π Key Generation for Mainnet
Importantβ
- It is highly recommended that you perform this step using an air-gapped machine (a device that has never connected to the public internet).
- If this is not available, turn off all internet and wireless connections (Ethernet, WiFi, Bluetooth) before proceeding.
- In both cases, ensure youβre in a safe environment with a trusted network and physically block all camera devices.
- Generate the keys using 0x01 Withdrawal Credentials with deposit amount set to 32 ETH.
Creating an air-gapped machineβ
- Buy a cheap single-board computer (e.g., Raspberry Pi).
- OSβonβaβstick: Flash a USB drive with TailsOS and run from USBβno files persist after removal.
We will cover Method 2 (executable binaries) in this guide.
What you will needβ
- Two new, empty USB drives
- A paper notebook and pencil
- 100% FOCUS
Download the validator keystore generation fileβ
- Wagyu Keygen
- Executable binaries
- Build from source
This GUI method generates keystores, deposit data, and mnemonic.
- Download the Linux executable from wagyu.gg.
- Copy it onto a new USB drive.
Downloading the executable binary fileβ
On your working laptop:
cd ~
curl -LO https://github.com/ethereum/staking-deposit-cli/releases/download/v2.7.0/staking_deposit-cli-fdab65d-linux-amd64.tar.gz
echo "ac3151843d681c92ae75567a88fbe0e040d53c21368cc1ed1a8c3d9fb29f2a3a staking_deposit-cli-fdab65d-linux-amd64.tar.gz" | sha256sum --check
Expected output:
staking_deposit-cli-fdab65d-linux-amd64.tar.gz: OK
After verification, move the .tar.gz
file onto a new USB drive.
No action needed at this step.
Flash and install OSβ
- Download latest TailsOS and verify checksums.
- Flash a USB drive with your preferred OS using BalenaEtcher. See TailsOS on USB guide β
Boot menu keys for laptop models
- Non-Apple/Mac: consult [techofide guide] for keys.
- Apple/Mac: consult [Apple support].
- Boot from the USB drive; you should see βTails.β
- Select Try or Install Tails
- Click +, set an admin password, then Start Tails
Generate your validator signing keysβ
- Wagyu Keygen
- Executable binaries
- Build from source
Wagyu Keygenβ
Before proceedingβ
- Turn off Ethernet, WiFi, Bluetooth.
- Physically cover all camera devices.
Load the USB drive with Wagyu Keygen
to the fresh OS.
Run the GUI and:
- Create a secret recovery phrase.
- Select network (Mainnet/Hoodi).
- Write down and confirm the phrase.
- Choose number of keys.
- Encrypt keystores with a password.
- IMPORTANT: Set withdrawal address to the Lido Withdrawal Vault in Ethereum Mainnet:
0xB9D7934878B5FB9610B3fE8A5e441e8fad7E293f
- Confirm password.
- Save keystores & deposit data to a USB drive.
Executable binariesβ
Load the USB drive with the .tar.gz
file to the fresh OS. Open terminal:
cd Desktop
tar xvf staking_deposit-cli-fdab65d-linux-amd64.tar.gz
cd staking_deposit-cli-fdab65d-linux-amd64
Before proceedingβ
- Turn off Ethernet, WiFi, Bluetooth.
- Cover camera devices.
Generate keys:
./deposit new-mnemonic --num_validators <number> --chain mainnet --eth1_withdrawal_address <YourWithdrawalAddress>
Expected output:
Mnemonic generatedβwrite it down on paper:
Verify by retyping phrase; youβll see a Rhino ASCII art:
Store generated files on a new USB drive; remove OS-on-a-stick.
Build from sourceβ
On the fresh OS, install dependencies:
sudo apt-get update -y && sudo apt-get upgrade -y
sudo apt install python3-venv python3-pip python3-virtualenv git
Create venv & clone tool:
virtualenv venv
source venv/bin/activate
git clone https://github.com/ethereum/staking-deposit-cli.git
cd staking-deposit-cli
pip3 install -r requirements.txt
Before proceedingβ
- Turn off Ethernet, WiFi, Bluetooth.
- Cover camera devices.
Generate keys:
python3 ./deposit.py new-mnemonic --num_validators <number> --chain mainnet --eth1_withdrawal_address <YourWithdrawalAddress>
Import Validator Key to your Nodeβ
- Dappnode
- EthPillar
- Stereum
- Sedge
- Eth Docker
- Systemd
Go to Stakers β Ethereum in Dappnode UI, click Upload Keystores.
Import your keystores and enter passwords.
Tag them βLidoβ; fee recipient set to 0x388C818CA8B9251b393131C08a736A67ccB19297
.
Locate keystore path:
cat $(find /var/lib -name "keystore*.json" 2>/dev/null)
Run:
ethpillar
Select Validator Client β Generate / Import Validator Keys β Import from backup and paste path.
In Staking tab of Stereum Launcher, drag & drop keystores, enter password, click β.
To import keys in sedge, you just have to run:
sedge import-key --from `path-to-keys` -n `network` --start-validator `name-of-validator-client`
This will copy the keys from the specified path, ensure are set to the correct network, and help Sedge know how to import them based on the used client.
Move keystores into ~/eth-docker/.eth/validator_keys
, adjust permissions, then:
ethd keys import
Refer to Advanced β Systemd β Method 2 for systemd instructions: