Setting Up Payment and Stake Keys

First, obtain the protocol-parameters.

Wait for the block-producing node to start syncing before continuing if you get this error message.

cardano-cli: Network.Socket.connect: : does not exist (No such file or directory)

cardano-cli query protocol-parameters \
    --mainnet \
    --out-file params.json

Payment keys are used to send and receive payments and stake keys are used to manage stake delegations.

There are two ways to create your payment and stake key pair. Pick the one that best suits your needs.

Critical Operational Security Advice: payment and stake keys must be generated and used to build transactions in an cold environment. In other words, your air-gapped offline machine. Copy cardano-cli binary over to your offline machine and run the CLI method or mnemonic method. The only steps performed online in a hot environment are those steps that require live data. Namely the follow type of steps:

querying the current slot tip
querying the balance of an address
submitting a transaction

Create a new payment key pair: payment.skey & payment.vkey

###
### On air-gapped offline machine,
###
cd $NODE_HOME
cardano-cli address key-gen \
    --verification-key-file payment.vkey \
    --signing-key-file payment.skey

Create a new stake address key pair: stake.skey & stake.vkey

###
### On air-gapped offline machine,
###
cardano-cli stake-address key-gen \
    --verification-key-file stake.vkey \
    --signing-key-file stake.skey

Create your stake address from the stake address verification key and store it in stake.addr

###
### On air-gapped offline machine,
###
cardano-cli stake-address build \
    --stake-verification-key-file stake.vkey \
    --out-file stake.addr \
    --mainnet

Build a payment address for the payment key payment.vkey which will delegate to the stake address, stake.vkey

###
### On air-gapped offline machine,
###
cardano-cli address build \
    --payment-verification-key-file payment.vkey \
    --stake-verification-key-file stake.vkey \
    --out-file payment.addr \
    --mainnet

Credits to ilap for creating this process.

Benefits: Track and control pool rewards from any wallet (Daedalus, Yoroi or any other wallet) that support stakings.

Create a 15-word or 24-word length shelley compatible mnemonic with Daedalus or Yoroi on a offline machine preferred.

Using your online block producer node, download cardano-wallet

###
### On block producer node,
###
cd $NODE_HOME
wget https://github.com/input-output-hk/cardano-wallet/releases/download/v2022-08-16/cardano-wallet-v2022-08-16-linux64.tar.gz

Transfer the cardano-wallet to your air-gapped offline machine via USB key or other removable media.

Extract the wallet files and cleanup.

###
### On air-gapped offline machine,
###
tar -xvf cardano-wallet-v2022-08-16-linux64.tar.gz
rm cardano-wallet-v2022-08-16-linux64.tar.gz
cd cardano-wallet-v2022-08-16-linux64

CreateextractPoolStakingKeys.sh script.

###
### On air-gapped offline machine,
###
cat > extractPoolStakingKeys.sh << HERE
#!/bin/bash 

CADDR=\${CADDR:=\$( which cardano-address )}
[[ -z "\$CADDR" ]] && ( echo "cardano-address cannot be found, exiting..." >&2 ; exit 127 )

CCLI=\${CCLI:=\$( which cardano-cli )}
[[ -z "\$CCLI" ]] && ( echo "cardano-cli cannot be found, exiting..." >&2 ; exit 127 )

OUT_DIR="\$1"
[[ -e "\$OUT_DIR"  ]] && {
       	echo "The \"\$OUT_DIR\" is already exist delete and run again." >&2 
       	exit 127
} || mkdir -p "\$OUT_DIR" && pushd "\$OUT_DIR" >/dev/null

shift
MNEMONIC="\$*"

# Generate the master key from mnemonics and derive the stake account keys 
# as extended private and public keys (xpub, xprv)
echo "\$MNEMONIC" |\
"\$CADDR" key from-recovery-phrase Shelley > root.prv

cat root.prv |\
"\$CADDR" key child 1852H/1815H/0H/2/0 > stake.xprv

cat root.prv |\
"\$CADDR" key child 1852H/1815H/0H/0/0 > payment.xprv

TESTNET=0
MAINNET=1
NETWORK=\$MAINNET

cat payment.xprv |\
"\$CADDR" key public --with-chain-code | tee payment.xpub |\
"\$CADDR" address payment --network-tag \$NETWORK |\
"\$CADDR" address delegation \$(cat stake.xprv | "\$CADDR" key public --with-chain-code | tee stake.xpub) |\
tee base.addr_candidate |\
"\$CADDR" address inspect
echo "Generated from 1852H/1815H/0H/{0,2}/0"
cat base.addr_candidate
echo

# XPrv/XPub conversion to normal private and public key, keep in mind the 
# keypars are not a valid Ed25519 signing keypairs.
TESTNET_MAGIC="--testnet-magic 1097911063"
MAINNET_MAGIC="--mainnet"
MAGIC="\$MAINNET_MAGIC"

SESKEY=\$( cat stake.xprv | bech32 | cut -b -128 )\$( cat stake.xpub | bech32)
PESKEY=\$( cat payment.xprv | bech32 | cut -b -128 )\$( cat payment.xpub | bech32)

cat << EOF > stake.skey
{
    "type": "StakeExtendedSigningKeyShelley_ed25519_bip32",
    "description": "",
    "cborHex": "5880\$SESKEY"
}
EOF

cat << EOF > payment.skey
{
    "type": "PaymentExtendedSigningKeyShelley_ed25519_bip32",
    "description": "Payment Signing Key",
    "cborHex": "5880\$PESKEY"
}
EOF

"\$CCLI" key verification-key --signing-key-file stake.skey --verification-key-file stake.evkey
"\$CCLI" key verification-key --signing-key-file payment.skey --verification-key-file payment.evkey

"\$CCLI" key non-extended-key --extended-verification-key-file payment.evkey --verification-key-file payment.vkey
"\$CCLI" key non-extended-key --extended-verification-key-file stake.evkey --verification-key-file stake.vkey


"\$CCLI" stake-address build --stake-verification-key-file stake.vkey \$MAGIC > stake.addr
"\$CCLI" address build --payment-verification-key-file payment.vkey \$MAGIC > payment.addr
"\$CCLI" address build \
    --payment-verification-key-file payment.vkey \
    --stake-verification-key-file stake.vkey \
    \$MAGIC > base.addr

echo "Important the base.addr and the base.addr_candidate must be the same"
diff base.addr base.addr_candidate
popd >/dev/null
HERE

Add permissions and export PATH to use the binaries.

###
### On air-gapped offline machine,
###
chmod +x extractPoolStakingKeys.sh
export PATH=$PATH:$(pwd)

Extract your keys. Update the command with your mnemonic phrase.

###
### On air-gapped offline machine,
###
./extractPoolStakingKeys.sh extractedPoolKeys/ <15|24-word length mnemonic>

Important: The base.addr and the base.addr_candidate must be the same. Review the screen output.

Your new staking keys are in the folder extractedPoolKeys/

Now move payment/stake key pair over to your $NODE_HOME for use with your stake pool.

###
### On air-gapped offline machine,
###
cd extractedPoolKeys/
cp stake.vkey stake.skey stake.addr payment.vkey payment.skey base.addr $NODE_HOME
cd $NODE_HOME
#Rename to base.addr file to payment.addr
mv base.addr payment.addr

payment.addr, or also known as base.addr from this extraction script, will be the cardano address which holds your pool's pledge.

Clear the bash history in order to protect your mnemonic phrase and remove the cardano-wallet files.

###
### On air-gapped offline machine,
###
history -c && history -w

Finally close all your terminal windows and open new ones with zero history.

Awesome. Now you can track your pool rewards in your wallet.

Next step is to fund your payment address.

Copy payment.addr to your hot environment.

Payment address can be funded from your Daedalus / Yoroi wallet.

Run the following to find your payment address.

cat payment.addr

After funding your account, check your payment address balance.

Before continuing, your nodes must be fully synchronized to the blockchain. Otherwise, you won't see your funds.

cardano-cli query utxo \
    --address $(cat payment.addr) \
    --mainnet

You should see output similar to this. This is your unspent transaction output (UXTO).

                           TxHash                                 TxIx        Lovelace
----------------------------------------------------------------------------------------
100322a39d02c2ead....                                              0        1000000000

PreviousGenerating Keys for the Block-producing Node NextRegistering Your Stake Address

### ### On air-gapped offline machine, ### cardano-cli address build \ --payment-verification-key-file payment.vkey \ --stake-verification-key-file stake.vkey \ --out-file payment.addr \ --mainnet

### ### On air-gapped offline machine, ### cat > extractPoolStakingKeys.sh << HERE #!/bin/bash CADDR=\${CADDR:=\$( which cardano-address )} [[ -z "\$CADDR" ]] && ( echo "cardano-address cannot be found, exiting..." >&2 ; exit 127 ) CCLI=\${CCLI:=\$( which cardano-cli )} [[ -z "\$CCLI" ]] && ( echo "cardano-cli cannot be found, exiting..." >&2 ; exit 127 ) OUT_DIR="\$1" [[ -e "\$OUT_DIR" ]] && { echo "The \"\$OUT_DIR\" is already exist delete and run again." >&2 exit 127 } || mkdir -p "\$OUT_DIR" && pushd "\$OUT_DIR" >/dev/null shift MNEMONIC="\$*" # Generate the master key from mnemonics and derive the stake account keys # as extended private and public keys (xpub, xprv) echo "\$MNEMONIC" |\ "\$CADDR" key from-recovery-phrase Shelley > root.prv cat root.prv |\ "\$CADDR" key child 1852H/1815H/0H/2/0 > stake.xprv cat root.prv |\ "\$CADDR" key child 1852H/1815H/0H/0/0 > payment.xprv TESTNET=0 MAINNET=1 NETWORK=\$MAINNET cat payment.xprv |\ "\$CADDR" key public --with-chain-code | tee payment.xpub |\ "\$CADDR" address payment --network-tag \$NETWORK |\ "\$CADDR" address delegation \$(cat stake.xprv | "\$CADDR" key public --with-chain-code | tee stake.xpub) |\ tee base.addr_candidate |\ "\$CADDR" address inspect echo "Generated from 1852H/1815H/0H/{0,2}/0" cat base.addr_candidate echo # XPrv/XPub conversion to normal private and public key, keep in mind the # keypars are not a valid Ed25519 signing keypairs. TESTNET_MAGIC="--testnet-magic 1097911063" MAINNET_MAGIC="--mainnet" MAGIC="\$MAINNET_MAGIC" SESKEY=\$( cat stake.xprv | bech32 | cut -b -128 )\$( cat stake.xpub | bech32) PESKEY=\$( cat payment.xprv | bech32 | cut -b -128 )\$( cat payment.xpub | bech32) cat << EOF > stake.skey { "type": "StakeExtendedSigningKeyShelley_ed25519_bip32", "description": "", "cborHex": "5880\$SESKEY" } EOF cat << EOF > payment.skey { "type": "PaymentExtendedSigningKeyShelley_ed25519_bip32", "description": "Payment Signing Key", "cborHex": "5880\$PESKEY" } EOF "\$CCLI" key verification-key --signing-key-file stake.skey --verification-key-file stake.evkey "\$CCLI" key verification-key --signing-key-file payment.skey --verification-key-file payment.evkey "\$CCLI" key non-extended-key --extended-verification-key-file payment.evkey --verification-key-file payment.vkey "\$CCLI" key non-extended-key --extended-verification-key-file stake.evkey --verification-key-file stake.vkey "\$CCLI" stake-address build --stake-verification-key-file stake.vkey \$MAGIC > stake.addr "\$CCLI" address build --payment-verification-key-file payment.vkey \$MAGIC > payment.addr "\$CCLI" address build \ --payment-verification-key-file payment.vkey \ --stake-verification-key-file stake.vkey \ \$MAGIC > base.addr echo "Important the base.addr and the base.addr_candidate must be the same" diff base.addr base.addr_candidate popd >/dev/null HERE

### ### On air-gapped offline machine, ### cd extractedPoolKeys/ cp stake.vkey stake.skey stake.addr payment.vkey payment.skey base.addr $NODE_HOME cd $NODE_HOME #Rename to base.addr file to payment.addr mv base.addr payment.addr

TxHash TxIx Lovelace ---------------------------------------------------------------------------------------- 100322a39d02c2ead.... 0 1000000000