keosd is a key manager service daemon for storing private keys and signing digital messages. It provides a secure key storage medium for keys to be encrypted at rest in the associated wallet file. keosd also defines a secure enclave for signing transactions created by cleos or a third-party library.
When a wallet is unlocked with the corresponding password, cleos can request keosd to sign a transaction with the appropriate private keys.
keosd is intended to be used by developers only.
Recommended Usage
For most users, the easiest way to use keosd is to have cleos launch it automatically. Wallet files will be created in the default directory (~/eosio-wallet).
keosd can be launched manually from the terminal by running:
$ keosd
By default, keosd creates the folder ~/eosio-wallet and populates it with a basic config.ini file. The location of the config file can be specified on the command line using the --config-dir argument. The configuration file contains the HTTP server endpoint for incoming HTTP connections and other parameters for cross-origin resource sharing.
By default, keosd is set to lock your wallet after 15 minutes of inactivity. This is configurable in the config.ini by setting the timeout seconds in unlock-timeout. Setting it to 0 will cause keosd to always lock your wallet.
The most effective way to stop keosd is to find the keosd process and send a SIGTERM signal to it.
For a list of all commands known to keosd, simply run it with the --help option:
$ keosd --help
Application Options:

Config Options for eosio::http_plugin:
  --unix-socket-path arg (=keosd.sock)
        The filename (relative to data-dir) to create a unix socket for HTTP RPC; set blank to disable.
  --http-server-address arg
        The local IP and port to listen for incoming http connections; leave blank to disable.
  --https-server-address arg
        The local IP and port to listen for incoming https connections; leave blank to disable.
  --https-certificate-chain-file arg
        Filename with the certificate chain to present on https connections. PEM format. Required for https.
  --https-private-key-file arg
        Filename with https private key in PEM format. Required for https
  --access-control-allow-origin arg
        Specify the Access-Control-Allow-Origin to be returned on each request.
  --access-control-allow-headers arg
        Specify the Access-Control-Allow-Headers to be returned on each request.
  --access-control-max-age arg
        Specify the Access-Control-Max-Age to be returned on each request.
  --access-control-allow-credentials
        Specify if Access-Control-Allow-Credentials: true should be returned on each request.
  --max-body-size arg (=1048576)
        The maximum body size in bytes allowed for incoming RPC requests
  --http-max-bytes-in-flight-mb arg (=500)
        Maximum size in megabytes http_plugin should use for processing http requests. 503 error response when exceeded.
  --verbose-http-errors
        Append the error log to HTTP responses
  --http-validate-host arg (=1)
        If set to false, then any incoming "Host" header is considered valid
  --http-alias arg
        Additionaly acceptable values for the "Host" header of incoming HTTP requests, can be specified multiple times. Includes http/s_server_address by default.
  --http-threads arg (=2)
        Number of worker threads in http thread pool

Config Options for eosio::wallet_plugin:
  --wallet-dir arg (=".")
        The path of the wallet files (absolute path or relative to application data dir)
  --unlock-timeout arg (=900)
        Timeout for unlocked wallet in seconds (default 900 (15 minutes)). Wallets will automatically lock after specified number of seconds of inactivity. Activity is defined as any wallet command e.g. list-wallets.
  --yubihsm-url URL
        Override default URL of http://localhost:12345 for connecting to yubihsm-connector
  --yubihsm-authkey key_num
        Enables YubiHSM support using given Authkey

Application Config Options:
  --plugin arg
        Plugin(s) to enable, may be specified multiple times

Application Command Line Options:
  -h [ --help ]
        Print this help message and exit.
  -v [ --version ]
        Print version information.
  --print-default-config
        Print default configuration template
  -d [ --data-dir ] arg
        Directory containing program runtime data
  --config-dir arg
        Directory containing configuration files such as config.ini
  -c [ --config ] arg (=config.ini)
        Configuration file name relative to config-dir
  -l [ --logconf ] arg (=logging.json)
        Logging configuration file name/path for library users
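Because keosd signs with whatever keys are unlocked, the HTTP and wallet options listed above decide who can reach the signer. The following Python audit of a config.ini is an added example, not part of the keosd documentation or code base; the sample file, port 8900, and the 900-second ceiling are constructed assumptions, and the "key = value" parsing is a simplification.

```python
import ipaddress

# Constructed sample config.ini (not from the page); the keys are options from the help text.
SAMPLE_CONFIG = """\
http-server-address = 0.0.0.0:8900
access-control-allow-origin = *
http-validate-host = false
verbose-http-errors = true
unlock-timeout = 86400
"""
MAX_UNLOCK_SECONDS = 900  # assumed policy ceiling: the documented default

def parse_config(text):
    """Read 'key = value' lines, dropping blanks and # comments; repeated keys accumulate."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            opts.setdefault(key, []).append(value)
    return opts

def is_loopback(endpoint):
    host = endpoint.rsplit(":", 1)[0].strip("[]")  # host part of 'host:port'
    try:
        return host == "localhost" or ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # any other hostname is treated as exposed

def audit(text):
    """Return (option, reason) pairs for settings that widen access to the signer."""
    opts, findings = parse_config(text), []
    for key in ("http-server-address", "https-server-address"):
        for ep in opts.get(key, []):
            if ep and not is_loopback(ep):
                findings.append((key, f"{ep} listens beyond loopback"))
    if "*" in opts.get("access-control-allow-origin", []):
        findings.append(("access-control-allow-origin", "any web origin is allowed"))
    if any(v.lower() in ("false", "0") for v in opts.get("http-validate-host", [])):
        findings.append(("http-validate-host", "Host header is not validated"))
    if any(v.lower() in ("true", "1") for v in opts.get("verbose-http-errors", [])):
        findings.append(("verbose-http-errors", "error log is appended to responses"))
    for v in opts.get("unlock-timeout", []):
        if not v.isdigit() or int(v) > MAX_UNLOCK_SECONDS:
            findings.append(("unlock-timeout", f"{v!r} is not within 0..{MAX_UNLOCK_SECONDS}"))
    return findings

if __name__ == "__main__":
    print("\n".join(f"{opt}: {why}" for opt, why in audit(SAMPLE_CONFIG)))
```

An empty result means none of the checked options deviates from a loopback-only, default-timeout setup; it says nothing about file permissions on the wallet directory.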