keytool
Sui Keystore Tool
The Sui Keystore Tool is a command-line tool that provides various functionalities related to key management for the Sui network. It supports the following commands:
Usage
movement sui keytool [OPTIONS] <COMMAND>
Commands
convert
Convert private key from wallet format (hex of 32 byte private key) to sui.keystore format (base64 of 33 byte flag || private key) or vice versa.
decode-tx-bytes
Given Base64 encoded transaction bytes, decode their components.
decode-multi-sig
Given a Base64 encoded MultiSig signature, decode its components. If tx_bytes is passed in, verify the multisig.
generate
Generate a new keypair with key scheme flag {ed25519 | secp256k1 | secp256r1} with optional derivation path. Default derivation paths are m/44'/784'/0'/0'/0' for ed25519, m/54'/784'/0'/0/0 for secp256k1, and m/74'/784'/0'/0/0 for secp256r1. Word length can be {word12 | word15 | word18 | word21 | word24}. Default word length is word12 if not specified.
import
Add a new key to sui.keystore. Supports adding key using either the input mnemonic phrase or a private key (from the Wallet). Key scheme flag {ed25519 | secp256k1 | secp256r1} and an optional derivation path can be specified. Default derivation paths are m/44'/784'/0'/0'/0' for ed25519, m/54'/784'/0'/0/0 for secp256k1, and m/74'/784'/0'/0/0 for secp256r1. Supports mnemonic phrase of word length 12, 15, 18, 21, 24.
list
List all keys in sui.keystore. Each key is displayed with its Sui address, Base64 encoded public key, and key scheme name.
load-keypair
Read the content at the provided file path. The accepted format can be (Base64 encoded of 33-byte flag || privkey) or type AuthorityKeyPair (Base64 encoded privkey). This command prints out the account keypair, network keypair, worker keypair, and protocol keypair as Base64 encoded private keys.
multi-sig-address
Generate a MultiSig Sui Address. Pass in a list of all public keys (flag || pk in Base64).
multi-sig-combine-partial-sig
Provides a list of participating signatures (flag || sig || pk encoded in Base64), threshold, a list of all public keys, and a list of their weights that define the MultiSig address. Returns a valid MultiSig signature and its sender address. The result can be used as the signature field for sui client execute-signed-tx. The sum of weights of all signatures must be greater than or equal to the threshold.
multi-sig-combine-partial-sig-legacy
show
Read the content at the provided file path. The accepted format can be (Base64 encoded of 33-byte flag || privkey) or type AuthorityKeyPair (Base64 encoded privkey). It prints out the Base64 encoded public key and the key scheme flag.
sign
Create a signature using the private key for the given address in sui keystore. The signature commits to a consisting of the Base64 encoded of the BCS serialized transaction bytes itself and its intent. If the intent is absent, the default intent will be used.
sign-kms
Creates a signature by leveraging AWS KMS. Pass in a key-id to leverage Amazon KMS to sign a message and the Base64 encoded pubkey. Generate PubKey from pem using MystenLabs/base64pemkey. The signature commits to a consisting of the Base64 encoded of the BCS serialized transaction bytes itself and its intent. If the intent is absent, the default intent will be used.
unpack
This command takes of Base64 encoded of 33-byte flag || privkey). It outputs the keypair into a file at the current directory where the address is the filename, and prints out its Sui address, Base64 encoded public key, the key scheme, and the key scheme flag.
zk-login-sign-and-execute-tx
Given the max_epoch, generate an OAuth URL, ask the user to paste the redirect with id_token, call the salt server, then call the prover server, create a test transaction, and use the ephemeral key to sign and execute it by assembling to a serialized zkLogin signature.
zk-login-enter-token
A workaround to the above command because sometimes token pasting does not work. All the inputs required here are printed from the command above.
zk-login-sig-verify
Given a zkLogin signature, parse it if valid. If bytes are provided, parse them as either TransactionData or PersonalMessage based on intent_scope. It verifies the zkLogin signature based on its latest JWK fetched.
zk-login-insecure-sign-personal-message
TESTING ONLY: Given a string of data, sign with the fixed dev-only ephemeral key and output a zkLogin signature with a fixed dev-only proof with a fixed max epoch of 10.
help
Print this message or the help of the given subcommand(s).
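The two encodings that convert translates between, shown as an added example (not the tool's own code): a parser that validates a sui.keystore entry (Base64 of 33-byte flag || private key) and converts it to and from wallet hex, rejecting wrong lengths and unknown flags. The flag byte values 0x00, 0x01 and 0x02 come from Sui's signature scheme flags rather than from this page, and the function names are hypothetical.

```python
import base64
import binascii

# Signature scheme flag bytes (assumption: Sui's values; this page names the
# schemes but does not list the bytes).
SCHEME_FLAGS = {0x00: "ed25519", 0x01: "secp256k1", 0x02: "secp256r1"}
FLAG_BY_SCHEME = {name: flag for flag, name in SCHEME_FLAGS.items()}


def keystore_to_wallet(entry_b64: str) -> tuple[str, str]:
    """Parse a sui.keystore entry; return (scheme, hex of the 32-byte key)."""
    try:
        raw = base64.b64decode(entry_b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("entry is not valid Base64") from exc
    if len(raw) != 33:
        raise ValueError(f"expected 33 bytes (flag || privkey), got {len(raw)}")
    flag, key = raw[0], raw[1:]
    if flag not in SCHEME_FLAGS:
        raise ValueError(f"unknown key scheme flag 0x{flag:02x}")
    return SCHEME_FLAGS[flag], key.hex()


def wallet_to_keystore(key_hex: str, scheme: str) -> str:
    """Build a sui.keystore entry from a wallet-format hex private key."""
    if scheme not in FLAG_BY_SCHEME:
        raise ValueError(f"unsupported scheme {scheme!r}")
    try:
        key = bytes.fromhex(key_hex)
    except ValueError as exc:
        raise ValueError("private key is not valid hex") from exc
    if len(key) != 32:
        raise ValueError(f"expected a 32-byte private key, got {len(key)} bytes")
    return base64.b64encode(bytes([FLAG_BY_SCHEME[scheme]]) + key).decode("ascii")


# Constructed sample key (bytes 0x00..0x1f), not a real secret.
SAMPLE_HEX = bytes(range(32)).hex()

if __name__ == "__main__":
    entry = wallet_to_keystore(SAMPLE_HEX, "secp256k1")
    print(entry)                      # keystore-format entry
    print(keystore_to_wallet(entry))  # round-trips to (scheme, hex)
```

Both directions handle raw private key material, so run such a check only where the keystore itself is allowed to be read and keep the output out of logs and shell history.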
Options
--keystore-path <KEYSTORE_PATH>
Path to the keystore file.
--json
Return command outputs in JSON format.
-h, --help
Print help.
-V, --version
Print version.