Managing Accounts in Your Wallet
The wallet
command is used to manage accounts in your wallet. The wallet
can contain file-based accounts which are stored along your Oasis CLI
configuration, or a reference to an account stored on your hardware wallet.
The following encryption algorithms and derivation paths are supported by the Oasis CLI for your accounts:
ed25519-adr8
: Ed25519 keypair using the ADR-8 derivation path in order to obtain a private key from the mnemonic. This is the default setting suitable for accounts on the Oasis consensus layer and Cipher.secp256k1-bip44
: Secp256k1 Ethereum-compatible keypair using BIP-44 with ETH coin type to derive a private key. This setting is used for accounts living on EVM-compatible ParaTimes such as Sapphire or Emerald. The same account can be imported into Metamask and other Ethereum wallets.ed25519-raw
: Ed25519 keypair imported directly from the Base64-encoded private key. No key derivation is involved. This setting is primarily used by the network validators to sign the governance and other consensus-layer transactions.ed25519-legacy
: Ed25519 keypair using a legacy 5-component derivation path. This is the preferred setting for Oasis accounts stored on a hardware wallet like Ledger. It is called legacy, because it was first implemented before the ADR-8 was standardized.sr25519-adr8
: Sr25519 keypair using the ADR-8 derivation path. This is an alternative signature scheme for signing ParaTime transactions.secp256k1-raw
andsr25519-raw
: Respective Secp256k1 and Sr25519 keypairs imported directly from the Hex- or Base64-encoded private key. No key derivation is involved.
For compatibility with Ethereum, each secp256k1
account corresponds to two
addresses:
- 20-byte hex-encoded Ethereum-compatible address, e.g.
0xDCbF59bbcC0B297F1729adB23d7a5D721B481BA9
- Bech32-encoded Oasis native address, e.g.
oasis1qq3agel5x07pxz08ns3d2y7sjrr3xf9paquhhhzl
.
There exists a mapping from the Ethereum address to the native Oasis address as in the example above, but there is no reverse mapping.
Create an Account
The wallet create <name>
command is used add a new account into your Oasis
CLI wallet by:
- generating a new mnemonic and storing it into a file-based wallet, or
- creating a reference to an account stored on your hardware wallet.
By default, a password-encrypted file-based wallet will be used for storing the private key. You will have to enter the password for this account each time to access use it for signing the transactions (e.g. to send tokens). The account address is public and can be accessed without entering the passphrase.
oasis wallet create oscar
? Choose a new passphrase:
? Repeat passphrase:
The first account you create or import will become your default account.
This means it will automatically be selected as a source for sending funds or
calling smart contracts unless specified otherwise by using --account <name>
flag. You can always change the default account later.
To use your hardware wallet, add --kind ledger
parameter and Oasis CLI will
store a reference to an account on your hardware wallet:
oasis wallet create logan --kind ledger
A specific account kind (ed25519-adr8
, secp256k1-bip44
) and the derivation
path number can be passed with --file.algorithm
and --file.number
or
--ledger.algorithm
and --ledger.number
respectively. For example:
oasis wallet create logan --kind ledger
When creating a hardware wallet account, Oasis CLI will:
- obtain the public key of the account from your hardware wallet,
- compute the corresponding native address, and
- store the Oasis native address into the Oasis CLI.
If you try to open the same account with a different Ledger device or reset your Ledger with a new mnemonic, Oasis CLI will abort because the address of the account obtained from the new device will not match the one stored in your config.
oasis wallet show logan
Error: address mismatch after loading account (expected: oasis1qpl4axynedmdrrgrg7dpw3yxc4a8crevr5dkuksl got: oasis1qzdyu09x7hs5nqa0sjgy5jtmz3j5f99ccq0aezjk)
Import an Existing Keypair or a Mnemonic
If you already have a mnemonic or a raw private key, you can import it
as a new account by invoking wallet import
. You will be asked
interactively to select an account kind (mnemonic
or private key
),
encryption algorithm (ed25519
or secp256k1
) and then provide either the
mnemonic with the derivation number, or the raw private key in the corresponding
format.
Importing an account with a mnemonic looks like this:
oasis wallet import eugene
? Kind: mnemonic
? Algorithm: secp256k1-bip44
? Key number: 0
? Mnemonic: [Enter 2 empty lines to finish]man ankle mystery favorite tone number ice west spare marriage control lucky life together neither
? Mnemonic:
man ankle mystery favorite tone number ice west spare marriage control lucky life together neither
? Choose a new passphrase:
? Repeat passphrase:
Let's make another Secp256k1 account and entering a hex-encoded raw private key:
oasis wallet import emma
oasis wallet import emma
? Kind: private key
? Algorithm: secp256k1-raw
? Private key (hex-encoded): [Enter 2 empty lines to finish]4811ebbe4f29f32a758f6f7bad39deb97ea67f07350637e31c75795dc679262a
? Private key (hex-encoded):
4811ebbe4f29f32a758f6f7bad39deb97ea67f07350637e31c75795dc679262a
? Choose a new passphrase:
? Repeat passphrase:
To override the defaults, you can pass --algorithm
, --number
and --secret
parameters. This is especially useful, if you are running the command in a
non-interactive mode:
oasis wallet import eugene --algorithm secp256k1-bip44 --number 0 --secret "man ankle mystery favorite tone number ice west spare marriage control lucky life together neither" -y
Since the account's secret is provided as a command line parameter in the non-interactive mode, make sure you read the account's secret from a file or an environment variable. Otherwise, the secret may be stored and exposed in your shell history.
Also, protecting your account with a password is currently not supported in the non-interactive mode.
List Accounts Stored in Your Wallet
You can list all available accounts in your wallet with wallet list
:
oasis wallet list
ACCOUNT KIND ADDRESS
emma file (secp256k1-raw) oasis1qph93wnfw8shu04pqyarvtjy4lytz3hp0c7tqnqh
eugene file (secp256k1-bip44:0) oasis1qrvzxld9rz83wv92lvnkpmr30c77kj2tvg0pednz
lenny ledger (secp256k1-bip44:3) oasis1qrmw4rhvp8ksj3yx6p2ftnkz864muc3re5jlgall
logan ledger (ed25519-legacy:0) oasis1qpl4axynedmdrrgrg7dpw3yxc4a8crevr5dkuksl
oscar (*) file (ed25519-adr8:0) oasis1qp87hflmelnpqhzcqcw8rhzakq4elj7jzv090p3e
Above, you can see the native Oasis addresses of all local accounts. The
default account has a special (*)
sign next to its name.
Show Account Configuration Details
To verify whether an account exists in your wallet, use wallet show <name>
.
This will print the account's native address and the public key which requires
entering your account's password.
oasis wallet show oscar
Unlock your account.
? Passphrase:
Name: oscar
Kind: file (ed25519-adr8:0)
Public Key: Bx6gOixnxy15tCs09ua5DcKyX9uo2Forb32O6Hyjoc8=
Native address: oasis1qp87hflmelnpqhzcqcw8rhzakq4elj7jzv090p3e
For secp256k1
accounts Ethereum's hex-encoded address will also be printed.
oasis wallet show eugene
Unlock your account.
? Passphrase:
Name: eugene
Kind: file (secp256k1-bip44:0)
Public Key: ArEjDxsPfDvfeLlity4mjGzy8E/nI4umiC8vYQh+eh/c
Ethereum address: 0xBd16C6bF701a01DF1B5C11B14860b6bDbE776669
Native address: oasis1qrvzxld9rz83wv92lvnkpmr30c77kj2tvg0pednz
Showing an account stored on your hardware wallet will require connecting it to your computer:
oasis wallet show logan
Name: logan
Kind: ledger (ed25519-legacy:0)
Public Key: l+cuboPsOeuY1+kYlROrpmKgiiELmXSw9xl0WEg8cWE=
Native address: oasis1qpl4axynedmdrrgrg7dpw3yxc4a8crevr5dkuksl
Export the Account's Secret
You can obtain the secret material of a file-based account such as the mnemonic
or the private key by running wallet export <name>
.
For example:
oasis wallet export oscar
WARNING: Exporting the account will expose secret key material!
Unlock your account.
? Passphrase:
Name: oscar
Kind: file (ed25519-adr8:0)
Public Key: Bx6gOixnxy15tCs09ua5DcKyX9uo2Forb32O6Hyjoc8=
Native address: oasis1qp87hflmelnpqhzcqcw8rhzakq4elj7jzv090p3e
Secret mnemonic:
promote easily runway junior saddle gold flip believe wet example amount believe habit mixed pistol lemon increase moon rail mail fiction miss clip asset
Derived secret key for account number 0:
LHOUUJgVquTdi/3DVsS4caW4jQcvuFgl1Oag6BwlNvwHHqA6LGfHLXm0KzT25rkNwrJf26jYWitvfY7ofKOhzw==
The same goes for your Secp256k1 accounts:
oasis wallet export eugene
WARNING: Exporting the account will expose secret key material!
Unlock your account.
? Passphrase:
Name: eugene
Kind: file (secp256k1-bip44:0)
Public Key: ArEjDxsPfDvfeLlity4mjGzy8E/nI4umiC8vYQh+eh/c
Ethereum address: 0xBd16C6bF701a01DF1B5C11B14860b6bDbE776669
Native address: oasis1qrvzxld9rz83wv92lvnkpmr30c77kj2tvg0pednz
Secret mnemonic:
man ankle mystery favorite tone number ice west spare marriage control lucky life together neither
Derived secret key for account number 0:
c559cad1e71e0db1b3a657f47ca7a618bfb6a51a7294df72bcfca57aded5377e
oasis wallet export emma
WARNING: Exporting the account will expose secret key material!
Unlock your account.
? Passphrase:
Name: emma
Kind: file (secp256k1-raw)
Public Key: Az8B2UpSUET0E3n9XMzr+HBvviQKcRvz6C6bJtRFWNYG
Ethereum address: 0xeEbE22411f579682F6f9D68f4C19B3581bCb576b
Native address: oasis1qph93wnfw8shu04pqyarvtjy4lytz3hp0c7tqnqh
Secret key:
4811ebbe4f29f32a758f6f7bad39deb97ea67f07350637e31c75795dc679262a
Trying to export an account stored on your hardware wallet will only export its public key:
oasis wallet export lenny
WARNING: Exporting the account will expose secret key material!
Name: lenny
Kind: ledger (secp256k1-bip44:3)
Public Key: AhhT2TUkEZ7rMasLBvHcsGj4SUO7Iw36ELEpL0evZDV1
Ethereum address: 0x95e5e3C1BDD92cd4A0c14c62480DB5867946281D
Native address: oasis1qrmw4rhvp8ksj3yx6p2ftnkz864muc3re5jlgall
Renaming the Account
To rename an account, run wallet rename <old_name> <new_name>
.
For example:
oasis wallet list
ACCOUNT KIND ADDRESS
emma file (secp256k1-raw) oasis1qph93wnfw8shu04pqyarvtjy4lytz3hp0c7tqnqh
eugene file (secp256k1-bip44:0) oasis1qrvzxld9rz83wv92lvnkpmr30c77kj2tvg0pednz
lenny ledger (secp256k1-bip44:3) oasis1qrmw4rhvp8ksj3yx6p2ftnkz864muc3re5jlgall
logan ledger (ed25519-legacy:0) oasis1qpl4axynedmdrrgrg7dpw3yxc4a8crevr5dkuksl
oscar (*) file (ed25519-adr8:0) oasis1qp87hflmelnpqhzcqcw8rhzakq4elj7jzv090p3e
oasis wallet rename lenny lester
oasis wallet list
ACCOUNT KIND ADDRESS
emma file (secp256k1-raw) oasis1qph93wnfw8shu04pqyarvtjy4lytz3hp0c7tqnqh
eugene file (secp256k1-bip44:0) oasis1qrvzxld9rz83wv92lvnkpmr30c77kj2tvg0pednz
lester ledger (secp256k1-bip44:3) oasis1qrmw4rhvp8ksj3yx6p2ftnkz864muc3re5jlgall
logan ledger (ed25519-legacy:0) oasis1qpl4axynedmdrrgrg7dpw3yxc4a8crevr5dkuksl
oscar (*) file (ed25519-adr8:0) oasis1qp87hflmelnpqhzcqcw8rhzakq4elj7jzv090p3e
Deleting an Account
To irreversibly delete the accounts from your wallet use
wallet remove [names]
. For file-based accounts this will delete the file
containing the private key from your disk. For hardware wallet accounts this
will delete the Oasis CLI reference, but the private keys will remain intact on
your hardware wallet.
For example, let's delete lenny
account:
oasis wallet list
ACCOUNT KIND ADDRESS
emma file (secp256k1-raw) oasis1qph93wnfw8shu04pqyarvtjy4lytz3hp0c7tqnqh
eugene file (secp256k1-bip44:0) oasis1qrvzxld9rz83wv92lvnkpmr30c77kj2tvg0pednz
lenny ledger (secp256k1-bip44:3) oasis1qrmw4rhvp8ksj3yx6p2ftnkz864muc3re5jlgall
logan ledger (ed25519-legacy:0) oasis1qpl4axynedmdrrgrg7dpw3yxc4a8crevr5dkuksl
oscar (*) file (ed25519-adr8:0) oasis1qp87hflmelnpqhzcqcw8rhzakq4elj7jzv090p3e
oasis wallet remove lenny
WARNING: Removing the account will ERASE secret key material!
WARNING: THIS ACTION IS IRREVERSIBLE!
? Enter 'I really want to remove account lenny' (without quotes) to confirm removal: I really want to remove account lenny
oasis wallet list
ACCOUNT KIND ADDRESS
emma file (secp256k1-raw) oasis1qph93wnfw8shu04pqyarvtjy4lytz3hp0c7tqnqh
eugene file (secp256k1-bip44:0) oasis1qrvzxld9rz83wv92lvnkpmr30c77kj2tvg0pednz
logan ledger (ed25519-legacy:0) oasis1qpl4axynedmdrrgrg7dpw3yxc4a8crevr5dkuksl
oscar (*) file (ed25519-raw) oasis1qp87hflmelnpqhzcqcw8rhzakq4elj7jzv090p3e
You can also delete accounct in non-interactive mode format by passing the
-y
parameter:
oasis wallet remove lenny -y
Set Default Account
To change your default account, use wallet set-default <name>
and the
name of the desired default account.
oasis wallet list
ACCOUNT KIND ADDRESS
emma file (secp256k1-raw) oasis1qph93wnfw8shu04pqyarvtjy4lytz3hp0c7tqnqh
eugene file (secp256k1-bip44:0) oasis1qrvzxld9rz83wv92lvnkpmr30c77kj2tvg0pednz
lenny ledger (secp256k1-bip44:3) oasis1qrmw4rhvp8ksj3yx6p2ftnkz864muc3re5jlgall
logan ledger (ed25519-legacy:0) oasis1qpl4axynedmdrrgrg7dpw3yxc4a8crevr5dkuksl
oscar (*) file (ed25519-adr8:0) oasis1qp87hflmelnpqhzcqcw8rhzakq4elj7jzv090p3e
oasis wallet set-default lenny
oasis wallet list
ACCOUNT KIND ADDRESS
emma file (secp256k1-raw) oasis1qph93wnfw8shu04pqyarvtjy4lytz3hp0c7tqnqh
eugene file (secp256k1-bip44:0) oasis1qrvzxld9rz83wv92lvnkpmr30c77kj2tvg0pednz
lenny (*) ledger (secp256k1-bip44:3) oasis1qrmw4rhvp8ksj3yx6p2ftnkz864muc3re5jlgall
logan ledger (ed25519-legacy:0) oasis1qpl4axynedmdrrgrg7dpw3yxc4a8crevr5dkuksl
oscar file (ed25519-adr8:0) oasis1qp87hflmelnpqhzcqcw8rhzakq4elj7jzv090p3e
Advanced
Import an Existing Keypair from PEM file
Existing node operators may already use their Ed25519 private key for running
their nodes stored in a PEM-encoded file typically named entity.pem
. In order
to submit their governance transaction, for example to vote on the network
upgrade using the Oasis CLI, they need to import the key into the Oasis CLI
wallet:
oasis wallet import-file my_entity entity.pem
? Choose a new passphrase:
? Repeat passphrase:
The key is now safely stored and encrypted inside the Oasis CLI.
oasis wallet list
ACCOUNT KIND ADDRESS
my_entity file (ed25519-raw) oasis1qpe0vnm0ahczgc353vytvtz9r829le4pjux8lc5z
Remote Signer for oasis-node
You can bind the account in your Oasis CLI wallet with a local instance of
oasis-node
. To do this, use
wallet remote-signer <account_name> <socket_path>
, pick the account you wish
to expose and provide a path to the new unix socket:
oasis wallet remote-signer oscar /datadir/oasis-oscar.socket
Unlock your account.
? Passphrase:
Address: oasis1qp87hflmelnpqhzcqcw8rhzakq4elj7jzv090p3e
Node Args:
--signer.backend=remote \
--signer.remote.address=unix:/datadir/oasis-oscar.socket
*** REMOTE SIGNER READY ***
Test Accounts
Oasis CLI comes with the following hardcoded test accounts:
test:alice
: Ed25519 test account used by Oasis core teststest:bob
: Ed25519 test account used by Oasis core teststest:charlie
: Secp256k1 test accounttest:cory
: Ed25519 account used byoasis-net-runner
test:dave
: Secp256k1 test accounttest:erin
: Sr25519 test accounttest:frank
: Sr25519 test account
Private keys for these accounts are well-known. Do not fund them on public networks, because anyone can drain them!
We suggest that you use these accounts for Localnet development or for
reproducibility when you report bugs to the Oasis core team. You can access the
private key of a test account the same way as you would for ordinary accounts
by invoking the oasis wallet export
command.