ReamLabs · KolbyML · Sep 19, 2025 · Aug 31, 2025 · Aug 31, 2025 · Aug 31, 2025
@@ -27,3 +27,6 @@ testing/ef-tests/mainnet/*
 
 # DS_Store: Desktop Services Store
 .DS_Store
+
+# keystore
+.keystore
@@ -72,7 +72,7 @@ alloy-rpc-types-beacon = "1.0.8"
 alloy-rpc-types-eth = "1.0.7"
 anyhow = "1.0"
 async-trait = "0.1.86"
-bip32 = "0.5.3"
+bip39 = "2.2.0"
 clap = "4"
 delay_map = "0.4.1"
 directories = { version = "6.0.0" }
@@ -86,6 +86,7 @@ eventsource-client = "0.15.0"
 futures = "0.3"
 hashbrown = "0.15.3"
 hashsig = { git = "https://github.com/b-wagn/hash-sig", rev = "287517a763edba7e518b0c1ee5beb868f26f1f66" }
+hex = "0.4"
 itertools = "0.14"
 jsonwebtoken = "9.3.1"
 kzg = { git = "https://github.com/grandinetech/rust-kzg" }

@@ -17,6 +17,7 @@ path = "src/main.rs"
 [dependencies]
 alloy-primitives.workspace = true
 anyhow.workspace = true
+bip39.workspace = true
 clap = { workspace = true, features = ["derive", "env"] }
 discv5.workspace = true
 hashbrown.workspace = true

@@ -1,10 +1,13 @@
 use anyhow::ensure;
+use bip39::Mnemonic;
 use clap::Parser;
+use tracing::info;
 
-const MIN_CHUNK_SIZE: u64 = 4;
-const MIN_LIFETIME: u64 = 18;
-const DEFAULT_ACTIVATION_EPOCH: usize = 0;
-const DEFAULT_NUM_ACTIVE_EPOCHS: usize = 1 << 18;
+const MIN_CHUNK_SIZE: u32 = 4;
+const MIN_LIFETIME: u32 = 18;
+const DEFAULT_ACTIVATION_EPOCH: u32 = 0;
+const DEFAULT_NUM_ACTIVE_EPOCHS: u32 = 1 << 18;
+const DEFAULT_KEYSTORE_PATH: &str = "./.keystore/";
 
 #[derive(Debug, Parser)]
 pub struct AccountManagerConfig {
@@ -14,23 +17,31 @@ pub struct AccountManagerConfig {
 
     /// Account lifetime in 2 ** lifetime slots
     #[arg(short, long, default_value_t = 18)]
-    pub lifetime: u64,
+    pub lifetime: u32,
 
     /// Chunk size for messages
     #[arg(short, long, default_value_t = 5)]
-    pub chunk_size: u64,
+    pub chunk_size: u32,
 
     /// Seed phrase for key generation
     #[arg(short, long)]
     pub seed_phrase: Option<String>,
 
+    /// Optional BIP39 passphrase used with the seed phrase
+    #[arg(long)]
+    pub passphrase: Option<String>,
+
     /// Activation epoch for the validator
     #[arg(long, default_value_t = DEFAULT_ACTIVATION_EPOCH)]
-    pub activation_epoch: usize,
+    pub activation_epoch: u32,
 
     /// Number of active epochs
     #[arg(long, default_value_t = DEFAULT_NUM_ACTIVE_EPOCHS)]
-    pub num_active_epochs: usize,
+    pub num_active_epochs: u32,
+
+    /// Path for keystore directory
+    #[arg(long, default_value = DEFAULT_KEYSTORE_PATH)]
+    pub path: String,
 }
 
 impl Default for AccountManagerConfig {
@@ -40,8 +51,10 @@ impl Default for AccountManagerConfig {
             lifetime: 18,
             chunk_size: 5,
             seed_phrase: None,
+            passphrase: None,
             activation_epoch: DEFAULT_ACTIVATION_EPOCH,
             num_active_epochs: DEFAULT_NUM_ACTIVE_EPOCHS,
+            path: DEFAULT_KEYSTORE_PATH.to_string(),
         }
     }
 }
@@ -60,14 +73,22 @@ impl AccountManagerConfig {
             self.lifetime >= MIN_LIFETIME,
             "Lifetime must be at least {MIN_LIFETIME}"
         );
+
         Ok(())
     }
 
     pub fn get_seed_phrase(&self) -> String {
         if let Some(phrase) = &self.seed_phrase {
             phrase.clone()
         } else {
-            "default_seed_phrase".to_string()
+            // Generate a new BIP39 mnemonic with 24 words (256 bits of entropy)
+            let entropy: [u8; 32] = rand::random();
+            let mnemonic = Mnemonic::from_entropy(&entropy).expect("Failed to generate mnemonic");
+            let phrase = mnemonic.words().collect::<Vec<_>>().join(" ");
+            info!("{}", "=".repeat(89));
+            info!("Generated new seed phrase (KEEP SAFE): {phrase}");
+            info!("{}", "=".repeat(89));
+            phrase
         }
     }
 }
@@ -1,6 +1,7 @@
 use std::{
     env, fs,
     net::SocketAddr,
+    path::Path,
     process,
     sync::Arc,
     time::{Duration, SystemTime, UNIX_EPOCH},
@@ -19,6 +20,7 @@ use ream::cli::{
     validator_node::ValidatorNodeConfig,
     voluntary_exit::VoluntaryExitConfig,
 };
+use ream_account_manager::{keystore::Keystore, message_types::MessageType};
 use ream_api_types_beacon::id::ValidatorID;
 use ream_api_types_common::id::ID;
 use ream_chain_lean::{
@@ -385,7 +387,7 @@ pub async fn run_validator_node(config: ValidatorNodeConfig, executor: ReamExecu
 /// This function initializes the account manager by validating the configuration,
 /// generating keys, and starting the account manager service.
 pub async fn run_account_manager(mut config: AccountManagerConfig) {
-    info!("starting up account manager...");
+    info!("Starting account manager...");
 
     // Validate the configuration
     config
@@ -399,17 +401,50 @@ pub async fn run_account_manager(mut config: AccountManagerConfig) {
 
     let seed_phrase = config.get_seed_phrase();
 
+    // Create keystore directory if it doesn't exist
+    let keystore_dir = Path::new(&config.path);
+    if !keystore_dir.exists() {
+        fs::create_dir_all(keystore_dir).expect("Failed to create keystore directory");
+        info!("Created keystore directory: {}", keystore_dir.display());
+    }
+
     // Measure key generation time
     let start_time = Instant::now();
-    let (_public_key, _private_key) = ream_account_manager::generate_keys(
-        &seed_phrase,
-        config.activation_epoch,
-        config.num_active_epochs,
-    );
+
+    // Generate keys sequentially for each message type
+    for (index, message_type) in MessageType::iter().enumerate() {
+        let (_public_key, _private_key) = ream_account_manager::generate_keys(
+            &seed_phrase,
+            index as u32,
+            config.activation_epoch,
+            config.num_active_epochs,
+            config.passphrase.as_deref().unwrap_or(""),
+        );
+
+        // Create keystore file using Keystore
+        let keystore = Keystore::from_seed_phrase(
+            &seed_phrase,
+            config.lifetime,
+            config.activation_epoch,
+            Some(format!("Ream validator keystore for {message_type}")),
+            Some(format!("m/44'/60'/0'/0/{index}")),
+        );
+
+        // Write keystore to file with enum name
+        let filename = message_type.to_string();
+        let keystore_file_path = keystore_dir.join(filename);
+        let keystore_json = keystore.to_json().expect("Failed to serialize keystore");
+
+        fs::write(&keystore_file_path, keystore_json).expect("Failed to write keystore file");
+
+        info!("Keystore written to path: {}", keystore_file_path.display());
+    }
     let duration = start_time.elapsed();
     info!("Key generation complete, took {:?}", duration);
 
     info!("Account manager completed successfully");
+
+    process::exit(0);
 }
 
 /// Runs the voluntary exit process.

@@ -13,7 +13,9 @@ Options:
   -l, --lifetime <LIFETIME>                    Account lifetime in 2 ** lifetime slots [default: 18]
   -c, --chunk-size <CHUNK_SIZE>                Chunk size for messages [default: 5]
   -s, --seed-phrase <SEED_PHRASE>              Seed phrase for key generation
+      --passphrase <PASSPHRASE>                Optional BIP39 passphrase used with the seed phrase
       --activation-epoch <ACTIVATION_EPOCH>    Activation epoch for the validator [default: 0]
       --num-active-epochs <NUM_ACTIVE_EPOCHS>  Number of active epochs [default: 262144]
+      --path <PATH>                            Path for keystore directory [default: ./.keystore/]
   -h, --help                                   Print help
 ```
@@ -10,11 +10,18 @@ rust-version.workspace = true
 version.workspace = true
 
 [dependencies]
+anyhow.workspace = true
+bip39.workspace = true
+chrono = { version = "0.4", features = ["serde"] }
 hashsig.workspace = true
+hex.workspace = true
 rand.workspace = true
 rand_chacha.workspace = true
+serde.workspace = true
+serde_json.workspace = true
 sha2.workspace = true
 tracing.workspace = true
+uuid = { version = "1.0", features = ["v4", "serde"] }
 
 # ream dependencies
 ream-post-quantum-crypto.workspace = true