# Key Rotation Complete

**Date**: 2025-12-20  
**Status**: ✅ COMPLETE

## Summary

Successfully rotated all validator and node identities for the QBFT network using Quorum-Genesis-Tool. All keys have been regenerated, genesis.json has been updated with new extraData, and all configuration files have been regenerated with new enode URLs.

## 1. Detected Consensus: QBFT

**Evidence**: `genesis.json` contains:
```json
"config": {
  "qbft": {
    "blockperiodseconds": 2,
    "epochlength": 30000,
    "requesttimeoutseconds": 10
  }
}
```

## 2. Node Count: 5 Validators, 4 Sentries, 3 RPC Nodes

- **Validators**: 5 (VMIDs 1000-1004)
- **Sentries**: 4 (VMIDs 1500-1503)
- **RPC Nodes**: 3 (VMIDs 2500-2502) - *Using member4-member6 from output/2025-12-20-19-54-21*

## 3. Commands Executed

```bash
npx --yes quorum-genesis-tool \
  --consensus qbft \
  --chainID 138 \
  --validators 5 \
  --members 4 \
  --bootnodes 0 \
  --blockperiod 2 \
  --epochLength 30000 \
  --requestTimeout 10 \
  --difficulty 1 \
  --gasLimit 0x1c9c380
```

**Output Location**: `output/2025-12-20-19-54-02/`

## 4. Files Changed/Created

### Updated Files
- ✅ `smom-dbis-138-proxmox/config/genesis.json` - Updated `extraData` with new QBFT validator addresses

### Created Files
- ✅ `smom-dbis-138-proxmox/config/static-nodes.json` - New validator enode URLs
- ✅ `smom-dbis-138-proxmox/config/permissioned-nodes.json` - All node enode URLs (JSON format)
- ✅ `smom-dbis-138-proxmox/config/permissions-nodes.toml` - All node enode URLs (TOML format)

### Copied Keys
- ✅ `smom-dbis-138-proxmox/keys/validators/validator-*/key.priv` - Validator private keys
- ✅ `smom-dbis-138-proxmox/keys/validators/validator-*/address.txt` - Validator addresses
- ✅ `smom-dbis-138-proxmox/config/nodes/validator-*/nodekey` - Validator nodekeys (P2P identity)
- ✅ `smom-dbis-138-proxmox/config/nodes/sentry-*/nodekey` - Sentry nodekeys (P2P identity)
- ✅ `smom-dbis-138-proxmox/config/nodes/rpc-*/nodekey` - RPC nodekeys (P2P identity)

## 5. New Validator Addresses (Ordered)

```
validator0: 0x1c25c54bf177ecf9365445706d8b9209e8f1c39b
validator1: 0xc4c1aeeb5ab86c6179fc98220b51844b74935446
validator2: 0x22f37f6faaa353e652a0840f485e71a7e5a89373
validator3: 0x573ff6d00d2bdc0d9c0c08615dc052db75f82574
validator4: 0x11563e26a70ed3605b80a03081be52aca9e0f141
```

## 6. New Enode List (Ordered)

### Validators
```
enode://2221dd9fc65c9082d4a937832cba9f6759981888df6798407c390bd153f4332c152ea5d03dd9d9cda74d7990fb3479a5c4ba7166269322be9790eed9ebdcfe24@192.168.11.100:30303
enode://4e358db339804914d53bec6de23a269aef7be54c2812001025e6a545398ac64b2513a418cd3e2ca06dc57daf5c0aa2fb97c9948b6d7893e2bd51bf67dae97923@192.168.11.101:30303
enode://0daef7e3041ab3a5d73646ec882410302d63ece279b781be5cfed94c1970aacb438aeafc46d63a630b4ea5f7a0572a3a7edff028b16abc4c76ee84358af8c31f@192.168.11.102:30303
enode://107e59cb6c5ddf000082ddfd925aa670cba0c6f600c8e3dc5cdd6eb4ca818e0c22e4b33ef605eb4efd76ef29177ca00fd84a79935eccdddd2addbbb26d37a4a4@192.168.11.103:30303
enode://59844ade9912cee3a609fae1719694c607b30ac60a08532e6b15592524cb5f563f32c30d63e45075e7b9c76170a604f01fc6de02e3102f0f8d1648bf23425c16@192.168.11.104:30303
```

### Sentries (Members)
```
enode://2d4eeff2d5710427cf5f11319b48a883d5eb39e18e3a42052ccc6ea613d1f0ac72a17fc560b84e270ce0320b518bee7632071f20f64a69b6634496a66adafb71@192.168.11.150:30303
enode://88e407e879af2e5a6a9cfd16385390a7e6fce91fae462418fc858047d61f932f1e0114e99a8ff84c8f261c733cbb5bd7a76a7fbb5e5eac9920a41b11f6e5a07b@192.168.11.151:30303
enode://7a98f86ced272d3f61046b08bb617d157516fd21e3cf6edb0f8090ca87ea5f920bc05dac489c82cf7b8d32bd64c51f904d868ed0ce8f9c83bf1e9c2022b33baa@192.168.11.152:30303
enode://0cbd315d8f80f8ba46f0229297a493a71d37287cbfb0fc991dd3680fa4db21e2891d4dd2f1577c5020d93224a2f0f690b331551490796ddee3bbb56ecfa6b6f5@192.168.11.153:30303
```

### RPC Nodes (from member4-member6 in output/2025-12-20-19-54-21)
```
enode://6cdc892fa09afa2b05c21cc9a1193a86cf0d195ce81b02a270d8bb987f78ca98ad90d907670796c90fc6e4eaf3b4cae6c0c15871e2564de063beceb4bbfc6532@192.168.11.250:30303
enode://07daf3d64079faa3982bc8be7aa86c24ef21eca4565aae4a7fd963c55c728de0639d80663834634edf113b9f047d690232ae23423c64979961db4b6449aa6dfd@192.168.11.251:30303
enode://83eb8c172034afd72846740921f748c77780c3cc0cea45604348ba859bc3a47187e24e5fad7f74e5fe353e86fd35ab7c37f02cfbb8299a850a190b40968bd8e2@192.168.11.252:30303
```

## 7. Verification Checklist

✅ All validator keys generated using quorum-genesis-tool  
✅ genesis.json updated with new extraData (QBFT format, RLP-encoded)  
✅ static-nodes.json created with new validator enodes  
✅ permissioned-nodes.json created with all node enodes  
✅ permissions-nodes.toml created with all node enodes  
✅ Keys copied to repository structure  
✅ Validator addresses in extraData match new validator keys  

✅ **RPC nodes (VMIDs 2500-2502) included**

**Note**: RPC nodekeys were sourced from `member4-member6` in `output/2025-12-20-19-54-21` directory, which were generated in a separate quorum-genesis-tool run.

## 8. Updated extraData

The `extraData` field in `genesis.json` has been updated with the new QBFT validator addresses:

```
0xf88fa00000000000000000000000000000000000000000000000000000000000000000f869941c25c54bf177ecf9365445706d8b9209e8f1c39b94c4c1aeeb5ab86c6179fc98220b51844b749354469422f37f6faaa353e652a0840f485e71a7e5a8937394573ff6d00d2bdc0d9c0c08615dc052db75f825749411563e26a70ed3605b80a03081be52aca9e0f141c080c0
```

This contains:
- 32-byte vanity (zeros)
- RLP-encoded list of 5 validator addresses (20 bytes each)
- Empty seals section for genesis

## Next Steps

1. **Deploy new keys to nodes**: Copy the new keys from the repository to the deployed nodes
2. **Update node configurations**: Ensure all nodes reference the new keys
3. **Restart nodes**: Restart all nodes to apply the new keys
4. **Verify block production**: Confirm the network starts producing blocks with the new validators

## Important Notes

- **All old keys have been replaced** - Old validator addresses are no longer in use
- **genesis.json updated in-place** - All other settings (chainId, gasLimit, alloc, etc.) preserved
- **Deterministic generation** - All keys generated using quorum-genesis-tool for consistency
- **No manual edits required** - All configuration files auto-generated from the tool output