Setup Full Node

This document details how to join the Secret Network secret-4 mainnet as a full node. Once your full node is running and state synced to the current block, you can turn it into a validator in the optional last step.


Secret Network has strict Hardware Requirements. If your machine does not meet them, it will *NOT* work as a node.
  • Ubuntu/Debian host (with ZFS or LVM to be able to add more storage easily)
  • A public IP address
  • Open ports TCP 26656 & 26657 Note: If you're behind a router or firewall then you'll need to port forward on the network device.
  • RPC address of an already active node. You can use any node that exposes RPC services.
  • Refer to Intel Processor Specifications if you're unsure if your processor supports SGX

Minimum Requirements

  • 32GB RAM
  • 512GB SDD
  • 1 dedicated core of any Intel Skylake processor (Intel® 6th generation) or better (Xeon gen3 (Ice Lake) NOT supported)
  • Motherboard with support for SGX in the BIOS
  • 32GB RAM
  • 1TB NVMe SSD
  • 2 dedicated cores of any Intel Skylake processor (Intel® 6th generation) or better (Xeon gen3 (Ice Lake) NOT supported)
  • Motherboard with support for SGX in the BIOS


Install SGX and secretd

This guide assumes you've already installed the latest version of secretd and SGX. To setup an archive node, you must follow the Archive Nodes instructions.
For more information on SGX, see instructions for SGX Installation and Verifying SGX. See Node Registration Information if you'd like a more comprehensive overview on what's happening in these steps.

Initialize Secret Network Configs

Choose a moniker for yourself, and replace <MONIKER> with your moniker below. This moniker will serve as your public nickname in the network.
secretd init <MONIKER> --chain-id secret-4
This will generate the following files in ~/.secretd/config/
  • genesis.json
  • node_key.json
  • priv_validator_key.json

Download genesis.json

The genesis file is how other nodes on the network know what network you should be on.
wget -O ~/.secretd/config/genesis.json ""
# verify genesis.json checksum
echo "759e1b6761c14fb448bf4b515ca297ab382855b20bae2af88a7bdd82eb1f44b9 $HOME/.secretd/config/genesis.json" | sha256sum --check

Initialize Secret Enclave

Initialize /opt/secret/.sgx_secrets:
mkdir -p /opt/secret/.sgx_secrets
You can choose between two methods, automatic or manual:

Initialize Secret Enclave - Automatic Registration (EXPERIMENTAL)

WARNING: This method is experimental, and may not work. If it doesn't work, skip to manual registration.
The following commands will create the necessary environment variables and attempt to automatically register the node.
export SCRT_ENCLAVE_DIR=/usr/lib
export SCRT_SGX_STORAGE=/opt/secret/.sgx_secrets
secretd auto-register
If this step was successful, you can skip straight to Optimization.

Initialize Secret Enclave - Manual Registration

secretd init-enclave

Verify Enclave Initialization

The attestation certificate should have been created by the previous step
ls -lh /opt/secret/.sgx_secrets/attestation_cert.der
Verify the certificate is valid. A 64-character registration key will be printed if it was successful.
PUBLIC_KEY=$(secretd parse /opt/secret/.sgx_secrets/attestation_cert.der 2> /dev/null | cut -c 3-)
If registration was NOT succesfull consider checking out the Registration troubleshooting help or contact a fellow validator on our discord.

Configure secretd

The following steps should use secretd be ran on the full node itself. To run the steps with secretd on a local machine, set up the CLI there.
Configure secretd. Initially you'll be using the bootstrap node, as you'll need to connect to a running node and your own node is not running yet.
secretd config chain-id secret-4
secretd config node
secretd config output json

Fund Secret Wallet

If you already have a wallet funded with SCRT, you can import the wallet by doing the following:
secretd keys add <key-alias> --recover
Otherwise, you will need to set up a key. Make sure you back up the mnemonic and the keyring password.
secretd keys add <key-alias>
This will output your address, a 45 character-string starting with secret1....

Configure Node Attestation

  1. 1.
    Register your node on-chain
secretd tx register auth /opt/secret/.sgx_secrets/attestation_cert.der -y --from <key-alias>
2. Pull & check your node's encrypted seed from the network
SEED=$(secretd query register seed $PUBLIC_KEY | cut -c 3-)
echo $SEED
3. Get additional network parameters
These are necessary to configure the node before it starts.
secretd query register secret-network-params
ls -lh ./io-master-key.txt ./node-master-key.txt

Configure Secret Node

From here on, commands must be ran on the full node.
mkdir -p ~/.secretd/.node
secretd configure-secret node-master-key.txt $SEED


In order to be able to handle NFT minting and other Secret Contract-heavy operations, it's recommended to update your SGX memory enclave cache:
sed -i.bak -e "s/^contract-memory-enclave-cache-size *=.*/contract-memory-enclave-cache-size = \"15\"/" ~/.secretd/config/app.toml
Also checkout this document by block pane for fine tuning your machine for better uptime.

Set minimum-gas-price Parameter

We recommend 0.0125uscrt per gas unit:
perl -i -pe 's/^minimum-gas-prices = .+?$/minimum-gas-prices = "0.0125uscrt"/' ~/.secretd/config/app.toml
Your node will not accept transactions that specify --fees lower than the minimun-gas-price you set here.

Enable secret-node:

Note that the secret-node system file is created when installing sgx.
sudo systemctl enable secret-node && sudo systemctl start secret-node
If everything above worked correctly, the following command will show your node streaming blocks (this is for debugging purposes only, kill this command anytime with Ctrl-C).
journalctl -f -u secret-node
-- Logs begin at Mon 2020-02-10 16:41:59 UTC. --
Nov 09 11:16:31 scrt-node-01 secretd[619529]: 11:16AM INF indexed block height=12 module=txindex
Nov 09 11:16:35 scrt-node-01 secretd[619529]: 11:16AM INF Ensure peers module=pex numDialing=0 numInPeers=0 numOutPeers=0 numToDial=10
Nov 09 11:16:35 scrt-node-01 secretd[619529]: 11:16AM INF No addresses to dial. Falling back to seeds module=pex
Nov 09 11:16:36 scrt-node-01 secretd[619529]: 11:16AM INF Timed out dur=4983.86819 height=13 module=consensus round=0 step=1
Nov 09 11:16:36 scrt-node-01 secretd[619529]: 11:16AM INF received proposal module=consensus proposal={"Type":32,"block_id":{"hash":"0AF9693538AB0C753A7EA16CB618C5D988CD7DC01D63742DC4795606D10F0CA4","parts":{"hash":"58F6211ED5D6795E2AE4D3B9DBB1280AD92B2EE4EEBAA2910F707C104258D2A0","total":1}},"height":13,"pol_round":-1,"round":0,"signature":"eHY9dH8dG5hElNEGbw1U5rWqPp7nXC/VvOlAbF4DeUQu/+q7xv5nmc0ULljGEQR8G9fhHaMQuKjgrxP2KsGICg==","timestamp":"2021-11-09T11:16:36.7744083Z"}
Nov 09 11:16:36 scrt-node-01 secretd[619529]: 11:16AM INF received complete proposal block hash=0AF9693538AB0C753A7EA16CB618C5D988CD7DC01D63742DC4795606D10F0CA4 height=13 module=consensus
Nov 09 11:16:36 scrt-node-01 secretd[619529]: 11:16AM INF finalizing commit of block hash=0AF9693538AB0C753A7EA16CB618C5D988CD7DC01D63742DC4795606D10F0CA4 height=13 module=consensus num_txs=0 root=E4968C9B525DADA22A346D5E158C648BC561EEC351F402A611B9DA2706FD8267
Nov 09 11:16:36 scrt-node-01 secretd[619529]: 11:16AM INF minted coins from module account amount=6268801uscrt from=mint module=x/bank
Nov 09 11:16:36 scrt-node-01 secretd[619529]: 11:16AM INF executed block height=13 module=state num_invalid_txs=0 num_valid_txs=0
Nov 09 11:16:36 scrt-node-01 secretd[619529]: 11:16AM INF commit synced commit=436F6D6D697449447B5B373520353520323020352032342031312032333820353320383720313137203133372031323020313638203234302035302032323020353720343520363620313832203138392032333920393920323439203736203338203131322035342032332033203233362034375D3A447D
Nov 09 11:16:36 scrt-node-01 secretd[619529]: 11:16AM INF committed state app_hash=4B371405180BEE3557758978A8F032DC392D42B6BDEF63F94C2670361703EC2F height=13 module=state num_txs=0
You are now a full node. 🎉

Get Node ID

secretd tendermint show-node-id
And publish yourself as a node with this ID:
Be sure to point your CLI to your running node instead of the bootstrap node
secretcli config node tcp://localhost:26657
If someone wants to add you as a peer, have them add the above address to their persistent_peers in their ~/.secretd/config/config.toml.
And if someone wants to use your node from their secretcli then have them run:
secretcli config chain-id secret-4
secretcli config output json
secretcli config indent true
secretcli config node tcp://<your-public-ip>:26657


To sync to head quickly, please see Snapshot.

State Sync

You can skip syncing from scratch or download a snapshot by State Syncing to the current block.

Optional: Become a Validator

To turn your full node into a validator, see Joining Mainnet as a Validator.