How To Join Secret Network as a Full Node on Testnet

This document details how to join the Secret Network testnet as a full node. Once your full node is running, you can turn it into a validator in the optional last step.


  • Ubuntu/Debian host (with ZFS or LVM to be able to add more storage easily)
  • A public IP address
  • Open ports TCP 26656 & 26657Note: If you're behind a router or firewall then you'll need to port forward on the network device.
  • Reading
  • RPC address of an already active node. You can use, or any other node that exposes RPC services.

Minimum requirements

  • 1GB RAM
  • 100GB HDD
  • 1 dedicated core of any Intel Skylake processor (Intel® 6th generation) or better
  • 2GB RAM
  • 256GB SSD
  • 2 dedicated cores of any Intel Skylake processor (Intel® 6th generation) or better
  • Motherboard with support for SGX in the BIOS

Refer to if unsure if your processor supports SGX


0. Step up SGX on your local machine

See instructions for setup and verification.

1. Download the Secret Network package installer for Debian/Ubuntu:


(How to verify releases)

2. Install the package:

sudo dpkg -i secretnetwork_0.8.1_amd64.deb

3. Initialize your installation of the Secret Network.

Choose a moniker for yourself, and replace <MONIKER> with your moniker below. This moniker will serve as your public nickname in the network.

secretd init <MONIKER> --chain-id enigma-pub-testnet-4

4. Download a copy of the Genesis Block file: genesis.json

wget -O ~/.secretd/config/genesis.json ""

5. Validate the checksum for the genesis.json file you have just downloaded in the previous step:

echo "0ccbe047a8dbdc43ee2f3de74f7a26fc36376aec130b8813ac76a1f95e5a6e8f $HOME/.secretd/config/genesis.json" | sha256sum --check

6. Validate that the genesis.json is a valid genesis file:

secretd validate-genesis

7. The rest of the commands should be ran from the home folder (/home/<your_username>)

cd ~

8. Initialize secret enclave

Make sure the directory ~/.sgx_secrets exists:

mkdir -p ~/.sgx_secrets

Make sure SGX is enabled and running or this step might fail.

export SCRT_ENCLAVE_DIR/usr/lib
secretd init-enclave 

9. Check that initialization was successful

Attestation certificate should have been created by the previous step

ls -lh ./attestation_cert.der

10. Check your certificate is valid

Should print your 64 character registration key if it was successful.

PUBLIC_KEY$(secretd parse attestation_cert.der 2> /dev/null | cut -c 3-)

11. Config secretcli, generate a key and get some test-SCRT from the faucet

The steps using secretcli can be run on any machine, they don't need to be on the full node itself. We'll refer to the machine where you are using secretcli as the "CLI machine" below.

To run the steps with secretcli on another machine, set up the CLI there.

Configure secretcli. Initially you'll be using the bootstrap node, as you'll need to connect to a running node and your own node is not running yet.

secretcli config chain-id enigma-pub-testnet-4
secretcli config node tcp://
secretcli config output json
secretcli config indent true
secretcli config trust-node true

Set up a key. Make sure you backup the mnemonic and the keyring password.

secretcli keys add $INSERT_YOUR_KEY_NAME

This will output your address, a 45 character-string starting with secret1.... Copy/paste it to get some test-SCRT from the faucet . Continue when you have confirmed your account has some test-SCRT in it.

12. Register your node on-chain

Run this step on the CLI machine. If you're using different CLI machine than the full node, copy attestation_cert.der from the full node to the CLI machine.

secretcli tx register auth <path/to/attestation_cert.der> --from $INSERT_YOUR_KEY_NAME --gas 250000

13. Pull & check your node's encrypted seed from the network

Run this step on the CLI machine.

SEED$(secretcli query register seed "$PUBLIC_KEY" | cut -c 3-)
echo $SEED

14. Get additional network parameters

Run this step on the CLI machine.

These are necessary to configure the node before it starts.

secretcli query register secret-network-params
ls -lh ./io-master-cert.der ./node-master-cert.der

If you're using different CLI machine than the validator node, copy node-master-cert.der from the CLI machine to the validator node.

15. Configure your secret node

From here on, run commands on the full node again.

mkdir -p ~/.secretd/.node
secretd configure-secret node-master-cert.der "$SEED"

16. Add persistent peers to your configuration file.

You can also use Enigma's node:

perl -i -pe 's/persistent_peers  ""/persistent_peers  "115aa0a629f5d70dd1d464bc7e42799e00f4edae\"/' ~/.secretd/config/config.toml

17. Listen for incoming RPC requests so that light nodes can connect to you:

perl -i -pe 's/laddr  .+?26657"/laddr  "tcp:\/\/"/' ~/.secretd/config/config.toml

18. Enable secret-node as a system service:

sudo systemctl enable secret-node

19. Start secret-node as a system service:

sudo systemctl start secret-node

20. If everything above worked correctly, the following command will show your node streaming blocks (this is for debugging purposes only, kill this command anytime with Ctrl-C):

journalctl -f -u secret-node
-- Logs begin at Mon 2020-02-10 16:41:59 UTC. --
Feb 10 21:18:34 ip-172-31-41-58 secretd[8814]: I[2020-02-10|21:18:34.307] Executed block                               modulestate height2629 validTxs0 invalidTxs0
Feb 10 21:18:34 ip-172-31-41-58 secretd[8814]: I[2020-02-10|21:18:34.317] Committed state                              modulestate height2629 txs0 appHash34BC6CF2A11504A43607D8EBB2785ED5B20EAB4221B256CA1D32837EBC4B53C5
Feb 10 21:18:39 ip-172-31-41-58 secretd[8814]: I[2020-02-10|21:18:39.382] Executed block                               modulestate height2630 validTxs0 invalidTxs0
Feb 10 21:18:39 ip-172-31-41-58 secretd[8814]: I[2020-02-10|21:18:39.392] Committed state                              modulestate height2630 txs0 appHash17114C79DFAAB82BB2A2B67B63850864A81A048DBADC94291EB626F584A798EA
Feb 10 21:18:44 ip-172-31-41-58 secretd[8814]: I[2020-02-10|21:18:44.458] Executed block                               modulestate height2631 validTxs0 invalidTxs0
Feb 10 21:18:44 ip-172-31-41-58 secretd[8814]: I[2020-02-10|21:18:44.468] Committed state                              modulestate height2631 txs0 appHashD2472874A63CE166615E5E2FDFB4006ADBAD5B49C57C6B0309F7933CACC24B10

You are now a full node. 🎉

21. Get your node ID with:

secretd tendermint show-node-id

And publish yourself as a node with this ID:


Be sure to point your CLI to your running node instead of the bootstrap node

secretcli config node tcp://localhost:26657

If someone wants to add you as a peer, have them add the above address to their persistent_peers in their ~/.secretd/config/config.toml.

And if someone wants to use your node from their secretcli then have them run:

secretcli config chain-id enigma-pub-testnet-4
secretcli config output json
secretcli config indent true
secretcli config node tcp://<your-public-ip>:26657

22. Optional: make your full node a validator

Your full node is now part of the network, storing and verifying chain data and Secret Contracts, and helping to distribute transactions and blocks. It's usable as a sentry node, for people to connect their CLI or light clients, or just to support the network.

It is however not producing blocks yet, and you can't delegate funds to it for staking. To do that that you'll have to turn it into a validator by submitting a create-validator transaction.

On the full node, get the pubkey of the node:

secretd tendermint show-validator

The pubkey is an 83-character string starting with secretvalconspub....

On the CLI machine, run the following command. The account you use becomes the operator account for your validator, which you'll use to collect rewards, participate in on-chain governance, etc, so make sure you keep good backups of the key. <moniker> is the name for your validator which is shown e.g. in block explorers.

secretcli tx staking create-validator \
  --amount<amount-to-delegate-to-yourself>uscrt \
  --pubkey<pubkey of the full node> \
  --commission-rate"0.10" \
  --commission-max-rate"0.20" \
  --commission-max-change-rate"0.01" \
  --min-self-delegation"1" \
  --moniker"<moniker>" \

The create-validator command allows using some more parameters. For more info on these and the additional parameters, run secretcli tx staking create-validator --help.

After you submitted the transaction, check you've been added as a validator:

secretcli q staking validators | grep moniker

Congratulations! You are now running a validator on the Secret Network testnet.