π Site Β· π Docs Β· π¦ crates.io package Β· π¬ Cryptuon Research
Policy-enforcing trust boundary for PoS validators.
Nklave is a signing security layer that makes slashable signing impossible by construction. It sits between validator clients and signing keys, enforcing slashing-prevention rules before any signature is produced.
βββββββββββββββββββ βββββββββββββββββββββββββββββββββββ βββββββββββββββββββ
β Validator Clientβ β Nklave β β Signing Keys β
β β Sign β βββββββββββββββββββββββββββββ β β β
β - Lighthouse β βββββββΆ β β Policy Engine β β βββββββΆ β - BLS (ETH2) β
β - Teku β β β βββββββββββββββββββββββ β β β - Ed25519 β
β - Prysm β βββββββ β β β Slashing Protection β β β βββββββ β (Cosmos) β
β - Lodestar β Sig/ β β βββββββββββββββββββββββ β β Sign β β
β β Refuse β βββββββββββββββββββββββββββββ β β β
βββββββββββββββββββ βββββββββββββββββββββββββββββββββββ βββββββββββββββββββ
β
βΌ
βββββββββββββββββββββββββ
β Append-Only Log β
β + Checkpoints β
βββββββββββββββββββββββββ
docker run -p 9000:9000 ghcr.io/cryptuon/nklavecargo install nklave-server
nklave --keys-dir ./keys --data-dir ./datagit clone https://github.com/cryptuon/nklave
cd nklave
docker compose -f docker/docker-compose.yml up- Web3Signer Compatible - Drop-in replacement for existing validator setups
- Slashing Protection - Enforces EIP-3076 and custom rules at the signing layer
- Multi-Chain - Ethereum (BLS), Cosmos/CometBFT (Ed25519), extensible to others
- Audit Trail - Append-only decision logs with cryptographic chaining
- State Integrity - Rollback-resistant checkpoints prevent state manipulation
- Embedded UI - Vue.js dashboard for monitoring and operations
- High Availability - Primary/passive replication with automatic failover
| Crate | Description |
|---|---|
nklave-core |
Core signing logic, BLS/Ed25519 keys, slashing protection rules |
nklave-api |
Web3Signer-compatible HTTP API with embedded UI |
nklave-storage |
Append-only logs, checkpoints, EIP-3076 interchange |
nklave-server |
Main server binary with TLS, metrics, configuration |
nklave-cosmos |
Cosmos/CometBFT remote signer protocol |
nklave-cli |
CLI tools for key management and operations |
# Health checks
GET /livez # Liveness probe
GET /readyz # Readiness probe
GET /health # Detailed health status
# Web3Signer API
GET /api/v1/eth2/publicKeys # List validator public keys
POST /api/v1/eth2/sign/:pubkey # Sign a message
# Admin
POST /reload # Reload keys from disk
GET /status # Server status
POST /admin/checkpoint # Force checkpointEnvironment variables:
| Variable | Default | Description |
|---|---|---|
NKLAVE_LISTEN_ADDR |
127.0.0.1:9000 |
Server listen address |
NKLAVE_KEYS_DIR |
./keys |
Validator keystores directory |
NKLAVE_DATA_DIR |
./data |
State and logs directory |
NKLAVE_KEYSTORE_PASSWORD |
- | Password for encrypted keystores |
NKLAVE_API_TOKENS |
- | Comma-separated bearer tokens |
NKLAVE_METRICS_ADDR |
- | Prometheus metrics endpoint |
RUST_LOG |
nklave=info |
Log level |
Full documentation at docs.cryptuon.com/nklave:
Contributions are welcome. Please open an issue to discuss significant changes before submitting a PR.
# Run tests
cargo test --all
# Run with coverage
cargo llvm-cov --all-features
# Run benchmarks
cargo bench -p nklave-coreMIT License - Cryptuon Research Β· contact@cryptuon.com
nklave is one of 20 open-source blockchain-infrastructure projects from Cryptuon Research β blockchain theory, shipped as protocols.
Related projects: Tesseract Β· Switchboard Β· StreamSync
Docs: docs.cryptuon.com/nklave Β· Contact: contact@cryptuon.com