Skip to content

Running an Anchor SSV Operator

What is an SSV Operator

An SSV operator is a node that holds shares of validators' keys and participates in committees to perform Ethereum validation duties. The SSV network enables distributed validation where multiple operators collectively validate without any single operator having access to the complete validator key.

If you want to migrate an existing key from the Golang implementation of SSV, you can directly proceed to Step 3 or check out the dedicated migrating to anchor section.

Client Dependencies

Anchor requires access to an Ethereum Consensus Beacon Node (via the HTTP API) and to an execution client via BOTH the HTTP API and Websockets (WS) protocols.

Consensus Clients

All consensus clients have the required http API. Generally they need to be enabled via the CLI. For example with Lighthouse, the client needs to be run with the --http flag:

lighthouse bn ... --http --http-address 0.0.0.0

The http-address may be required if Anchor is accessing the beacon node from another computer.

Execution Clients

For Anchor to function with an execution client, it requires access to both the HTTP API and its websockets API. These can generally be enabled similarly to beacon nodes via CLI flags. For example, for go-ethereum, the following flags can enable these:

geth ... --http --http.addr "0.0.0.0" --http.corsdomain "*" --ws --ws.origins "*" --ws.addr
"0.0.0.0"

It is important to note that only the --http and --ws flags are necessary. The other flags are added here as they may help when connecting to the node remotely. These have important security ramifications and should only be set if needed. Check each clients documentation to ensure which flags are needed for your specific setup.

Setting up Anchor

Step 1: Generate RSA keys

Anchor includes a key generation tool to create the RSA keys needed for operator identity:

# Generate unencrypted keys (for development)
anchor keygen
 
# Generate encrypted keys (recommended for production)
anchor keygen --encrypt --data-dir /path/to/keys/directory

This will generate:

  • Your private key. If you choose to not encrypt your key, the file will be called private_key.txt. For encrypted keys, the file will be called encrypted_private_key.json.
  • The public key output in the console and a file called public_key.txt.

Save your public key as you'll need it for on-chain registration. Back up your key as it cannot be restored if lost!

Step 2: Register as an Operator on the SSV Network

To register an operator, follow the instructions in the official ssv docs.

Step 3: Configure and run your Anchor node

Create a directory for Anchor-related data and move the generated private key into the directory. By default, Anchor uses ~/.anchor/<network>, where <network> is mainnet, hoodi or holesky. We use hoodi below:

mkdir -p ~/.anchor/hoodi
 
mv encrypted_private_key.json ~/.anchor/hoodi/

Use the CLI Reference or --help to launch the node. If you use an encrypted key, you must specify the password via a password file or interactively input it when starting the node.

anchor node \
  --network hoodi \
  --datadir ~/.anchor/hoodi \
  --beacon-nodes http://localhost:5052 \
  --execution-rpc http://localhost:8545 \
  --execution-ws ws://localhost:8546 \
  --password-file /path/to/file

All options used in this example (except for the password-file) are actually used with the default values and can therefore be omitted, or adjusted to your setup.

The Anchor node will use the same ports as used by Go-SSV unless explicitly overridden. See Advanced Networking for more information