diff --git a/cli/keyring_new.go b/cli/keyring_new.go
index 0efb155810..c30e476539 100644
--- a/cli/keyring_new.go
+++ b/cli/keyring_new.go
@@ -32,11 +32,15 @@ func MakeKeyringNewCommand(ctx context.Context) *cobra.Command {
 Randomly generate and store private keys in the keyring.
 By default peer and encryption keys will be generated.
 
-The DEFRA_KEYRING_SECRET environment variable must be set to unlock the keyring.
-This can also be done with a .env file in the working directory or at a path
-defined with the --secret-file flag.
+The DEFRA_KEYRING_SECRET environment variable is used to unlock an existing
+keyring. When no value is provided on a first run the keyring is initialised
+with "secret" as its password, which should be rotated before putting the
+node into production. The value can also be supplied through a .env file in
+the working directory or at a path defined with the --secret-file flag.
 
-WARNING: This will overwrite existing keys in the keyring.`,
+Existing keys are preserved unless --force is passed; running the command
+again without --force when a key already exists returns an error rather
+than overwriting.`,
 RunE: func(cmd *cobra.Command, args []string) error {
 k, err := openKeyring(cmd)
 if err != nil {
diff --git a/cli/root.go b/cli/root.go
index 06840e2434..ed211e2b30 100644
--- a/cli/root.go
+++ b/cli/root.go
@@ -94,7 +94,9 @@ Start a DefraDB node, interact with a local or remote node, and much more.
 cmd.PersistentFlags().String(
 "keyring-path",
 cfg.GetString(config.ConfigFlags["keyring-path"]),
- "Path to store encrypted keys when using the file backend",
+ "Path to store encrypted keys when using the file backend. "+
+ "Relative paths are resolved against --rootdir, so the default "+
+ "\"keys\" resolves to /keys (usually ~/.defradb/keys).",
 )
 cmd.PersistentFlags().Bool(
 "no-keyring",
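Review bot: The rewritten `Long` help text documents a fallback keyring password of "secret" when DEFRA_KEYRING_SECRET is unset, which would leave the peer and encryption keys encrypted under a publicly known value; the command should keep failing closed, as the removed wording required. Nothing in this hunk changes `openKeyring` or registers a `--force` flag, so as far as the diff shows the text may describe behaviour that does not exist, and the removed overwrite warning may still be accurate. I would keep `The DEFRA_KEYRING_SECRET environment variable must be set to unlock the keyring.` and `WARNING: This will overwrite existing keys in the keyring.` until the code that enforces the new behaviour lands in the same change. The RunE body continues outside the hunk.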
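Review bot: The third added string says the default resolves to `/keys`, a directory at the filesystem root, which contradicts the `~/.defradb/keys` example in the same sentence; a placeholder for the root directory appears to be missing. I would write it as `"\"keys\" resolves to <rootdir>/keys (usually ~/.defradb/keys).",`. The hunk changes only the flag description, so the claim that relative paths are resolved against --rootdir should be checked against the code that opens the file keyring, which is not visible here; an operator who trusts the wrong location may back up or lock down the wrong directory. The enclosing function starts and ends outside the hunk.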