sigp · antondlr · Sep 8, 2025 · Sep 8, 2025 · Sep 8, 2025 · Sep 8, 2025
diff --git a/.github/wordlist.txt b/.github/wordlist.txt
@@ -123,3 +123,12 @@ Callouts
 nav
 dev
 reviewable
+BIP
+derivation
+HKDF
+mnemonic
+mnemonics
+cryptographically
+deterministic
+randomize
+XOR
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/anchor/keygen/Cargo.toml b/anchor/keygen/Cargo.toml
@@ -6,13 +6,17 @@ authors = ["Sigma Prime <contact@sigmaprime.io>"]
 
 [dependencies]
 base64 = { workspace = true }
+bip39 = "2.0.0"
 clap = { workspace = true }
 global_config = { workspace = true }
+hkdf = "0.12.4"
 openssl = { workspace = true }
 operator_key = { workspace = true }
+rand = { workspace = true }
 rpassword = "7.4.0"
 serde = { workspace = true }
 serde_json = { workspace = true }
+sha2 = { workspace = true }
 thiserror = { workspace = true }
 tracing = { workspace = true }
 zeroize = { workspace = true }
diff --git a/anchor/keygen/README.md b/anchor/keygen/README.md
@@ -22,6 +22,39 @@ This creates:
 
 Make sure to provide the password via `--password-file` when running the Anchor node, or input it at startup. 
 
+## Deterministic Key Generation
+
+Generate deterministic RSA keys from BIP39 mnemonic seeds. This allows you to recreate the same keys deterministically from a mnemonic phrase.
+
+### Generate with new mnemonic
+```bash
+anchor keygen --deterministic
+```
+This will generate a new 24-word BIP39 mnemonic and derive an RSA key from it. **Save the mnemonic phrase securely** as you'll need it to regenerate the same key.
+
+### Generate from existing mnemonic
+```bash
+anchor keygen --deterministic --mnemonic "your twelve or twenty four word mnemonic phrase here"
+```
+
+### Generate from mnemonic file
+```bash
+anchor keygen --deterministic --mnemonic-file /path/to/mnemonic.txt
+```
+
+### Multiple keys from same mnemonic
+You can generate different keys from the same mnemonic using the derivation index:
+```bash
+anchor keygen --deterministic --mnemonic "your mnemonic..." --index 0  # First key
+anchor keygen --deterministic --mnemonic "your mnemonic..." --index 1  # Second key
+```
+
+### Deterministic + Encryption
+Combine deterministic generation with password protection:
+```bash
+anchor keygen --deterministic --encrypt --mnemonic "your mnemonic..."
+```
+
 ## Custom Output Directory
 ```bash
 anchor keygen --data-dir path/to/directory
@@ -32,4 +65,19 @@ anchor keygen --data-dir path/to/directory
 anchor keygen --force
 ```
 
+# Deterministic Key Generation Details
+
+The deterministic key generation uses:
+- **BIP39** mnemonic phrases (12 or 24 words)
+- **HKDF-SHA256** for key material derivation
+- **Cryptographically secure prime generation** with deterministic starting points
+
+This method ensures:
+- Same mnemonic + index always produces the same RSA key
+- Different indices produce different keys from the same mnemonic
+- Keys are cryptographically secure and suitable for production use
+- Full compatibility with BIP39 standards
+
+**Security Note**: Keep your mnemonic phrase secure and backed up. Anyone with the mnemonic can regenerate your keys.
+