43

When I use the web3 interface to sign messages, it tells me that the account should be unlocked. How can I manage this with geth, and what exactly does unlocking mean?

Wang
  • I tried this command geth --unlock "ACCOUNT_PUBLIC_ADDRESS" --password "PASSWORD" and got the error: account unlock with http access is forbidden. Then I tried to unlock the account by typing this command personal.unlockAccount(eth.accounts[0], '1234', 9000) on the JavaScript console but still got the same error: account unlock with http access is forbidden – Haseeb Ahmad Sep 13 '19 at 10:48

3 Answers

56

By default, your accounts in Geth are "locked," which means that you can't send transactions from them. You need to unlock an account in order to send transactions from it through Geth directly or via RPC (though web3 does not support this). In order to unlock an account, you'll need to provide the password, which is used to decrypt the private key associated with your account, hence allowing you to sign transactions.

With that being said, how do you unlock an account? There are a couple different ways you can do it, which are highlighted in the Geth documentation. I'll provide an overview:

  1. Unlock account when you run Geth. The password parameter is optional. If you don't provide it, you'll be prompted to type in the password.

    # --password takes the path to a file that contains the password, not the password itself
    geth --unlock <YOUR_ACCOUNT_ADDRESS> --password <PATH_TO_PASSWORD_FILE>

  2. Unlock account from the Geth interactive JavaScript console. Again, the password is optional. If you don't provide it, you'll be prompted to type it in. Note that in earlier versions of Geth, providing the password as a parameter would cause the password to show up in the Geth log, which may be a security concern.

    personal.unlockAccount(address, "password")

Zack Coburn
  • 8
    It should be noted that entering the password non-interactively stores the password in plaintext in the console history. This should really not be used as it opens up an attack vector. – tayvano May 22 '16 at 02:06
  • 1
    geth --unlock is the way to do it. I guess web3 will log all of your inputs in the log – niksmac May 22 '16 at 03:18
  • 1
    I make the command like this "geth --unlock (0x3b3F14690C8Fb8b1B333Ff38961bdEEa658a3873)", but it tells me that "invalid account address or index '(0x3b3F14690C8Fb8b1B333Ff38961bdEEa658a3873)'", why? – Wang May 22 '16 at 04:28
  • 3
    Remove the brackets, then it should work: geth --unlock 0x3b3F14690C8Fb8b1B333Ff38961bdEEa658a3873 Note that this is prompting you for a password and the prompt for the password might be hidden somewhere in the mass of output during geth startup, e.g. Unlocking account 0xb2... | Attempt 1/3 Passphrase: I0522 12:30:46.360237 node/node.go:298] IPC endpoint opened: /home/someone/.ethereum/geth.ipc I0522 12:30:46.836509 p2p/nat/nat.go:111] mapped network port tcp:30303 -> 30303 (ethereum p2p) using UPNP IGDv1-IP11 (Try to find the word Passphrase in the above output ;) ) – SCBuergel May 22 '16 at 10:32
  • 1
    you could also use a file for your password like : --unlock "0x4ae4ddbf073ff57e5861490d72f9177d9039428a" --password "d:\p.txt" – Badr Bellaj Nov 29 '16 at 13:32
  • 1
    The proper way to unlock account in geth is geth unlock 0x4ae4ddbf073ff57e5861490d72f9177d9039428a,0x4ae4ddbf073ff57e5861490d72f9177d9039428b,0x4ae4ddbf073ff57e5861490d72f9177d9039428c --password . passwordFile should contain the password, one password in each line. – Himanshu sharma Jan 16 '17 at 06:52
  • 2
    So if you can unlock it, how do you lock it again? :p – Kebman Aug 15 '17 at 21:23
  • @Kebman you can specify time to keep it unlocked – tatigo Nov 08 '17 at 20:54
  • 1
    @kebman using attach or console: personal.unlockAccount(address, "password", 0) to leave unlocked till you re-lock it manually. personal.unlockAccount(address, "password", 300) to auto-lock after 300 seconds. You can of course add password but it's not recommended. (Nor keeping it unlocked indefinitely.) personal.lockAccount() usually works these days to lock manually. – B. Shea Dec 30 '17 at 00:19
  • 2
    @bshea Note that if you wish to use the automatic relock but don't want to pass your password as a parameter, you can also use personal.unlockAccount("address", undefined, 300) – Nulano Apr 04 '18 at 15:43
  • 1
    Note: if you got "Account unlock with HTTP access is forbidden!" You should run Geth node over https or (NOT FOR PRODUCTION) run with extra parameter: --allow-insecure-unlock – Andrei Sep 25 '19 at 17:41
10

Just to add to the excellent accepted answer.

You can also unlock the account from Web3 directly:

    web3.personal.unlockAccount('0xE0ca...c1f7', 'mypass')

And lock it back:

    web3.personal.lockAccount('0xE0ca...c1f7')

For more details refer to the web3-eth-personal module.

what exactly does unlocking mean?

A Geth node implementation contains built-in account management, that is, it maintains the account's private key, which is stored on disk in encrypted form. Unlocking an account means decrypting its private key and storing it in memory (it is never stored decrypted on disk).

⚠ This means you should take extra care not to allow anyone to access your Geth node via HTTP-RPC, WS-RPC or IPC, because these interfaces allow transferring ether from any unlocked account! ⚠

rustyx
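The warning above and the "account unlock with HTTP access is forbidden" error both concern unlocked keys being reachable through RPC. As an added example (not code from any answer on this page), the following check reviews a geth command line for that combination; the function names and the sample command lines are constructed for illustration, and the flags it inspects are geth's `--unlock`, `--allow-insecure-unlock`, `--http`/`--ws` with their `.addr` and `.api` options, and the legacy `--rpc*` spellings.

```python
import shlex

# geth switches that take no value; --rpc* are the legacy spellings of --http*.
BOOL_FLAGS = ("--http", "--ws", "--rpc", "--allow-insecure-unlock")
REMOTE_FLAGS = ("--http", "--ws", "--rpc")
ADDR_FLAGS = ("--http.addr", "--ws.addr", "--rpcaddr")
API_FLAGS = ("--http.api", "--ws.api", "--rpcapi")
LOOPBACK = ("127.0.0.1", "localhost", "::1")


def parse_flags(cmdline):
    """Map each flag on a geth command line to its value (True for switches)."""
    flags, tokens, i = {}, shlex.split(cmdline), 0
    while i < len(tokens):
        tok = tokens[i]
        i += 1
        if not tok.startswith("-"):
            continue  # binary name or subcommand such as "console"
        name, sep, value = tok.partition("=")
        name = "--" + name.lstrip("-")
        if not sep:
            takes_value = (name not in BOOL_FLAGS and i < len(tokens)
                           and not tokens[i].startswith("-"))
            value = tokens[i] if takes_value else True
            i += takes_value
        flags[name] = value
    return flags


def audit(cmdline):
    """Return findings about key exposure for one geth command line."""
    f, findings = parse_flags(cmdline), []
    if "--unlock" in f and any(r in f for r in REMOTE_FLAGS):
        findings.append("--unlock used together with an HTTP/WS RPC endpoint")
    if "--allow-insecure-unlock" in f:
        findings.append("--allow-insecure-unlock permits unlocking over HTTP")
    for flag in ADDR_FLAGS:
        if isinstance(f.get(flag), str) and f[flag] not in LOOPBACK:
            findings.append(f"{flag} {f[flag]} listens beyond loopback")
    for flag in API_FLAGS:
        if "personal" in str(f.get(flag, "")).split(","):
            findings.append(f"{flag} exposes the personal namespace")
    return findings


# Constructed sample command lines (not taken from the page).
RISKY = ("geth --http --http.addr 0.0.0.0 --http.api eth,personal "
         "--allow-insecure-unlock --unlock 0 --password pw.txt")
LOCAL = "geth --unlock 0 --password pw.txt console"

if __name__ == "__main__":
    for line in audit(RISKY):
        print("FINDING:", line)
```

An empty result only means none of these four patterns matched; IPC access and any proxy in front of the node are outside what the command line shows.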
0

web3.personal.unlockAccount('privatekey'); should work without the address param.

Code Tree