clef
SYNOPSIS
clef [options]
PARAMETERS
--help
Print usage information
--version
Print version number
--keystore
Directory for keystores (default ~/.clef)
--chainid
Override chain ID for signing (default 1)
--lightkdf
Use light key derivation function
--stdio-ui
Use STDIO for external UI communication
--networkid
Network ID for EIP-155 transaction signing
--ipcdisable
Disable IPC listener backend
--auditlog
File for audit logs of signing events
--rules
EASM rules file for signing policies
--usb
Enable USB hardware wallet support
--4bytelookup
Enable 4byte signature lookup
--legacy
Use legacy rule engine (deprecated)
DESCRIPTION
Clef is a standalone, secure key management tool from the Go Ethereum (Geth) suite, designed for signing Ethereum transactions without exposing private keys to client applications. It acts as a backend daemon, supporting software keystores, hardware wallets (Ledger, Trezor via USB), and rule-based signing policies. Clef integrates with Ethereum clients like Geth via IPC or STDIO, enabling external UIs for transaction approval. Key features include audit logging, 4-byte signature lookup for human-readable decoding, and EASM (Ethereum Signing Markup Language) rules for automating approvals based on conditions like value limits or contract blacklists. Security is paramount: keys remain isolated, with options for light KDF, password protection, and USB Armory support. Run it as clef in daemon mode for production use, configuring via command-line flags or config files. Ideal for developers and validators needing robust, customizable signing infrastructure.
CAVEATS
Clef stores private keys in password-encrypted keystore files; use strong passwords and hardware wallets for production.
Daemon mode (--stdio-ui) requires a trusted external UI to avoid phishing risks.
Not for casual use; it exposes a signing interface.
DAEMON MODE
Run without arguments to start the interactive daemon; it pairs with clients via an IPC socket.
Use clef attach for console access.
SECURITY MODEL
Private keys never leave the Clef process.
Supports approve/deny decisions via UI callbacks; audit all actions.
EASM RULES
Define signing logic in EASM files (e.g., reject high-value tx).
Example: --rules myrules.easm
HISTORY
Developed by the Geth team (Ethereum Foundation) around 2018 as a secure replacement for Geth's account manager. Evolved with EIP-712, hardware support, and EASM rules in subsequent releases. Now standard for secure signing in Ethereum tooling.
SEE ALSO
geth(1), eth(1)


