LinuxCommandLibrary

zerotier-idtool

Generate ZeroTier identities

TLDR

Generate a new ZeroTier identity and output the secret part to stdout

$ zerotier-idtool generate

Generate a new ZeroTier identity and save the secret and public parts to files

$ zerotier-idtool generate [path/to/identity.secret] [path/to/identity.public]

Generate a new ZeroTier identity with a specific hexadecimal vanity prefix (can take a long time)
$ zerotier-idtool generate [path/to/identity.secret] [path/to/identity.public] [vanity_prefix]

Extract the public portion from a secret identity
$ zerotier-idtool getpublic [path/to/identity.secret]

Sign a file using a secret identity
$ zerotier-idtool sign [path/to/identity.secret] [path/to/file]

Verify a signed file using a public identity and a hexadecimal signature
$ zerotier-idtool verify [path/to/identity.public] [path/to/file] [signature_hex]

Locally validate an identity's key and proof of work
$ zerotier-idtool validate [path/to/identity.public]

Display help
$ zerotier-idtool help

SYNOPSIS

zerotier-idtool <subcommand> [<arguments>...]

PARAMETERS

generate [<identity.secret>] [<identity.public>] [<vanity_prefix>]
    Generate a new identity. With no arguments the secret identity is written to stdout; with file arguments the secret and public forms are written to those files. A vanity prefix restricts the 40-bit address to one beginning with the given hex digits, which multiplies the expected generation time by 16 for every digit.

validate <identity.secret|identity.public>
    Check that the identity parses, that its address is the one derived from the public key (the proof-of-work step) and that the address is not reserved. Exit 0 if valid.

getpublic <identity.secret>
    Print the public form of a secret identity (address, type and public key, without the private key) to stdout.

sign <identity.secret> <file>
    Sign the contents of file with the identity's Ed25519 signing key; the signature is printed to stdout as hex.

verify <identity.public|identity.secret> <file> <signature_hex>
    Verify a signature produced by sign against the identity's public key. Exit 0 if valid.

initmoon <identity.public of the first root>
    Print a JSON template for a moon (a user-defined set of root servers) seeded with the given root identity.

genmoon <moon.json>
    Sign a moon definition and write the binary .moon file that zerotier-one loads.

help
    Print usage.

DESCRIPTION

zerotier-idtool is a command-line utility shipped with ZeroTier One, the daemon behind ZeroTier's peer-to-peer virtual networks. It creates and inspects node identities, signs and verifies files with them, and prepares moon (custom root server) definitions. A ZeroTier identity is a Curve25519 key pair for key agreement plus an Ed25519 key pair for signatures. The node's 40-bit ZeroTier address is derived from the public key by a memory-hard hash with a proof-of-work requirement, so an address cannot be chosen freely and a new key cannot cheaply be made to match an existing address.

The secret identity is a single line of the form ADDRESS:0:PUBLICKEY:PRIVATEKEY, where ADDRESS is 10 hex characters, 0 is the identity type, and each key is 128 hex characters (64 bytes: the Curve25519 half followed by the Ed25519 half). identity.public is the same line without the private key. A running zerotier-one daemon keeps both files in its home directory (/var/lib/zerotier-one on Linux) and generates them on first start if they are missing; the address in identity.public is what a network controller authorizes when the node joins a network.

The tool matters most for self-hosted and fleet setups: pre-generating identities during provisioning, checking that an identity file has not been corrupted or tampered with (validate), signing arbitrary files so that peers holding the signer's public identity can verify them, and building moons so nodes can use your own root servers. Generated secrets and signatures go to stdout, so the tool composes with pipes and redirection, and failures exit non-zero, which makes it safe to drive from scripts.

Treat identity.secret as the node's long-term private key. Anyone who obtains it can impersonate the node's address, and that address is exactly what controllers have authorized, so a leaked secret grants access to every network the node was a member of. Keep it mode 0600, out of version control and unencrypted backups, and generate a fresh identity when cloning a VM or container image instead of copying the file: two nodes sharing one identity conflict on the network.

CAVEATS

identity.secret is the node's private key; store it with mode 0600 and never copy it between nodes.
A malformed or unreadable identity argument is rejected with an error on stderr and exit status 1; check the exit status in scripts rather than assuming success.
sign prints only the hex signature to stdout; redirect it to a file if you need to keep it.
validate proves that the address belongs to the public key, not that the key belongs to anyone in particular. The 40-bit address is short, so pin the full identity (address plus public key) rather than the address alone when you need to trust a specific peer.
Vanity prefixes are found by brute force, and every candidate costs one memory-hard proof of work, so expect roughly 16x more time per additional hex digit.
There are no global options; the first argument must be a subcommand.

FILE FORMATS

identity.public: one line, ADDRESS:0:PUBLICKEY (10 hex characters, the literal ":0:", then 128 hex characters of public key).
identity.secret: one line, ADDRESS:0:PUBLICKEY:PRIVATEKEY (the public form followed by ":" and 128 hex characters of private key).
moon definition (written by initmoon, read by genmoon): JSON with "id" (the moon's world ID), "roots" (each entry carrying the root's "identity" and a list of "stableEndpoints"), and the "signingKey"/"signingKey_SECRET" pair that genmoon uses to sign the moon.
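As an added example (not code from this page or from ZeroTier), here is a Python parser for the identity line format described above. It enforces the field layout and the reserved-address rule that validate applies, splits the 64-byte key into its Curve25519 and Ed25519 halves, and reproduces what getpublic strips off. The sample identity is constructed filler: its address does not derive from its key, so only the structural checks pass, and the proof-of-work that binds address to key is left to zerotier-idtool validate. The helper names and sample values are assumptions for illustration.

```python
import re

# Structural parser for ZeroTier identity strings (the contents of identity.public
# and identity.secret). It checks layout and the reserved-address rule; it does NOT
# recompute the proof-of-work that ties the address to the key, which only
# `zerotier-idtool validate` (or the ZeroTier library itself) can do.

HEX = re.compile(r"^[0-9a-fA-F]+$")
ADDRESS_HEX_LEN = 10      # 40-bit address
KEY_HEX_LEN = 128         # 64-byte key: 32 bytes Curve25519 + 32 bytes Ed25519
RESERVED_PREFIX = 0xFF    # addresses starting with 0xff are reserved, as is 0


def parse_identity(text):
    """Parse ADDRESS:0:PUBKEY[:PRIVKEY] into a dict; raise ValueError if malformed."""
    fields = text.strip().split(":")
    if len(fields) not in (3, 4):
        raise ValueError("expected 3 (public) or 4 (secret) colon-separated fields")
    addr_hex, id_type, pub_hex = fields[0], fields[1], fields[2]
    priv_hex = fields[3] if len(fields) == 4 else None

    if id_type != "0":
        raise ValueError("unsupported identity type %r (only type 0 is defined)" % id_type)
    for name, value, want in (("address", addr_hex, ADDRESS_HEX_LEN),
                              ("public key", pub_hex, KEY_HEX_LEN),
                              ("private key", priv_hex, KEY_HEX_LEN)):
        if value is None:
            continue
        if len(value) != want or not HEX.match(value):
            raise ValueError("%s must be %d hex characters" % (name, want))

    address = int(addr_hex, 16)
    if address == 0 or (address >> 32) == RESERVED_PREFIX:
        raise ValueError("address %s is reserved" % addr_hex)

    pub = bytes.fromhex(pub_hex)
    ident = {
        "address": addr_hex.lower(),
        "curve25519_public": pub[:32],   # key-agreement half
        "ed25519_public": pub[32:],      # signature-verification half
        "has_secret": priv_hex is not None,
    }
    if priv_hex is not None:
        priv = bytes.fromhex(priv_hex)
        ident["curve25519_private"] = priv[:32]
        ident["ed25519_private"] = priv[32:]
    return ident


def public_part(text):
    """Return the identity.public form of an identity string (what `getpublic` prints)."""
    parse_identity(text)                      # reject anything malformed first
    return ":".join(text.strip().split(":")[:3])


def is_well_formed(text):
    """True if the string parses; handy as a pre-flight check in provisioning scripts."""
    try:
        parse_identity(text)
        return True
    except ValueError:
        return False


def secret_mode_ok(mode):
    """True if a file mode (as in os.stat(path).st_mode) grants nothing to group/other."""
    return (mode & 0o077) == 0


# Constructed sample: hex filler, NOT a real identity. Its address does not derive
# from its key, so `zerotier-idtool validate` would reject it; structural checks pass.
SAMPLE_PUBLIC = "1a2b3c4d5e:0:" + "ab" * 32 + "cd" * 32
SAMPLE_SECRET = SAMPLE_PUBLIC + ":" + "ef" * 32 + "01" * 32

if __name__ == "__main__":
    ident = parse_identity(SAMPLE_SECRET)
    print("address:", ident["address"], "has secret:", ident["has_secret"])
    print("public form:", public_part(SAMPLE_SECRET))
    print("reserved address rejected:", not is_well_formed("ff00000000:0:" + "ab" * 64))
```

Run it against a real file with `parse_identity(open("/var/lib/zerotier-one/identity.secret").read())` and `secret_mode_ok(os.stat(path).st_mode)` to catch a world-readable secret before a node is deployed; anything that passes here still needs `zerotier-idtool validate` to confirm the address actually belongs to the key.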

HISTORY

zerotier-idtool is part of ZeroTier One, developed by ZeroTier, Inc. It has been installed alongside the zerotier-one daemon (on Linux usually as a link to the same binary, which selects its mode from the name it is invoked by) throughout the 1.x series, including v1.12 and later. ZeroTier One is source-available under the Business Source License 1.1; releases before 1.4 were GPLv3.
