Identities and PEM Files

When we interact with the Internet Computer (IC), we use a principal for authentication. In fact, a principal is just a transformed version of a public key that is derived from a private key according to a Digital Signature Scheme.

For more detailed information about digital signatures, consult the IC Interface Specification.

Users of applications on the IC will typically use Internet Identity (or some other authentication tool like a hardware or software wallet) to manage and store private keys and generate signatures to sign calls and authenticate to services.

As a developer and user of dfx, you will work with private keys directly. This may be for testing purposes, where you might want to generate many private keys to emulate many identities, or for deployment purposes, where you may want to have several developer identities that you control, store and back up.

Default identity in dfx

dfx automatically generates a default private key and stores it in a file .config/dfx/identity/default/identity.pem. The private key inside looks like this:


This private key is stored in either encrypted or unencrypted form on your hard disk. In the case of an encrypted private key, you need to enter a password each time you want to use the key. Otherwise, the private key is stored in 'raw' form. Be careful, this is very insecure!

Generating a new identity

We can generate a new identity with dfx by running

dfx identity new NAME

where NAME is the name of your new identity. You will be prompted for a password.

For development, it might be useful to have 'throw away keys' without a password for easy testing of dfx features. For this we could run

dfx identity new NAME --storage-mode=plaintext

This will immediately generate a new private key and store it in a folder in .config/dfx/identity/.
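
An added example, not part of the original page or of dfx itself: a shell function that walks the identity folder described above and reports any identity.pem that holds an unencrypted PEM private key or is accessible to group or other users. It assumes one folder per identity, each containing identity.pem; the function names and the sample tree (placeholder bodies, with a standard encrypted-PEM header standing in for a protected key) are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a dfx identity directory for private keys that are
# stored unencrypted or are accessible to other local users.
# Assumption: one folder per identity containing identity.pem.

# Prints "<identity>: <finding>" per problem; returns 1 if anything was found.
audit_dfx_identities() {
    dir="${1:-$HOME/.config/dfx/identity}"
    found=0
    for pem in "$dir"/*/identity.pem; do
        [ -f "$pem" ] || continue            # glob matched nothing
        name=$(basename "$(dirname "$pem")")
        # A PEM private-key header with no ENCRYPTED marker means the key is
        # usable by anyone who can read the file.
        if grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$pem" &&
           ! grep -q 'ENCRYPTED' "$pem"; then
            echo "$name: plaintext private key"
            found=1
        fi
        # Characters 5-10 of the ls mode string are the group/other bits.
        if [ "$(ls -ld "$pem" | cut -c5-10)" != "------" ]; then
            echo "$name: file accessible to group or others"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample tree (placeholder bodies, not real key material).
make_sample_identities() {
    root=$(mktemp -d)
    mkdir -p "$root/throwaway" "$root/deploy"
    printf '%s\n' '-----BEGIN EC PRIVATE KEY-----' 'PLACEHOLDER' \
        '-----END EC PRIVATE KEY-----' > "$root/throwaway/identity.pem"
    chmod 644 "$root/throwaway/identity.pem"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'PLACEHOLDER' \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$root/deploy/identity.pem"
    chmod 600 "$root/deploy/identity.pem"
    echo "$root"
}

# Demo run on the constructed tree; pass a real path to audit your own.
sample=$(make_sample_identities)
audit_dfx_identities "$sample" || echo "findings reported for $sample"
rm -rf "$sample"
```

Called with no argument, audit_dfx_identities checks $HOME/.config/dfx/identity, and its non-zero return status makes it usable as a gate before a deployment script runs.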

Managing identities

Once we have multiple identities, we can list them by running

dfx identity list

This gives us a list of identities that are stored in .config/dfx/identity/. The currently selected identity will have an asterisk *.

We could switch between them by running

dfx identity use NAME

where NAME is the identity we want to switch to.

Anonymous identity

Besides the default identity (which is unique), dfx also allows us to use the anonymous identity to interact with our canisters. To switch to the anonymous identity we run

dfx identity use anonymous