Setting up a Trustee
Trustees are a core component of PAD. PAD relies on sufficient number of Trustees acting honestly. This is a means of decentralising trust. Given their essential role, Trustees should be run by trusted individuals.
We recommend running a Trustee on a Raspberry Pi. The Trustee software will then run as a daemon and periodically queries the PAD server and responds accordingly. The procedure is simple: download the scripts; edit the configuration file; then start the Trustee daemon.
In the following sections, we assume access to the Raspberry Pi is already set up, either with a monitor and mouse or in headless mode via secure shell (SSH) (See this for a tutorial on setting up a headless Raspberry Pi).

Clone the repository

[email protected]:~$ git clone
The repository is currently private. Please email [email protected] with your GitHub account name and we will send you a licence to provide access to the repo.
The repository consists of the installer script, the NodeJS source code of the Trustee, a template configuration file config/pad-trustee.json and a service file service/pad-trustee.service that makes the Trustee a daemon.

Install node.js and npm

[email protected]:~$ sudo apt update
[email protected]:~$ sudo apt install nodejs npm
This will install Node.js and npm (Node Package Manager).

Run the installer

with the command
[email protected]:~/pad-trustee-node$ ./
where ~/pad-trustee-node is the location of the downloaded repository.
The script
  • checks if nvm (Node Version Manager) is installed
    • if not, prompts to install nvm. The user can also manually install nvm.
  • generates a random ID for the Trustee
  • generates the decryption key and signing key
  • creates directories that sit the configuration files and Trustee private keys, the source code and the service file
  • generates a configuration file with the Trustee's ID and private keys
  • installs NodeJS 14 and installs dependencies
  • most importantly, display the public details of the Trustee
Copy the last step's output of the installer. This information is required to register the Trustee on the PAD server. This is a sample output of the installer:
Trustee ID:
Trustee full name:
Trustee encryption key:
-----END PUBLIC KEY-----
Trustee verification key:
-----END PUBLIC KEY-----

Register as a Trustee

Send the information above (Trustee ID, name, and the public keys) to [email protected] Until then, the PAD server will not process requests from the Trustee.
After registration, an Operator can nominate you to be a Trustee of their instance.

Start the Trustee daemon

Reload the list of user services:
[email protected]:~/pad-trustee-node$ systemctl --user daemon-reload
Then, the Trustee daemon can be started:
[email protected]:~/pad-trustee-node$ systemctl --user start pad-trustee
The daemon should fail to start:
[email protected]:~/pad-trustee-node$ systemctl --user status pad-trustee
● pad-trustee.service - pad-trustee-node - Trustee service for Privacy-preserving Accountable Decryption (PAD)
Loaded: loaded (...; disabled; vendor preset: enabled)
Active: activating (auto-restart) since ...
Process: ...
Main PID: ...[239579]: [Symbol(kCapture)]: false,[239579]: [Symbol(kNeedDrain)]: false,[239579]: [Symbol(corked)]: 0,[239579]: [Symbol(kOutHeaders)]: [Object: null prototype][239579]: },[239579]: data: { ok: false, message: 'Unauthorized' }[239579]: },[239579]: isAxiosError: true,[239579]: toJSON: [Function: toJSON][239579]: }
This is because we are using the template API key. We should obtain at least one working Trustee API key to get the daemon running properly.

Obtain Trustee API keys

Whenever a PAD instance is created with you nominated as a Trustee, we will send you the instance name and a Trustee API key associated with the instance. You can choose to join and serve the instance or not.
To join a PAD instance as a Trustee, update the configuration file at ~/.pad-trustee/config/pad-trustee.yaml. The instances section shows the list of instances the Trustee is serving. It is a dictionary where the key is the instance name and the value contains the API key.
Remove the template instance for the first time. Afterwards, add new entries in the dictionary with the corresponding instance name and API key.
For example, suppose two instances my-pad-1.0 and my-pad-2.0 have been created by Operators, and the Trustees' API key for them are pad.api.key1 and pad.api.key2. This is how instances should look like in the configuration file:
api_key: pad.api.key1
api_key: pad.api.key2
To apply the changes, restart the Trustee daemon:
[email protected]:~/pad-trustee-node$ systemctl --user restart pad-trustee

Query Trustee status

You can query the Trustee daemon's status using systemctl:
[email protected]:~/pad-trustee-node$ systemctl --user status pad-trustee
● pad-trustee.service - pad-trustee-node - Trustee service for Privacy-preserving Accountable Decryption (PAD)
Loaded: loaded (...; disabled; vendor preset: enabled)
Active: active (running)
The status Active: active (running) shows that the daemon is running properly.
For a more detailed log of the daemon, you may use journalctl:
[email protected]:~/pad-trustee-node$ journalctl --user-unit pad-trustee
To see a live update of the log, use the -f flag. Press Ctrl + C to exit monitoring.
[email protected]:~/pad-trustee-node$ journalctl -f --user-unit pad-trustee

Updating the Trustee code

To update the Trustee code, download/clone the repository again. Then run
The script will copy the up-to-date code over to the source directory of the Trustee daemon. It will then restart the daemon.

(Optional) Enable Trustee daemon to start on boot

You may wish the Trustee daemon to start automatically on boot. To do this, simply use the enable command in systemctl:
[email protected]:~$ systemctl --user enable pad-trustee

(Optional) Configure the Trustee daemon

  • A PEM-encoded string may be used as the keys in the config file instead of specifying a path. For example, instead of having the section
decryption_key_file: /path/to/decryption.pem
You may use a key directly like this:
decryption_key: |-
# ...
  • You may change the list of instances the Trustee references in the instances section.
  • You may change the interval in seconds in which the Trustee queries the PAD server.
Do not set interval too small, otherwise some requests may be blocked by the server because of rate-limiting.
  • You may change the path in which the states of the Trustee is stored at storage.path.