The TzEL wallet runs as a self-contained Docker container on your machine. Your keys never leave your device. One command installs, starts, and connects to the Ushuaianet testnet.
Requires Docker — Linux x86_64/arm64, macOS (Docker Desktop), Windows (WSL2)
The install script handles the full lifecycle. After it exits, your wallet is running and ready to pair.
The script checks for Docker, pulls the wallet image from the GitHub Container Registry, and starts the container on 127.0.0.1:8787.
Navigate to http://127.0.0.1:8787 in your browser. The UI and API share the same origin, which is what makes Temple wallet pairing work.
Generate a new TzEL wallet or import an existing one. Your spending key, viewing key, and detection material are stored locally in ~/.tzel-wallet — never sent anywhere.
Connect Temple wallet to fund an initial shield. After shielding, you can send private transactions on Ushuaianet. The wallet delegates proof generation to the Ushuaianet proving service.
The wallet container mounts a single directory from your home folder. Everything that matters — your spending key, incoming and outgoing viewing keys, detection material, and the full wallet state — lives in that directory. The container reads and writes it; nothing else touches it.
Back up ~/.tzel-wallet and you can recover your wallet on any machine. Lose it and there is no recovery path — there is no server that holds your keys.
The daemon serves both the wallet UI and its JSON API on port 8787. This single-origin design is what makes Temple wallet pairing work: the Beacon SDK uses PostMessage between page and extension, and that channel requires both to share an origin. The install script binds 127.0.0.1:8787 on the host, so the wallet is never reachable from other machines by default.
TzEL separates spending authority from proof generation. When you initiate a private send, your wallet signs the transaction locally with a hash-based one-time signature. That signature is then checked inside the STARK proof itself — the prover cannot change what you authorized.
The STARK proof is large, so rather than generating it on your laptop, the wallet delegates to the Ushuaianet proving service. The prover sees the transaction you signed but cannot produce a valid proof for any other transaction. Your spend key never leaves the container.
A shield transaction takes public tez from your Temple wallet and deposits it into the TzEL rollup. Once shielded, the value exists as a private note: an amount committed to the rollup state tree, encrypted to your incoming viewing key, and spendable only with your spending key.
A private send spends one or more of your notes and creates new notes for the recipient, all inside a single STARK proof. Neither amounts, sender addresses, nor receiver addresses appear in the rollup inbox or the Tezos L1 block. The DAL slot carries only the proof and the encrypted note ciphertexts.
The install script supports three modes. The default run creates and starts the container. --force tears down an existing container and starts a fresh one (useful after an image update). --stop removes the container without touching your wallet data.
Because wallet data is in a bind-mounted directory on the host, stopping or recreating the container never affects your keys or transaction history. The container is stateless; your home directory is the state.
One command installs and starts the wallet. Open http://127.0.0.1:8787 when it exits.