🔑 Horcrux

Horcrux is a distributed signing tool that splits the validator's private key into multiple parts, ensuring its security. This approach prevents key compromise even if one part is accessed.

Installing Horcrux

Download and install Horcrux:

Go to the official .

Download the latest version for your system:

wget https://github.com/strangelove-ventures/horcrux/releases/download/vX.X.X/horcrux_X.X.X_Linux_x86_64.tar.gz

Extract the archive:

tar -xvf horcrux_X.X.X_Linux_x86_64.tar.gz  
sudo mv horcrux /usr/local/bin/

Verify the installation:

horcrux version

Create a configuration file:

mkdir ~/.horcrux  
horcrux init

This will create a basic configuration file at ~/.horcrux/config.yaml.

Preparing the Infrastructure

Horcrux requires at least two servers (three or more are recommended) to split the key. Setup involves:

Horcrux servers for distributed signing.

Validator node to interact with the blockchain network.

Ensure the following:

1. SSH access and server setup.

2. Install Horcrux on each server.

3. Configure firewalls to allow communication between servers on the Horcrux ports.

4. Time synchronization: Make sure all servers use NTP for synchronized time.

sudo apt install ntp  
sudo systemctl enable ntp  
sudo systemctl start ntp

Key Generation and Distribution

Generate a shared validator key: Copy your validator's private key to one of the Horcrux servers and run:

horcrux create ~/.horcrux/priv_validator_key.json --output-shares 3 --threshold 2

Parameters:

--output-shares 3: Number of parts the key will be split into.

--threshold 2: Minimum number of parts required for signing.

Distribute keys across servers: Copy the generated files to other servers:

scp ~/.horcrux/share-1.json user@server1:/path/to/.horcrux/  
scp ~/.horcrux/share-2.json user@server2:/path/to/.horcrux/

Synchronize configuration: Ensure the config.yaml file is identical on all servers.

Setting Up the Horcrux Service

Create a service file: On each server, create a file at /etc/systemd/system/horcrux.service:

[Unit]  
Description=Horcrux Distributed Validator  
After=network-online.target  

[Service]  
User=<your-user>  
ExecStart=/usr/local/bin/horcrux sign  
Restart=always  
RestartSec=3  
LimitNOFILE=4096  

[Install]  
WantedBy=multi-user.target  

Start and check the service:

sudo systemctl daemon-reload  
sudo systemctl enable horcrux  
sudo systemctl start horcrux  
sudo systemctl status horcrux  

Configuring the Validator Node

• Update the validator's configuration file: In the config.toml file of your validator node, specify the remote Horcrux address for signing:

priv_validator_laddr = "tcp://0.0.0.0:1234"

• Restart the validator:

sudo systemctl restart cosmovisor

Monitoring and Testing

• Check connectivity: Ensure the validator node successfully connects to the Horcrux servers.

• Test signing: Verify transactions are signed correctly by creating a test transaction on the network.

• Setup monitoring: Use tools like Prometheus and Grafana to monitor the validator and Horcrux servers.

Security Recommendations

• Isolate Horcrux servers: Restrict access to only the validator node.

• Keep software updated: Regularly update Horcrux and the operating systems.

• Backup configuration: Store copies of the configuration and key shares in a secure location.