💡 TMKMS for Remote Signing
TMKMS (Tendermint Key Management System) is the remote signer used in Tendermint/CometBFT-based ecosystems such as Cosmos. It holds a validator's consensus key on a separate, hardened host and signs votes and proposals over an encrypted, mutually authenticated "Secret Connection" to the validator node, so the private key never sits on the internet-facing node. It also keeps a signing-state file that stops it from signing two conflicting votes at the same height, round and step (double-signing), which is a slashable offence on most chains.
Update the system
sudo apt update && sudo apt upgrade -y
Install Rust and the necessary libraries
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
source $HOME/.cargo/env
sudo apt install build-essential pkg-config libssl-dev -y
Install TMKMS
This guide uses the softsign backend, which keeps the consensus key as a file on the KMS host. TMKMS also supports hardware backends (YubiHSM, Ledger) that never expose the key to the host OS; prefer those in production if you have the hardware. Build from the clone, then install that checked-out source into ~/.cargo/bin (`cargo install tmkms --features=softsign` would instead fetch the crate from crates.io, ignoring the clone):
git clone https://github.com/iqlusioninc/tmkms.git
cd tmkms
cargo build --release --features=softsign
cargo install --path . --features=softsign
Check the TMKMS version
tmkms version
Initialize TMKMS
mkdir -p $HOME/tmkms/<chain-id>
tmkms init $HOME/tmkms/<chain-id>
The command will create the necessary configuration files and keys, and you will receive output similar to the following:
Generated KMS configuration: /home/user/tmkms/<chain-id>/tmkms.toml
Generated Secret Connection key: /home/user/tmkms/<chain-id>/secrets/kms-identity.key
Import the validator key
If you need to use an existing validator key, copy priv_validator_key.json from the validator to the TMKMS server over an authenticated channel (scp over SSH, never a pastebin or chat). Confirm it arrived intact; it is a JSON document with "address", "pub_key" and "priv_key" fields:
cat $HOME/priv_validator_key.json
Import the key into TMKMS
tmkms softsign import $HOME/priv_validator_key.json $HOME/tmkms/<chain-id>/secrets/<chain-id>-consensus.key
After a successful import, destroy the plaintext original so the key exists in exactly one live place (an encrypted offline backup is fine; a second signer with the same key is how double-signing happens). Note that shred only reliably overwrites on filesystems that rewrite blocks in place; on SSDs and journaling or copy-on-write filesystems treat it as best-effort and rely on full-disk encryption:
sudo shred -uvz $HOME/priv_validator_key.json
Configuring the validator
On the validator side, tell the node to listen for a remote signer instead of using a local priv_validator_key.json. In config.toml (or the equivalent file for your network) set priv_validator_laddr to the address and port TMKMS will dial, here 26658. Bind it to the interface that faces the TMKMS host (a private or VPN address), not 0.0.0.0, and restrict it with the firewall as described below. Then move the node's own priv_validator_key.json off the host so the key is not left in two places:
priv_validator_laddr = "tcp://<IP validator>:26658"
Configuring TMKMS
On the TMKMS server, edit the tmkms.toml configuration file that was created during the initialization stage. It lives in your own home directory, so no sudo is needed:
nano ~/tmkms/<chain-id>/tmkms.toml
Example of a minimal configuration. Replace `<chain-id>` with the chain ID from the node's genesis, `<bech32-prefix>` with the chain's bech32 human-readable part (for Cosmos Hub the prefixes are `cosmospub` / `cosmosvalconspub`; this is not the same string as the chain ID), `<IP validator>` with the validator's address, and `/home/<user>` with the home directory in which `tmkms init` was run. All paths must be absolute and must match where the keys actually live:
## Chain Configuration
[[chain]]
id = "<chain-id>"
key_format = { type = "bech32", account_key_prefix = "<bech32-prefix>pub", consensus_key_prefix = "<bech32-prefix>valconspub" }
# Double-sign protection: TMKMS records the last signed height/round/step here
# and refuses to sign a conflicting vote at that point or anything earlier.
# Never point two KMS instances at the same consensus key.
state_file = "/home/<user>/tmkms/<chain-id>/state/<chain-id>-consensus.json"
## Signing Provider Configuration
[[providers.softsign]]
chain_ids = ["<chain-id>"]
key_type = "consensus"
path = "/home/<user>/tmkms/<chain-id>/secrets/<chain-id>-consensus.key"
## Validator Configuration
[[validator]]
chain_id = "<chain-id>"
addr = "tcp://<IP validator>:26658"
secret_key = "/home/<user>/tmkms/<chain-id>/secrets/kms-identity.key"
# Must match the Tendermint/CometBFT line the node runs; v0.34 is shown here.
protocol_version = "v0.34"
reconnect = true
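The two configuration steps above (the node's priv_validator_laddr and the KMS's tmkms.toml) are where most remote-signing setups go wrong: inconsistent absolute paths, a bech32 prefix confused with the chain ID, world-readable key files, a plaintext priv_validator_key.json left behind, or a signer port bound to every interface. The script below is an added example, not part of the TMKMS project or of this page's original text. It renders a tmkms.toml with consistent paths from a few parameters, runs pre-flight checks on the KMS host, and checks a node config.toml for a safely bound priv_validator_laddr. It assumes the KMS home directory, the chain's bech32 prefix and the validator IP are passed as arguments, and that the node runs the v0.34 protocol; the demo chain ID `mychain-1` and address `10.0.0.5` are constructed values.

```shell
#!/usr/bin/env bash
# Added example (not part of the tmkms project): render a tmkms.toml with
# consistent absolute paths and run pre-flight checks on both hosts.
# Assumptions: KMS home, chain ID, bech32 prefix (e.g. "cosmos") and the
# validator IP are passed in; the node speaks protocol version v0.34.

# render_tmkms_config HOME CHAIN_ID BECH32_PREFIX VALIDATOR_IP [PORT]
# Writes HOME/CHAIN_ID/tmkms.toml (creating secrets/ and state/) and prints its path.
render_tmkms_config() {
  local home="$1" chain="$2" hrp="$3" vip="$4" port="${5:-26658}"
  local dir="$home/$chain" cfg="$home/$chain/tmkms.toml"
  mkdir -p "$dir/secrets" "$dir/state"
  cat > "$cfg" <<EOF
[[chain]]
id = "$chain"
key_format = { type = "bech32", account_key_prefix = "${hrp}pub", consensus_key_prefix = "${hrp}valconspub" }
state_file = "$dir/state/$chain-consensus.json"

[[providers.softsign]]
chain_ids = ["$chain"]
key_type = "consensus"
path = "$dir/secrets/$chain-consensus.key"

[[validator]]
chain_id = "$chain"
addr = "tcp://$vip:$port"
secret_key = "$dir/secrets/kms-identity.key"
protocol_version = "v0.34"
reconnect = true
EOF
  echo "$cfg"
}

# preflight_kms HOME CHAIN_ID
# Returns 0 only if both secret files referenced by the config exist as regular
# files with mode 0600, the state directory is writable, and no plaintext
# priv_validator_key.json is still lying around in HOME.
preflight_kms() {
  local home="$1" chain="$2" dir="$1/$2" f rc=0
  for f in "$dir/secrets/$chain-consensus.key" "$dir/secrets/kms-identity.key"; do
    if [ ! -f "$f" ]; then echo "missing: $f" >&2; rc=1; continue; fi
    # find prints the path only if the mode is exactly 0600
    if [ -z "$(find "$f" -maxdepth 0 -perm 600)" ]; then
      echo "bad permissions (want 0600): $f" >&2; rc=1
    fi
  done
  if [ ! -d "$dir/state" ] || [ ! -w "$dir/state" ]; then
    echo "state dir missing or not writable: $dir/state" >&2; rc=1
  fi
  if [ -e "$home/priv_validator_key.json" ]; then
    echo "plaintext priv_validator_key.json still present in $home" >&2; rc=1
  fi
  return $rc
}

# check_priv_validator_laddr CONFIG_TOML
# Reads priv_validator_laddr from a node config.toml and returns 0 only when it
# is a tcp:// listener bound to a loopback or RFC 1918 IPv4 address. 0.0.0.0
# and public addresses are rejected: the node does not authenticate which
# remote signer dials in, so the bind address and firewall are the only gate.
check_priv_validator_laddr() {
  local cfg="$1" laddr host
  laddr=$(sed -n 's/^[[:space:]]*priv_validator_laddr[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$cfg" | head -n 1)
  case "$laddr" in
    tcp://*) host=${laddr#tcp://}; host=${host%:*} ;;
    *) echo "priv_validator_laddr is not a tcp:// listener: '$laddr'" >&2; return 1 ;;
  esac
  case "$host" in
    ""|0.0.0.0) echo "refusing to expose the signer port on all interfaces" >&2; return 1 ;;
    127.*|10.*|192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) echo "priv_validator_laddr host $host is not a private address" >&2; return 1 ;;
  esac
}

# Demo against a throwaway directory; run as: ./tmkms-preflight.sh demo
if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp -d)
  cfg=$(render_tmkms_config "$tmp" mychain-1 mychain 10.0.0.5)   # constructed values
  cat "$cfg"
  preflight_kms "$tmp" mychain-1 || echo "pre-flight failed as expected: no secrets imported yet"
  rm -rf "$tmp"
fi
```

Run `preflight_kms` on the KMS host right before enabling the systemd unit, and `check_priv_validator_laddr ~/.<node>/config/config.toml` on the validator after editing config.toml; both exit non-zero with a reason on stderr, so they drop straight into a deployment script.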
Create a service
sudo tee /etc/systemd/system/<chain-id>-tmkmsd.service << EOF
[Unit]
Description=TMKMS-<chain-id>
After=network.target
StartLimitIntervalSec=0
[Service]
Type=simple
Restart=always
RestartSec=10
User=$USER
ExecStart=$(which tmkms) start -c $HOME/tmkms/<chain-id>/tmkms.toml
LimitNOFILE=1024
[Install]
WantedBy=multi-user.target
EOF
Starting TMKMS
sudo systemctl daemon-reload
sudo systemctl enable <chain-id>-tmkmsd.service
sudo systemctl start <chain-id>-tmkmsd.service
Check the service status
sudo systemctl status <chain-id>-tmkmsd.service
Check the logs
sudo journalctl -u <chain-id>-tmkmsd.service -f -o cat
Configuring the firewall
The validator listens on port 26658 and TMKMS dials in, so the inbound rule for the signer port belongs on the validator server, and only the TMKMS host may be allowed to reach it: the node accepts whichever remote signer connects, so this rule is what stops an unrelated host from occupying the signer connection. Allow SSH before enabling ufw, or you will lock yourself out.
Configuring the firewall for the validator server:
sudo ufw allow "OpenSSH"
sudo ufw allow from <IP TMKMS> proto tcp to any port 26658
sudo ufw deny 26658
sudo ufw enable
Configuring the firewall for the TMKMS server (it initiates the connection, so it needs no inbound port besides SSH):
sudo ufw allow "OpenSSH"
sudo ufw enable
Now your TMKMS is configured and ready to work with remote signing in the blockchain network. Confirm it in the TMKMS logs (the connection to the validator should be established and signing requests served) and on the validator, which should keep signing blocks without a local priv_validator_key.json.