📡 TMKMS for Remote Signing
TMKMS (Tendermint Key Management System) is a key management system used in blockchain-based ecosystems like Cosmos. The primary purpose of TMKMS is to provide secure storage and management of cryptographic keys, which are used by validators to sign blocks in decentralized networks.
Update the system
sudo apt update && sudo apt upgrade -y

Install Rust and the necessary libraries
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
source $HOME/.cargo/env
sudo apt install build-essential pkg-config libssl-dev -y

Install TMKMS
git clone https://github.com/iqlusioninc/tmkms.git $HOME/tmkms
cd $HOME/tmkms
git checkout v0.15.0
cargo build --release --features=softsign
cargo install tmkms --features=softsign

Check the TMKMS version
tmkms version

Initialize TMKMS
mkdir -p $HOME/.tmkms/<chain-id>
tmkms init $HOME/.tmkms/<chain-id>

The command creates the necessary configuration files and keys, and you will see output similar to the following:
Generated KMS configuration: /home/user/.tmkms/<chain-id>/tmkms.toml
Generated Secret Connection key: /home/user/.tmkms/<chain-id>/secrets/kms-identity.key

Import the validator key
If you need to use an existing validator key, copy its file to the TMKMS server. Make sure the file is in the correct location:
cat $HOME/priv_validator_key.json

Import the key into TMKMS
tmkms softsign import $HOME/priv_validator_key.json $HOME/.tmkms/<chain-id>/secrets/<chain-id>-consensus.key

After a successful import, it is recommended to delete the original file for security:
sudo shred -uvz $HOME/priv_validator_key.json

Configuring the validator
On the validator side, open the necessary port for remote connection. For example, if the validator uses port 26658, edit the configuration file config.toml (or the equivalent file for your network):
priv_validator_laddr = "tcp://<IP validator>:26658"

Configuring TMKMS
On the TMKMS server, edit the tmkms.toml configuration file that was created during the initialization step. Open it for editing:
sudo nano ~/.tmkms/<chain-id>/tmkms.toml

Example of a minimal configuration for the network:
## Chain Configuration
[[chain]]
id = "<chain-id>"
key_format = { type = "bech32", account_key_prefix = "<chain-id>pub", consensus_key_prefix = "<chain-id>valconspub" }
state_file = "$HOME/.tmkms/<chain-id>/state/<chain-id>-consensus.json"
## Signing Provider Configuration
[[providers.softsign]]
chain_ids = ["<chain-id>"]
key_type = "consensus"
path = "$HOME/.tmkms/<chain-id>/secrets/<chain-id>-consensus.key"
## Validator Configuration
[[validator]]
chain_id = "<chain-id>"
addr = "tcp://<IP validator>:26658"
secret_key = "$HOME/.tmkms/<chain-id>/secrets/kms-identity.key"
protocol_version = "v0.38"
reconnect = true

Create a service
sudo tee /etc/systemd/system/<chain-id>-tmkmsd.service << EOF
[Unit]
Description=TMKMS-<chain-id>
After=network.target
StartLimitIntervalSec=0
[Service]
Type=simple
Restart=always
RestartSec=10
User=$USER
ExecStart=$(which tmkms) start -c $HOME/.tmkms/<chain-id>/tmkms.toml
LimitNOFILE=1024
[Install]
WantedBy=multi-user.target
EOF

Starting TMKMS
sudo systemctl daemon-reload
sudo systemctl enable <chain-id>-tmkmsd.service
sudo systemctl start <chain-id>-tmkmsd.service

Check the service status
sudo systemctl status <chain-id>-tmkmsd.service

Check the logs
sudo journalctl -u <chain-id>-tmkmsd.service -f -o cat

Configuring the firewall
Configuring the firewall for the validator server:
sudo ufw allow "OpenSSH"
sudo ufw allow 22
sudo ufw enable

Configuring the firewall for the TMKMS server:
sudo ufw allow from <IP TMKMS> proto tcp to any port 26658
sudo ufw deny 26658
sudo ufw enable

Now your TMKMS is configured and ready to work with remote signing in the blockchain network.
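As an added example (not part of the TMKMS project or this guide's own scripts), the following POSIX sh helpers render the minimal tmkms.toml shown above with real values in place of the <chain-id> and <IP validator> placeholders, and then check the result before the service is started: no placeholder may be left unreplaced, and every key file the config references must exist and must not be readable by other users. It assumes GNU stat and key paths without spaces; the function names and the chain id/IP used in the comments are hypothetical.

```sh
#!/bin/sh
# Added example, not from the TMKMS project: render and sanity-check tmkms.toml.
set -eu

# render_tmkms_toml CHAIN_ID VALIDATOR_IP TMKMS_HOME  >  tmkms.toml
# Mirrors the three sections of the minimal configuration in this guide.
render_tmkms_toml() {
  chain="$1"; vip="$2"; home="$3"
  cat <<EOF
## Chain Configuration
[[chain]]
id = "$chain"
key_format = { type = "bech32", account_key_prefix = "${chain}pub", consensus_key_prefix = "${chain}valconspub" }
state_file = "$home/$chain/state/$chain-consensus.json"
## Signing Provider Configuration
[[providers.softsign]]
chain_ids = ["$chain"]
key_type = "consensus"
path = "$home/$chain/secrets/$chain-consensus.key"
## Validator Configuration
[[validator]]
chain_id = "$chain"
addr = "tcp://$vip:26658"
secret_key = "$home/$chain/secrets/kms-identity.key"
protocol_version = "v0.38"
reconnect = true
EOF
}

# check_tmkms_config FILE: returns 1 if a <placeholder> survived, or if a
# referenced key file (softsign path / Secret Connection secret_key) is missing
# or has group/other permission bits set (e.g. mode 644 instead of 600).
check_tmkms_config() {
  cfg="$1"
  if grep -q '<[^>]*>' "$cfg"; then
    echo "unreplaced placeholder in $cfg" >&2; return 1
  fi
  for f in $(grep -E '^(path|secret_key) = ' "$cfg" | sed 's/.*= "\(.*\)"/\1/'); do
    [ -f "$f" ] || { echo "missing key file: $f" >&2; return 1; }
    mode=$(stat -c %a "$f")            # GNU stat, assumed (e.g. "600")
    [ "${mode#?}" = "00" ] || { echo "$f readable by others (mode $mode)" >&2; return 1; }
  done
  return 0
}
```

Run `render_tmkms_toml mychain 10.0.0.5 "$HOME/.tmkms" > ~/.tmkms/mychain/tmkms.toml` and then `check_tmkms_config ~/.tmkms/mychain/tmkms.toml` before enabling the systemd unit.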