# 📡  TMKMS for Remote Signing

TMKMS (Tendermint Key Management System) is a key management system used in blockchain-based ecosystems like Cosmos. The primary purpose of TMKMS is to provide secure storage and management of cryptographic keys, which are used by validators to sign blocks in decentralized networks.

**Update the system**

```bash
sudo apt update && sudo apt upgrade -y
```

**Install Rust and the necessary libraries**

```bash
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
source $HOME/.cargo/env
sudo apt install build-essential pkg-config libssl-dev -y
```

**Install TMKMS**

```bash
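git clone https://github.com/iqlusioninc/tmkms.git $HOME/tmkms
cd $HOME/tmkms
git checkout v0.15.0

# Build and install the checked-out v0.15.0 source with the software signer.
# (`cargo install tmkms` would fetch the latest release from crates.io instead.)
cargo build --release --features=softsign
cargo install --path . --features=softsign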
```

**Check the TMKMS version**

```bash
tmkms version
```

**Initialize TMKMS**

```bash
mkdir -p $HOME/.tmkms/<chain-id>
tmkms init $HOME/.tmkms/<chain-id>
```

The command will create the necessary configuration files and keys, and you will receive output similar to the following:

```bash
Generated KMS configuration: /home/user/.tmkms/<chain-id>/tmkms.toml
Generated Secret Connection key: /home/user/.tmkms/<chain-id>/secrets/kms-identity.key
```

**Import the validator key**

If you need to use an existing validator key, copy its file to the TMKMS server. Make sure the file is in the correct location:

```bash
# Confirm the file is present without printing the private key to the terminal
ls -l $HOME/priv_validator_key.json
```

**Import the key into TMKMS**

```bash
tmkms softsign import $HOME/priv_validator_key.json $HOME/.tmkms/<chain-id>/secrets/<chain-id>-consensus.key
```

After a successful import, it is recommended to delete the original file for security:

```bash
sudo shred -uvz $HOME/priv_validator_key.json
```

**Configuring the validator**

On the validator side, open the necessary port for remote connection. For example, if the validator uses port 26658, edit the configuration file `config.toml` (or the equivalent file for your network):

```bash
priv_validator_laddr = "tcp://<IP validator>:26658"
```

**Configuring TMKMS**

On the TMKMS server, edit the `tmkms.toml` configuration file that was created during the initialization stage. Open it for editing:

```bash
sudo nano ~/.tmkms/<chain-id>/tmkms.toml
```

Example of a minimal configuration for the network:

```bash
## Chain Configuration
[[chain]]
id = "<chain-id>"
# The key prefixes are built from the network's bech32 prefix (for example "cosmospub" / "cosmosvalconspub"), not from the chain ID.
key_format = { type = "bech32", account_key_prefix = "<bech32-prefix>pub", consensus_key_prefix = "<bech32-prefix>valconspub" }
# TOML values are not shell-expanded, so paths are written out in full; replace /home/user with your home directory.
state_file = "/home/user/.tmkms/<chain-id>/state/<chain-id>-consensus.json"

## Signing Provider Configuration
[[providers.softsign]]
chain_ids = ["<chain-id>"]
key_type = "consensus"
path = "/home/user/.tmkms/<chain-id>/secrets/<chain-id>-consensus.key"

## Validator Configuration
[[validator]]
chain_id = "<chain-id>"
addr = "tcp://<IP validator>:26658"
secret_key = "/home/user/.tmkms/<chain-id>/secrets/kms-identity.key"
protocol_version = "v0.38"
reconnect = true
```

**Create a service**

```bash
sudo tee /etc/systemd/system/<chain-id>-tmkmsd.service << EOF
[Unit]
Description=TMKMS-<chain-id>
After=network.target
StartLimitIntervalSec=0

[Service]
Type=simple
Restart=always
RestartSec=10
User=$USER
ExecStart=$(which tmkms) start -c $HOME/.tmkms/<chain-id>/tmkms.toml
LimitNOFILE=1024

[Install]
WantedBy=multi-user.target
EOF
```

**Starting TMKMS**

```bash
sudo systemctl daemon-reload
sudo systemctl enable <chain-id>-tmkmsd.service
sudo systemctl start <chain-id>-tmkmsd.service
```

Check the service status

```bash
sudo systemctl status <chain-id>-tmkmsd.service
```

Check the logs

```bash
sudo journalctl -u <chain-id>-tmkmsd.service -f -o cat
```

**Configuring the firewall**

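Configuring the firewall for the TMKMS server, which only makes an outbound connection to the validator and needs no inbound port other than SSH:

```bash
sudo ufw allow "OpenSSH"
sudo ufw allow 22
sudo ufw enable
```

Configuring the firewall for the validator server, which listens on port 26658 and should accept that port only from the TMKMS address (keep SSH allowed here as well before enabling the firewall):

```bash
sudo ufw allow "OpenSSH"
sudo ufw allow from <IP TMKMS> proto tcp to any port 26658
sudo ufw deny 26658
sudo ufw enable
```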

Now your TMKMS is configured and ready to work with remote signing in the blockchain network.
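
A post-setup check for the steps above, as an added example that is not part of the original guide or of tmkms: the function name `audit_tmkms` and its messages are hypothetical, and it assumes GNU `find` as found on the apt-based hosts this guide targets. It flags key files under `secrets/` that group or other can access, `$HOME` or `~` left in `tmkms.toml` (TOML values are not shell-expanded), and a `priv_validator_key.json` that survived the import step.

```bash
#!/usr/bin/env bash
# Added example (not part of tmkms): audit a softsign TMKMS directory after setup.
# audit_tmkms and its messages are hypothetical names chosen for this sketch.

# Usage: audit_tmkms <tmkms-dir> [path-of-original-validator-key]
# Prints one line per finding; the return status is the number of findings.
audit_tmkms() {
  local dir="$1"
  local leftover="${2:-$HOME/priv_validator_key.json}"
  local findings=0 loose

  # 1. Key files must carry no group/other permission bits (0600 or tighter).
  loose=$(find "$dir/secrets" -type f -perm /077 -print 2>/dev/null)
  if [ -n "$loose" ]; then
    printf '%s\n' "$loose" | sed 's/^/FINDING: key file open to group or other: /'
    findings=$((findings + $(printf '%s\n' "$loose" | wc -l)))
  fi

  # 2. TOML values are not shell-expanded, so "$HOME/..." or "~/..." in
  #    tmkms.toml is taken as a literal path.
  if grep -qE '"(\$HOME|~)/' "$dir/tmkms.toml" 2>/dev/null; then
    echo "FINDING: $dir/tmkms.toml uses \$HOME or ~ in a path; write absolute paths"
    findings=$((findings + 1))
  fi

  # 3. The plaintext validator key should be gone once it has been imported.
  if [ -e "$leftover" ]; then
    echo "FINDING: $leftover still exists; shred it after the import"
    findings=$((findings + 1))
  fi

  if [ "$findings" -eq 0 ]; then
    echo "OK: no findings in $dir"
  fi
  return "$findings"
}

# Run the audit when the script is called with a directory argument.
if [ "$#" -gt 0 ]; then
  audit_tmkms "$@"
fi
```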

