Use KMS service

Background

To improve security, consider moving your validator's consensus key, as well as the validator and peggo keys, off your instances.
To that end, Tendermint offers the tmkms service, which supports remote signing.

While our peggo binary currently doesn't support remote signing via tmkms, you can still use tmkms to improve the security and decentralization of your validator nodes.

Configuration

This guide uses the softsign option because it is easy to evaluate; the flow is basically the same for all three options, apart from authentication for the HSM.

  1. Installation
# install libusb (run the line for your OS)
apt install libusb-1.0-0-dev # ubuntu
yum install libusb1-devel # redhat
brew install libusb # macos
sudo yum install libusb # redhat
# install tmkms
git clone https://github.com/iqlusioninc/tmkms && cd tmkms
# build binary with selected HSM or software wallet (pick one)
cargo install tmkms --features=softsign # software wallet
cargo install tmkms --features=yubihsm # yubihsm wallet
cargo install tmkms --features=ledgertm # ledger wallet
  2. Initialize config
tmkms init config
tmkms softsign keygen ./config/secrets/secret_connection_key
tmkms softsign import ~/.injectived/config/priv_validator_key.json config/secrets/priv_validator_key
  3. Configure kms service: vi ~/.tmkms/tmkms.toml
[[chain]]
id = "injective-1"
key_format = { type = "bech32", account_key_prefix = "injpub", consensus_key_prefix = "injvalconspub" }
state_file = "./config/state/injective-1-consensus.json"
[[providers.softsign]]
chain_ids = ["injective-1"]
key_type = "consensus"
# private validator key
path = "./config/secrets/priv_validator_key"
[[validator]]
chain_id = "injective-1"
# optional peer id from injectived;
# this is the injectived secret connection peer id, different from the node peer id
# it changes every time injectived is restarted
# addr = "tcp://439EC5EAD602BE0C15D757F14F59B902626EB218@0.0.0.0:26659"
addr = "tcp://0.0.0.0:26659"
# secret connection key determines KMS node ID
secret_key = "./config/secrets/secret_connection_key"
protocol_version = "v0.34"
reconnect = true
  4. Enable the injectived remote signing feature: vi ~/.injectived/config/config.toml
priv_validator_laddr = "tcp://0.0.0.0:26659"
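
The settings from steps 3 and 4 can be checked with a short script. This is an added example, not part of the original guide or of the tmkms or injectived projects: it flags a priv_validator_laddr that listens on every interface (as the 0.0.0.0 value above does, so the port should be reachable only from the KMS host) and secret files named in tmkms.toml that are missing or accessible by group or others. The function names, the finding strings and the line-based parsing are assumptions of this example.

```python
import os
import re
import tempfile
from urllib.parse import urlparse

# Matches uncommented `key = "value"` lines. Enough for the string settings
# in this guide; it is not a full TOML parser.
KV = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"')

def string_settings(path):
    with open(path) as fh:
        return [m.groups() for m in map(KV.match, fh) if m]

def audit_node(config_toml):
    """Validator host: flag a privval listener bound to every interface."""
    findings = []
    for key, value in string_settings(config_toml):
        if key == "priv_validator_laddr" and urlparse(value).hostname in ("0.0.0.0", "::"):
            findings.append("privval listener on all interfaces: " + value)
    return findings

def audit_kms(tmkms_toml, workdir="."):
    """KMS host: flag secret files that are missing or group/world accessible.
    Relative paths in tmkms.toml are resolved against workdir."""
    findings = []
    for key, value in string_settings(tmkms_toml):
        if key not in ("path", "secret_key"):
            continue
        secret = os.path.join(workdir, value)
        if not os.path.isfile(secret):
            findings.append("missing secret file: " + value)
        elif os.stat(secret).st_mode & 0o077:
            findings.append("secret accessible by group/others: " + value)
    return findings

if __name__ == "__main__":
    # Constructed sample mirroring steps 3 and 4; no real keys involved.
    with tempfile.TemporaryDirectory() as d:
        node_cfg, kms_cfg = os.path.join(d, "config.toml"), os.path.join(d, "tmkms.toml")
        with open(node_cfg, "w") as fh:
            fh.write('priv_validator_laddr = "tcp://0.0.0.0:26659"\n')
        with open(kms_cfg, "w") as fh:
            fh.write('path = "./secrets/priv_validator_key"\n')
        print(audit_node(node_cfg) + audit_kms(kms_cfg, d))
```

Run audit_node on the validator host and audit_kms on the KMS host, passing the directory tmkms is started from as workdir.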

Start and stop services

Start the services in this order so that injectived can pick up tmkms traffic and boot up successfully.

tmkms start -c ./config/tmkms.toml
injectived start

Also make sure to stop the services in reverse order, from tmkms to injectived.
