Key Management System
Introduction
Tendermint KMS is a key management service that allows separating key management from Tendermint nodes. In addition, it provides other advantages such as:
- Improved security and risk management policies
- Unified API and support for various HSM (hardware security modules)
- Double signing protection (software or hardware based)
Building
Detailed build instructions can be found here.
TIP
When compiling the KMS, ensure you have enabled the yubihsm features:
cargo install tmkms --features=yubihsm --version=0.10.0-beta2
Initialization
Initialize configuration files for IRIShub
tmkms init -n irishub /path/to/kms/home
Configuration
To enable KMS, you first need to edit the priv_validator_laddr setting in your <iris-home>/config/config.toml file, e.g.:
# TCP or UNIX socket address for Tendermint to listen on for
# connections from an external PrivValidator process
priv_validator_laddr = "localhost:26658"
Then, download the priv_validator_state.json example and modify all field values to match those in your <iris-home>/data/priv_validator_state.json.
Next, you just need to edit the configuration file /path/to/kms/home/tmkms.toml as follows:
- Configure state_file as the priv_validator_state.json completed in the previous step.
- Write your YubiHSM password to the file yubihsm-password.txt and configure password_file to point to it.
- Edit addr to point to your iris instance (note: no need to specify the connection id, e.g. tcp://localhost:26658).
- Adjust chain_id to match your <iris-home>/config/genesis.json settings.
- Edit auth to authorize access to your YubiHSM.
- Edit keys to determine which pubkey you will be using.
- Edit protocol_version to v0.34.
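As an added example (not a file from the IRIShub or tmkms projects), this is what a tmkms.toml that applies all of the steps above might look like. The paths, the chain id irishub-1, the YubiHSM object id 1 and the bech32 prefixes are assumptions; compare them against the file generated by tmkms init and against your genesis.json.

```toml
# Added example of a completed tmkms.toml; not the project's own file.
# Paths, chain id, YubiHSM key id (1) and bech32 prefixes are assumed values.

[[chain]]
id = "irishub-1"                                 # must equal chain_id below
key_format = { type = "bech32", account_key_prefix = "iaa", consensus_key_prefix = "icp" }
# state_file records the last signed height/round/step and is what gives you
# double-signing protection: copy the values from
# <iris-home>/data/priv_validator_state.json here before the first start.
state_file = "/path/to/kms/home/state/priv_validator_state.json"

[[validator]]
chain_id = "irishub-1"                           # chain_id from <iris-home>/config/genesis.json
addr = "tcp://localhost:26658"                   # priv_validator_laddr of the iris node; no node id needed
secret_key = "/path/to/kms/home/secrets/kms-identity.key"  # KMS side of the secret connection
protocol_version = "v0.34"
reconnect = true

[[providers.yubihsm]]
adapter = { type = "usb" }
# auth: which YubiHSM authentication key to log in with and the file holding its
# password. Keep that file readable only by the user running tmkms.
auth = { key = 1, password_file = "/path/to/kms/home/yubihsm-password.txt" }
# keys: which YubiHSM signing key (by object id) signs for which chain
keys = [{ chain_ids = ["irishub-1"], key = 1 }]
```

The [[chain]] id, the [[validator]] chain_id and the chain_ids entry under keys must all be identical, otherwise tmkms refuses to sign for the node.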
Then start tmkms:
tmkms start -c /path/to/kms/home/tmkms.toml
Using a YubiHSM
Detailed information on how to set up a KMS with YubiHSM2 can be found here.
If you want to import an existing IRIShub private key:
tmkms yubihsm keys import <iris_home>/config/priv_validator.json -i <id> -t json -c /path/to/kms/home/tmkms.toml