Advanced TMKMS Integration
Last updated
The default consensus engine available within the SDK is Tendermint Core. See and
Validator block signing should be done via TMKMS.
CAUTION: this setup is not yet ready for production use:
It has not been audited.
The isn't meant to be maintained in the long term
TMKMS (Tendermint KMS), initially targeting Cosmos validators, provides high availability, double-signing prevention and hardware security module (HSM) support.
Currently, TMKMS supports both hardware signing and softsign. However, it is hard or impossible to plug your own HSM into the major cloud providers when you want to run TMKMS in the cloud with hardware signing. On the other hand, softsign is insecure in that setting, because the generated signing key sits in plaintext on the machine.
What we want to achieve is to run TMKMS securely and provision a validator conveniently in the cloud. To that end, we can run TMKMS inside an AWS Nitro Enclave; during initialization TMKMS decrypts the signing key via AWS KMS, whose key policy is bound to the enclave's attestation. Read more details
Note that this is still a work in progress and this document only describes a basic setup, so it is not yet ready for production use. We recommend looking at other materials for additional setups, such as the .
You need a virtualized Nitro-based instance with at least four vCPUs (t3, t3a, t4g, a1, c6g, c6gd, m6g, m6gd, r6g and r6gd instances are not supported).
We recommend m5a.xlarge and the Amazon Linux 2 AMI, which makes installing the AWS Nitro Enclaves CLI easier.
Install Docker and the Nitro Enclaves CLI.
Also compute and take note of PCR4, the measurement derived from the parent instance ID; it is therefore unique to each EC2 instance, and the key policy below pins decryption to it.
Edit the key policy so that only TMKMS running inside the Nitro Enclave can decrypt, rather than the whole EC2 instance, while encryption is still allowed on the EC2 instance. You should see the generated policy in the console.
For the decryption action, add the following snippet to "Statement":
Change EC2_IAM_ROLE, PCR0 and PCR4 to the values created in the previous steps.
If you plan to run the tmkms enclave in debug mode, set the recipient attestation value for PCR0 to 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (96 zeros) instead of the real PCR0 value, because a debug-mode enclave reports all-zero PCRs in its attestation document. Never keep that value in production: it allows any debug-mode enclave running under the same role to decrypt the signing key.
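The statements described above, as an added shell example that is not the page's snippet nor code from the tmkms-nitro-helper project: it prints the "Statement" entries that let the EC2 role encrypt the signing key on the host but decrypt it only from an enclave whose attestation carries the expected PCR0 and PCR4, and it shows the debug-mode variant with the all-zero PCR0. The role ARN and PCR values are placeholders supplied by the caller; the condition keys kms:RecipientAttestation:PCR0 and kms:RecipientAttestation:PCR4 are the real AWS KMS ones.

```shell
#!/bin/sh
# Added example (not from this page nor from tmkms-nitro-helper): emit the
# two key-policy statements this setup needs. The parent EC2 role may
# encrypt the signing key, but may decrypt only when the request carries an
# attestation document whose PCR0 (enclave image) and PCR4 (parent instance)
# match. Role ARN and PCR values are placeholders passed by the caller.
set -eu

# What a --debug-mode enclave reports for PCR0: 96 hex zeros. A policy pinned
# to this value lets ANY debug enclave under the role decrypt; test use only.
DEBUG_PCR0=000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

# PCR values are SHA-384 digests, i.e. exactly 96 hex characters.
is_sha384_hex() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{96}$'
}

# kms_statements ROLE_ARN PCR0 PCR4 [debug]
# Prints the statements to paste into the "Statement" array of the key policy.
kms_statements() {
  role_arn=$1 pcr0=$2 pcr4=$3 mode=${4:-prod}
  if [ "$mode" = debug ]; then
    pcr0=$DEBUG_PCR0
  fi
  is_sha384_hex "$pcr0" || { echo "PCR0 is not a SHA-384 hex digest" >&2; return 1; }
  is_sha384_hex "$pcr4" || { echo "PCR4 is not a SHA-384 hex digest" >&2; return 1; }
  cat <<EOF
{
  "Sid": "EncryptSigningKeyOnParentInstance",
  "Effect": "Allow",
  "Principal": { "AWS": "$role_arn" },
  "Action": "kms:Encrypt",
  "Resource": "*"
},
{
  "Sid": "DecryptSigningKeyOnlyInsideTmkmsEnclave",
  "Effect": "Allow",
  "Principal": { "AWS": "$role_arn" },
  "Action": "kms:Decrypt",
  "Resource": "*",
  "Condition": {
    "StringEqualsIgnoreCase": {
      "kms:RecipientAttestation:PCR0": "$pcr0",
      "kms:RecipientAttestation:PCR4": "$pcr4"
    }
  }
}
EOF
}
```

Usage: `kms_statements arn:aws:iam::123456789012:role/EC2_IAM_ROLE "$PCR0" "$PCR4"` and paste the output into the policy; pass `debug` as the fourth argument only for a throw-away key while testing a `--debug-mode` enclave. Without the PCR conditions, any process on the instance that can assume the role could call kms:Decrypt on the sealed key, which is exactly the softsign weakness this setup is meant to remove.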
Install tmkms-nitro-helper from source.
The bech32-prefix is crocnclconspub for mainnet and tcrocnclconspub for testnet.
It should print a bech32 public key to stdout and write an encrypted private key to the relative path secrets/secret.key. The bech32 public key is needed when the node joins as a validator; secret.key is what gets decrypted inside the enclave.
Move the generated secrets/secret.key to the ~/.tmkms directory.
Create tmkms.toml under the ~/.tmkms directory as:
Launching the TMKMS enclave takes several commands, and a resilient validator should run the TMKMS enclave as a service.
Adjust <KMS_REGION> in the script if the region configured in tmkms.toml differs, e.g. us-east-1.
Create the script run_tmkms_nitro_helper.sh with executable permissions under the ~/.tmkms directory:
Adjust the paths in the systemd unit if the binary and the script live somewhere else.
Create /lib/systemd/system/tmkms.service and start the service:
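A shape for run_tmkms_nitro_helper.sh and its unit file, as an added example that is neither the page's own script nor part of tmkms-nitro-helper: it starts the enclave, opens the vsock proxy that carries the enclave's AWS KMS traffic to kms.<KMS_REGION>.amazonaws.com, and then starts the helper, and it prints a systemd unit that restarts the whole thing on failure. The nitro-cli and vsock-proxy arguments are the real ones; the EIF path, enclave CID, CPU/memory sizes, the proxy port the helper expects and the helper command line are assumptions to be replaced with what your tmkms.toml and build use.

```shell
#!/bin/sh
# Added example (not the page's script nor tmkms-nitro-helper's): start the
# TMKMS enclave, the KMS vsock proxy and the helper, or print a systemd unit.
# Usage: run_tmkms_nitro_helper.sh start | run_tmkms_nitro_helper.sh unit
set -eu

TMKMS_HOME=${TMKMS_HOME:-${HOME:-/home/ec2-user}/.tmkms}
EIF_PATH=${EIF_PATH:-$TMKMS_HOME/tmkms.eif}   # assumed image location
ENCLAVE_CID=${ENCLAVE_CID:-15}                # assumed vsock CID of the enclave
KMS_REGION=${KMS_REGION:-us-east-1}           # must match the region in tmkms.toml
HELPER_CMD=${HELPER_CMD:-tmkms-nitro-helper}  # assumed helper command line

# KMS endpoint the enclave reaches through the parent instance's vsock proxy.
kms_endpoint() {
  printf 'kms.%s.amazonaws.com' "$1"
}

# Reject a malformed region early instead of proxying to a host that does
# not exist; the enclave would otherwise fail at its first Decrypt call.
valid_region() {
  printf '%s' "$1" | grep -Eq '^[a-z]{2}(-[a-z]+)+-[0-9]+$'
}

start_enclave() {
  # Free the CID from any previous run, then boot the image. Add --debug-mode
  # only together with the all-zero PCR0 key policy, never in production.
  nitro-cli terminate-enclave --all >/dev/null 2>&1 || true
  nitro-cli run-enclave --eif-path "$EIF_PATH" --cpu-count 2 --memory 512 \
    --enclave-cid "$ENCLAVE_CID"
}

start_kms_proxy() {
  # vsock-proxy forwards vsock connections on port 8000 (assumed to be the
  # port the helper/enclave uses) to the regional KMS endpoint over TLS.
  vsock-proxy 8000 "$(kms_endpoint "$KMS_REGION")" 443 &
  echo $! > "$TMKMS_HOME/vsock-proxy.pid"
}

# Unit file for /lib/systemd/system/tmkms.service; the allocator service
# that hands hugepages and CPUs to enclaves must be up first.
systemd_unit() {
  cat <<EOF
[Unit]
Description=TMKMS inside an AWS Nitro Enclave
After=network-online.target nitro-enclaves-allocator.service
Requires=nitro-enclaves-allocator.service

[Service]
Type=simple
User=ec2-user
WorkingDirectory=$TMKMS_HOME
Environment=KMS_REGION=$KMS_REGION
ExecStart=$TMKMS_HOME/run_tmkms_nitro_helper.sh start
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF
}

case ${1:-} in
  start)
    valid_region "$KMS_REGION" || { echo "bad KMS_REGION: $KMS_REGION" >&2; exit 1; }
    cd "$TMKMS_HOME"
    start_enclave
    start_kms_proxy
    exec $HELPER_CMD
    ;;
  unit)
    systemd_unit
    ;;
esac
```

Install the unit with `./run_tmkms_nitro_helper.sh unit | sudo tee /lib/systemd/system/tmkms.service` followed by `sudo systemctl enable --now tmkms`. Because the enclave is terminated and re-run on every restart, the double-signing protection depends on the signing state the helper keeps outside the enclave, so do not run two copies of this service against the same validator key.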
One last thing: ~/.chain-maind/config/config.toml must be changed so that the enclave TMKMS does the signing.
In ~/.chain-maind/config/config.toml, comment out priv_validator_key_file and priv_validator_state_file, and uncomment priv_validator_laddr, setting it to a unix://... value that matches the address in tmkms.toml, e.g. unix:///home/ec2-user/sockets/validator.socket.
Remember to tick Enable for Enclave under Advanced Details when configuring the instance details.
Follow this to proceed.
You can either follow this to build TMKMS Enclave images from scratch or simply use our published .
After building the enclave image, you should obtain three PCR values: PCR0 (SHA384 hash of the enclave image), PCR1 (SHA384 hash of the Linux kernel and the bootstrap process) and PCR2 (SHA384 hash of the application). Take note of the PCR0 value. PCR3 (hash of the IAM role of the parent instance) and PCR8 (hash of the certificate the enclave image was signed with) can also be used in the key policy; for more details, please find this
Create an IAM role for the EC2 instance created previously, without any permissions policies attached; the key policy will instead allow this role to decrypt with the CMK only from inside the Nitro Enclave.
Attach this role to the previously created EC2 instance. Check this .
Create your CMK (KMS customer master key).
Define the key administrative permissions and key usage permissions so that the chosen user can administer the key and encrypt and decrypt the signing key from your local or another trusted machine via .
One should follow the same steps in