๐Ÿ”ƒNotes on Production Deployment

Setting up Tendermint KMS for signing blocks (only for validators)

Currently (tmkms v0.7), the system is still a bit Cosmos-centric, so the setup is slightly quirky.


As per the example, create ~/.tmkms/tmkms.toml (or any path) with something like:

id = "<CHAIN_ID>"
key_format = { type = "hex" }

addr = "unix:///<TMKMS_SOCKET_PATH>"
chain_id = "<CHAIN_ID>"

chain_ids = ["<CHAIN_ID>"]

In ~/.tendermint/config/config.toml (or wherever located), set the socket address to the same one as in tmkms.toml:

priv_validator_laddr = "unix:///<TMKMS_SOCKET_PATH>"

Obtaining the consensus/validator public key

Step 0. Generate/Initialize the key pair or seed

Step 0 depends on the signing provider -- e.g. for Ledger devices, one may need to enable developer mode in Ledger Live settings and install the Tendermint validator app.

Step 1. Obtain the public key in the correct encoding

Depending on the signing provider, there may be a command to print out the public key. One other option is to run tmkms start -c .tmkms/tmkms.toml -v where -v is for verbose logging; the log may then include a message ... added consensus key <KEY_HEX_PAYLOAD>.

The public key hex payload is Amino-encoded -- for the use in Tendermint configurations, there are two steps that need to be done:

  1. strip off the Amino prefix; in the case of Ed25519 public keys, it's 5 bytes: 0x16, 0x24, 0xDE, 0x64, 0x20.

  2. convert the stripped-off KEY_HEX_PAYLOAD to base64.

Step 2. Place/Use the public key where needed

For example, generate the genesis.json with it if the corresponding node is one of the initial validators.

Step 3. Start up everything

As before, but along with tendermint node, tmkms start -c .tmkms/tmkms.toml should also be launched.

Last updated