---
title: "Using Fortanix Signing Provider for Tendermint KMS"
slug: "using-fortanix-signing-provider-for-tendermint-kms"
updated: 2024-07-17T13:30:27Z
published: 2024-07-17T13:30:27Z
canonical: "support.fortanix.com/using-fortanix-signing-provider-for-tendermint-kms"
---

# Using Fortanix Signing Provider for Tendermint KMS

## 1.0 Introduction

This document describes how **Fortanix Data Security Manager (DSM)** integrates with **Tendermint Key Management System (TMKMS)** to provide remote signing capabilities that enable the signing of Ignite (previously, Tendermint) blockchain proposals and votes. With this integration, you can create, manage, and use validator keys with Fortanix DSM SaaS. For any proposal or vote, TMKMS validates that double-signing is not being attempted and then signs the proposal or vote by invoking the sign operation offered by DSM SaaS, which manages the validator keys.

## 2.0 Compiling TMKMS with Fortanix DSM

Refer to the main [README.md](https://github.com/iqlusioninc/tmkms/blob/main/README.md) for compiling `tmkms` from the source code. You will need the prerequisites mentioned under the *Section: Supported Platforms* in the readme.

There are two ways to install `tmkms` with Fortanix DSM. In both methods, you must pass the `--features=fortanixdsm` parameter to cargo:

### 2.1 Compiling from the Source Code (Using the `git` Command)

`tmkms` can be compiled directly from the Git repository source code using the following command:

```bash
$ git clone https://github.com/iqlusioninc/tmkms.git && cd tmkms
[...]
$ cargo build --release --features=fortanixdsm
```

If successful, this will produce a `tmkms` executable located at `./target/release/tmkms`.

### 2.2 Installing with `cargo install` Command

With Rust (1.40+) installed, you can install `tmkms` using the following command:

```bash
cargo install tmkms --features=fortanixdsm
```

Or you can install a specific version (recommended), using the following command:

```bash
cargo install tmkms --features=fortanixdsm --version=0.4.0
```

This command installs `tmkms` directly from packages hosted on Rust's crates.io service. Package authenticity is verified using the crates.io index, which is a Git repository, and by SHA-256 digests of released artifacts.

However, if newer dependencies are available, it may use newer versions than the ones which are "locked" in the source code repository. We cannot verify that those dependencies are free of malicious code. If you would like to ensure the dependencies in use are identical to the main repository, please build from the source code instead.

## 3.0 Set Up Fortanix DSM

This section explains how to create secure keys in Fortanix DSM.

### 3.1 Create a Fortanix DSM Group

1. To generate/import a Consensus key, first, create a Fortanix DSM group.

![TMKMS-CreateGroup.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/6999203357588.png)

**Figure 1: Create group**

### 3.2 Create an App in Fortanix DSM

Create an app in Fortanix DSM of type **REST API** and copy the app’s **API KEY**. This API Key is added to the `tmkms.toml` configuration file later. *Refer to* [*Section 3.4*](/v1/docs/using-fortanix-signing-provider-for-tendermint-kms#34-configure-tmkms).

![TMKMS-AppAPIKey.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/6999733630100.png)

**Figure 2: Create an app and copy the API key**

### 3.3 Generate a Key

`tmkms` supports keys for accounts and consensus signing. The type of key must be **EC CurveEd25519** for the Consensus key and **Secp256k1** for the Account key. This guide explains the signing procedure using the Consensus key.

1. Generate a key called **consensus-key** in the same group created in [*Section 3.1*](/v1/docs/using-fortanix-signing-provider-for-tendermint-kms#31-create-a-fortanix-dsm-group) so that the API key of the app created in [*Section 3.2*](/v1/docs/using-fortanix-signing-provider-for-tendermint-kms#32-create-an-app-in-fortanix-dsm) can be used to access this key. The key type must be **EC** of Curve **Ed25519**. This key is used by the validator for consensus signing.

![Signer-Consensus-Key.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/6999398916756.png)

**Figure 3: Consensus key**

2. Copy the Key ID or the key name of this key to add it to the `tmkms.toml` configuration file later. *Refer to* [*Section 3.4*](/v1/docs/using-fortanix-signing-provider-for-tendermint-kms#34-configure-tmkms).

![Copy_Key_ID.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/6999438572820.png)

**Figure 4: Copy key ID**

Alternatively, you can import an existing Tendermint key. To do so, use the following script to convert the Tendermint key to a key format that Fortanix DSM accepts.

```bash
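#!/bin/bash
# Usage: tendermint-ed25519.sh <input-tendermint> <output-private-p8der> <output-public-p8der>
set -euo pipefail
umask 077  # new key files are readable by the current user only

# priv_key.value is base64 of 64 bytes: the 32-byte seed followed by the 32-byte public key.
gokey=$(jq -r .priv_key.value "$1" | base64 -d | xxd -p -c 64)
# PKCS#8 PrivateKeyInfo header for Ed25519, then the seed (first 64 hex characters).
echo 302e 0201 0030 0506 032b 6570 0422 0420 "${gokey:0:64}" | xxd -p -r > "$2"
# SubjectPublicKeyInfo header for Ed25519, then the public key (remaining hex characters).
echo 302a 3005 0603 2b65 7003 2100 "${gokey:64}" | xxd -p -r > "$3"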
```
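The same conversion with input validation, as an added example that is not part of the original Fortanix or tmkms code: it rejects a key file that would make the shell script silently emit a malformed DER file. The `priv_key.type` and `pub_key.value` fields are assumed from the usual Tendermint validator key file layout, and the sample input is constructed bytes, not a real key pair.

```python
import base64
import json

# DER headers for Ed25519 (OID 1.3.101.112), the same bytes the shell script echoes.
PKCS8_PREFIX = bytes.fromhex("302e020100300506032b657004220420")  # PrivateKeyInfo, then 32-byte seed
SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")           # SubjectPublicKeyInfo, then 32-byte key


def convert(key_json):
    """Return (pkcs8_der, spki_der) for a Tendermint Ed25519 validator key file."""
    doc = json.loads(key_json)
    priv, pub = doc["priv_key"], doc["pub_key"]
    # Assumed field: the key file names its algorithm in priv_key.type.
    if priv.get("type") != "tendermint/PrivKeyEd25519":
        raise ValueError(f"not an Ed25519 key: {priv.get('type')!r}")
    raw = base64.b64decode(priv["value"], validate=True)
    if len(raw) != 64:
        raise ValueError(f"expected 64 bytes (seed || public key), got {len(raw)}")
    seed, public = raw[:32], raw[32:]
    # The file carries the public key twice; a mismatch means a corrupt or edited file.
    if base64.b64decode(pub["value"], validate=True) != public:
        raise ValueError("pub_key.value does not match the public half of priv_key.value")
    return PKCS8_PREFIX + seed, SPKI_PREFIX + public


def sample_key_file(raw):
    """Constructed input: arbitrary bytes laid out like a key file, not a real key pair."""
    return json.dumps({
        "pub_key": {"type": "tendermint/PubKeyEd25519",
                    "value": base64.b64encode(raw[32:]).decode()},
        "priv_key": {"type": "tendermint/PrivKeyEd25519",
                     "value": base64.b64encode(raw).decode()},
    })


if __name__ == "__main__":
    pkcs8, spki = convert(sample_key_file(bytes(range(64))))
    print(len(pkcs8), pkcs8.hex())
    print(len(spki), spki.hex())
```
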

### 3.4 Configure `tmkms`

To perform the setup, `tmkms` needs a configuration file that contains the authentication details needed to authenticate to Fortanix DSM with an API key.

The file `tmkms.toml` contains this configuration. You can specify the path to the configuration file with `-c /path/to/tmkms.toml`; otherwise, `tmkms` looks for `tmkms.toml` in the current working directory.

For example:

```toml
[[providers.fortanixdsm]]
api_endpoint = "https://<fortanix_dsm_url>"
api_key = "Nzk5MDQ3ZGUtN2Q2NS00OTRjLTgzMDMtNjQwMTlhYzdmOGUzOlF1SU93ZXJsOFU4VUdEWEdQMmx1dFJOVjlvMTRSd3lhNnVDNVNhVkpZOVhzYVgyc0pOVGRQVGJ0RjZJdmVLMy00X05iTEhxMkowamF3UGVPaXJEWEd3"
signing_keys = [
{ chain_ids = ["$CHAIN_ID"], type = "account", key_id = "72e9ed9e-9eb4-46bd-a135-e78ed9bfd611" },
{ chain_ids = ["$CHAIN_ID"], type = "consensus", key_name = "My Key" },
]
```

Where,

- `api_key` is the Fortanix DSM app API Key. Refer to [*Section 3.2*](/v1/docs/using-fortanix-signing-provider-for-tendermint-kms#32-create-an-app-in-fortanix-dsm) for steps to get the app API Key.
- `key_id` and `key_name` are the Fortanix DSM key UUID and key name respectively. You can pass either the key UUID or the key name for signing. Refer to [*Section 3.3*](/v1/docs/using-fortanix-signing-provider-for-tendermint-kms#33-generate-a-key) for steps to create a Consensus key or import an existing key.

### 3.5 Running the TMKMS Application

The `tmkms.toml` configuration file now has the required details:

- The Fortanix DSM App API Key to authenticate to Fortanix DSM.
- The Fortanix DSM Key ID/Key name used by the Validator for consensus signing.

1. Start `tmkms` using the following command:

```bash
$ tmkms start
```

This reads the configuration from the `tmkms.toml` file in the current working directory. To explicitly specify the path to the configuration, use the `-c` flag:

```bash
$ tmkms start -c /path/to/tmkms.toml
```

2. Run the `tmkms` application. Go to the detailed view of the **consensus-key** and, in the **Activity Logs** section, notice that this key is used by the Validator for consensus signing.

![TMKMS-ActivityLog.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/6999731791508.png)

**Figure 5: Execution log for key**

Fortanix Data Security Manager (DSM) is the world’s first cloud service secured with Intel® SGX. With Fortanix DSM, you can securely generate, store, and use cryptographic keys and certificates, as well as other secrets such as passwords, API keys, tokens, or any blob of data. Your business-critical applications and containers can integrate with Fortanix DSM using legacy cryptographic interfaces (PKCS#11, CNG, and JCE) or using the native Fortanix DSM RESTful interface.

## Related

- [Fortanix DSM - Quickstart](/fortanix-data-security-manager-quickstart.md)
- [Using Fortanix Data Security Manager with Hyperledger Fabric](/using-fortanix-data-security-manager-with-hyperledger-fabric.md)
- [Bringing EDP Rust Apps to Confidential Computing Manager](/bringing-edp-rust-apps-to-fortanix-ccm.md)
