1.0 Introduction
This document describes how Fortanix Data Security Manager (DSM) integrates with Tendermint Key Management System (TMKMS) to provide remote signing capabilities that enable the signing of Ignite (previously, Tendermint) blockchain proposals and votes. With this integration, you can now create, manage, and use validator keys with Fortanix DSM SaaS. For any proposal or vote, TMKMS validates that double-signing is not being attempted and then signs the proposal or vote by invoking the sign operation offered by DSM SaaS which manages the validator keys.
2.0 Compiling TMKMS with Fortanix DSM
Refer to the main README.md for compiling tmkms from the source code. You will need the prerequisites mentioned under the Section: Supported Platforms in the readme.
The following are the two ways to install tmkms with Fortanix DSM. In these methods, you must pass the --features=fortanixdsm parameter to cargo:
2.1 Compiling from the Source Code (Using the git Command)
tmkms can be compiled directly from the Git repository source code using the following command:
$ git clone https://github.com/iqlusioninc/tmkms.git && cd tmkms
[...]
$ cargo build --release --features=fortanixdsm
If successful, this will produce a tmkms executable located at ./target/release/tmkms.
2.2 Installing with cargo install Command
With Rust (1.40+) installed, you can install tmkms using the following command:
cargo install tmkms --features=fortanixdsm
Or you can install a specific version (recommended), using the following command:
cargo install tmkms --features=fortanixdsm --version=0.4.0
This command installs tmkms directly from packages hosted on Rust's [crates.io] service. The package authenticity is verified using the [crates.io index], which is a Git repository, and by SHA-256 digests of released artifacts.
However, if newer dependencies are available, it may use newer versions instead of the ones which are "locked" in the source code repository. We cannot verify that those dependencies do not contain malicious code. If you would like to ensure the dependencies in use are identical to the main repository, please build from the source code instead.
3.0 Set Up Fortanix DSM
This section explains how to create secure keys in Fortanix DSM.
3.1 Create a Fortanix DSM Group
- To generate/import a Consensus key, first, create a Fortanix DSM group.
Figure 1: Create group
3.2 Create an App in Fortanix DSM
Create an app in Fortanix DSM of type REST API and copy the app’s API KEY. This API Key is added to the tmkms.toml configuration file later. Refer to Section 3.4.
Figure 2: Create an app and copy the API key
3.3 Generate a Key
tmkms supports keys for accounts and consensus signing. The type of key must be EC Curve Ed25519 for the Consensus key and Secp256k1 for the Account key. This guide explains the signing procedure using the Consensus key.
- Generate a key called consensus-key in the same group created in Section 3.1 so that the API key of the app created in Section 3.2 can be used to access this key. The key type must be EC of Curve Ed25519. This key is used by the validator for consensus signing.
Figure 3: Consensus key
- Copy the Key ID or the key name of this key to add it to the tmkms.toml configuration file later. Refer to Section 3.4.
Figure 4: Copy key ID
Alternatively, you can also import an existing Tendermint key. To import an existing Tendermint key, use the following script to convert a Tendermint key to Fortanix DSM accepted key format.
#!/bin/bash
# Usage: tendermint-ed25519.sh <input-tendermint> <output-private-p8der> <output-public-p8der>
# priv_key.value is base64 of 64 bytes: the 32-byte private seed followed by the 32-byte public key.
gokey=$(jq -r .priv_key.value "$1" | base64 -d | xxd -p -c 64)
# Private key: PKCS#8 DER header for Ed25519 followed by the seed (first 64 hex characters).
echo 302e 0201 0030 0506 032b 6570 0422 0420 "${gokey:0:64}" | xxd -p -r > "$2"
# Public key: SubjectPublicKeyInfo DER header for Ed25519 followed by the public key (remaining hex characters).
echo 302a 3005 0603 2b65 7003 2100 "${gokey:64}" | xxd -p -r > "$3"
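A validating version of the conversion above, as an added Python example (not Fortanix's or the tmkms project's code): it rejects a key of the wrong type or length, which the shell script would silently turn into a malformed DER file, and cross-checks the public half before anything is imported into DSM. It assumes the key file also carries the usual pub_key and address fields; the sample document is constructed and is not a real key pair.

```python
import base64
import hashlib

# DER headers used by the page's script (PKCS#8 private key, SPKI public key, Ed25519 OID).
PKCS8_PREFIX = bytes.fromhex("302e020100300506032b657004220420")
SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")


def convert_validator_key(doc):
    """Return (private_p8der, public_p8der) bytes for a parsed Tendermint key file."""
    priv = doc["priv_key"]
    if priv.get("type") != "tendermint/PrivKeyEd25519":
        raise ValueError("not an Ed25519 key: %r" % priv.get("type"))
    raw = base64.b64decode(priv["value"], validate=True)
    if len(raw) != 64:
        raise ValueError("expected 64 bytes (seed + public key), got %d" % len(raw))
    seed, pub = raw[:32], raw[32:]
    # Assumed optional fields: pub_key.value (base64) and address (hex of SHA-256(pub)[:20]).
    if "pub_key" in doc:
        if base64.b64decode(doc["pub_key"]["value"], validate=True) != pub:
            raise ValueError("pub_key does not match the public half of priv_key")
    if "address" in doc:
        if hashlib.sha256(pub).digest()[:20].hex() != doc["address"].lower():
            raise ValueError("address does not match the public key")
    return PKCS8_PREFIX + seed, SPKI_PREFIX + pub


def constructed_sample():
    """Constructed input for the demo; these bytes are NOT a real Ed25519 key pair."""
    seed, pub = bytes(range(32)), bytes(range(32, 64))
    return {
        "address": hashlib.sha256(pub).digest()[:20].hex().upper(),
        "pub_key": {"type": "tendermint/PubKeyEd25519",
                    "value": base64.b64encode(pub).decode()},
        "priv_key": {"type": "tendermint/PrivKeyEd25519",
                     "value": base64.b64encode(seed + pub).decode()},
    }


if __name__ == "__main__":
    private_der, public_der = convert_validator_key(constructed_sample())
    print(len(private_der), len(public_der))  # 48 and 44 bytes
```

For a real key file, pass the parsed JSON document and write the two returned byte strings to the private and public output files.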
3.4 Configure tmkms
To perform the setup, tmkms needs a configuration file that contains the authentication details needed to authenticate to Fortanix DSM with an API key.
The file tmkms.toml contains this configuration. You can specify the path to the config with -c /path/to/tmkms.toml; otherwise, tmkms will look in the current working directory for the same file.
For example:
[[providers.fortanixdsm]]
api_endpoint = "https://<fortanix_dsm_url>"
api_key = "Nzk5MDQ3ZGUtN2Q2NS00OTRjLTgzMDMtNjQwMTlhYzdmOGUzOlF1SU93ZXJsOFU4VUdEWEdQMmx1dFJOVjlvMTRSd3lhNnVDNVNhVkpZOVhzYVgyc0pOVGRQVGJ0RjZJdmVLMy00X05iTEhxMkowamF3UGVPaXJEWEd3"
signing_keys = [
{ chain_ids = ["$CHAIN_ID"], type = "account", key_id = "72e9ed9e-9eb4-46bd-a135-e78ed9bfd611" },
{ chain_ids = ["$CHAIN_ID"], type = "consensus", key_name = "My Key" },
]
Where,
- api_key is the Fortanix DSM app API Key. Refer to Section 3.2 for steps to get the app API Key.
- key_id and key_name are the Fortanix DSM key UUID and key name respectively. You can either pass the key UUID or key name for signing. Refer to Section 3.3 for steps to create a Consensus key or import an existing key.
3.5 Running the TMKMS Application
The tmkms.toml configuration file now has the required details:
- The Fortanix DSM App API Key to authenticate to Fortanix DSM.
- The Fortanix DSM Key ID/Key name used by the Validator for consensus signing.
- Start tmkms using the following command:
$ tmkms start
This reads the tmkms.toml file in the current working directory.
or
To explicitly specify the path to the configuration, use the -c flag:
$ tmkms start -c /path/to/tmkms.toml
- Run the tmkms application. Go to the detailed view of the consensus-key and in the Activity Logs section notice that this key is used by the Validator for consensus signing.
Figure 5: Execution log for key