Set up a Key Management System for okp4
Tendermint KMS is a Key Management Service (KMS) that allows separating key management from Tendermint nodes. In addition it provides other advantages such as:
- Improved security and risk management policies
- Unified API and support for various HSM (hardware security modules)
- Double signing protection (software or hardware based)
It is recommended that the KMS service runs in a separate physical hosts.
Install Tendermint KMS onto the node
You will need the following prerequisites:
✅ Rust (stable; 1.56+): rustup
✅ C compiler: e.g. gcc, clang
✅ libusb (1.0+). Install instructions for common platforms
apt install libusb-1.0-0-dev
yum install libusb1-devel
✅ macOS (Homebrew)
brew install libusb
x86_64 architecture only:
RUSTFLAGS environment variable:
We are ready to install KMS. There are 2 ways to do this: compile from source or install with Rusts cargo-install. We’ll use the first option.
Compile from source code
The following example adds
--features=ledger to enable Ledger support.
tmkms can be compiled directly from the git repository source code, using the following commands:
gh repo clone iqlusioninc/tmkms && cd tmkms
cargo build --release --features=ledger
--features=yubihsm to enable YubiHSM support.
If successful, it will produce the
tmkms executable located at:
A KMS can be configured using the following HSMs
Detailed information on how to setup a KMS with YubiHSM 2 can be found here.
Ledger Tendermint app
Detailed information on how to setup a KMS with Ledger Tendermint App can be found here.