# Tendermint KMS
Set up a Key Management System for Haqq
Tendermint KMS is a Key Management Service (KMS) that separates key management from Tendermint nodes: the validator's consensus private key lives only on the KMS host, and the node sends signing requests to it over a dedicated signing connection. In addition it provides other advantages such as:
- Improved security and risk management policies
- Unified API and support for various HSM (hardware security modules)
- Double signing protection (software or hardware based)
It is recommended that the KMS service runs on a separate physical host from the validator.
# Prepare TMKMS Dependencies
Start by logging into the host you intend to run TMKMS on (not the node you validate on) and install the following dependencies:
If on x86_64 architecture:
# Setup TMKMS
In this example we compile TMKMS from the GitHub source using the
--features=softsign flag. You may instead build with
--features=yubihsm if you want to keep the key in a YubiHSM (Ledger support is not working properly at the moment, and this guide does not cover the yubihsm backend).
Now transfer your validator's private key from the validator to the VM running TMKMS. You can do this manually or through scp; this example uses scp and assumes the validator has the IP address 123.456.32.123 (a placeholder, not a routable address):
Then, import the private validator key into tmkms:
Please note that at this point you can delete
priv_validator_key.json from both your validator node and your TMKMS node and store it safely offline in case of an emergency. The newly created
priv_validator_key (the softsign key produced by the import) is what TMKMS will use to sign for your validator, so the original JSON file no longer needs to exist on either host. Removing it from the validator node matters most: as long as a second copy of the consensus key can be loaded somewhere, a misconfiguration or a rushed recovery can end in double signing.
Now, modify the
In this example, my validator has the IP address 123.456.32.123 and we will be using port 688 on the validator for the signing connection. Note the direction: TMKMS dials out to the validator's priv_validator_laddr and returns signatures; the key itself never leaves the TMKMS host. We will also be using chain_id
haqq_11235-1 for Haqq Mainnet, but if you are doing this on the testnet be sure to use
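A complete tmkms.toml for the softsign setup described above, added here as an example (it is not the page's own configuration file). The paths under /root/tmkms are assumptions, as are the bech32 prefixes in key_format (they only affect how TMKMS prints public keys); the IP, port and chain id match the text, and protocol_version must match the Tendermint version your node runs.

```toml
# tmkms.toml (added example; paths and bech32 prefixes are assumptions)

[[chain]]
id = "haqq_11235-1"
# key_format only affects how TMKMS displays public keys; prefixes assumed for Haqq
key_format = { type = "bech32", account_key_prefix = "haqqpub", consensus_key_prefix = "haqqvalconspub" }
# Last signed height/round/step. This file is the double-signing protection:
# never run two TMKMS instances against the same key, and back it up with the key.
state_file = "/root/tmkms/state/haqq_11235-1-consensus.json"

[[validator]]
chain_id = "haqq_11235-1"
# TMKMS dials the validator's priv_validator_laddr (placeholder IP from the text)
addr = "tcp://123.456.32.123:688"
# Ed25519 identity key for the encrypted Secret Connection to the validator.
# Generated once with `tmkms softsign keygen`; it is not the consensus key.
secret_key = "/root/tmkms/secrets/kms-identity.key"
# Must match the node's Tendermint line (v0.34 assumed here)
protocol_version = "v0.34"
# Keep retrying while the validator is stopped or restarting
reconnect = true

[[providers.softsign]]
chain_ids = ["haqq_11235-1"]
key_type = "consensus"
# The key produced by `tmkms softsign import`, not the original priv_validator_key.json
path = "/root/tmkms/secrets/priv_validator_key"
```

The state_file entry is what makes the "double signing protection" from the introduction real: TMKMS refuses to sign anything at or below the last recorded height/round/step, so losing or duplicating that file is as dangerous as duplicating the key itself.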
# Chain Configuration
Now, modify your validator's
config.toml to use the port you selected in the
It is also recommended to comment out the
priv_validator_key_file line and the
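The corresponding lines in the validator's config.toml, added here as an example (not the page's own file). The port matches the text; which other local privval line to comment out, and the default file paths shown in the comments, are my assumptions based on the standard Tendermint config layout.

```toml
# config.toml on the validator (added example; only the remote-signer lines are shown)

# Listen for the remote signer on the port chosen above; TMKMS connects in.
# Binding 0.0.0.0 is the usual choice but exposes the port on every interface, so pair it
# with a firewall rule that allows only the TMKMS host (or bind an interface the KMS can reach).
priv_validator_laddr = "tcp://0.0.0.0:688"

# With a remote signer the node must not be able to fall back to a local key: commenting out
# the local privval file settings removes that path and the double-signing risk that comes with it.
# priv_validator_key_file = "config/priv_validator_key.json"
# priv_validator_state_file = "data/priv_validator_state.json"
```

After editing, confirm that no priv_validator_key.json remains in the node's config directory; with the local lines commented out the node will not read it, but a stray copy is still a key that can be stolen or misused.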
Next, stop the validator. Move back to your VM running TMKMS and start it:
You will see error logs like the following, because TMKMS cannot reach the validator's signing port while the node is stopped (with reconnect enabled it keeps retrying):
Now, start the validator on the validator node:
Your TMKMS node will now show logs like the following:
You should now be signing blocks. If you stop the TMKMS process, your validator will no longer sign and will stop advancing; if you restart the TMKMS process, your validator node continues from where it left off. TMKMS records the last signed height, round and step in its state file across restarts, which is what prevents it from signing the same height twice.
# Final Notes
Please note that this is a bare minimum setup. More robust settings would make your validator more secure, in particular a firewall on the validator that only allows the TMKMS host's address through to the priv_validator_laddr port: the node listens on that port for whichever signer connects, so a stray connection from anywhere else can occupy the listener and keep the real KMS from connecting. Keep the TMKMS secret_key and state file with the same care as the consensus key, and never run a second TMKMS instance (or a node with a local key) against the same validator key.