@dylanschultzie
Last active July 7, 2022 01:48
https://github.com/iqlusioninc/tmkms

1. Install Dependencies


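# Rust toolchain. The rustup installer is piped straight into sh here; if you
# want to read it first, save the same URL to a local file, inspect it, then run
# that file with sh.
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
# Put cargo on PATH for the rest of this shell session (quoted: HOME may contain spaces).
source "$HOME/.cargo/env"
sudo apt update
sudo apt-get update -y && sudo apt upgrade -y && sudo apt-get install make build-essential gcc git jq chrony -y
# -y keeps this install non-interactive like the ones above.
sudo apt install -y libusb-1.0-0-dev
# Enables the aes and ssse3 target features for the cargo build in step 2.
# An export only lives in this shell; re-run it if you build from a new session.
export RUSTFLAGS=-Ctarget-feature=+aes,+ssse3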

2. Install TMKMS

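cd "$HOME" || exit 1
git clone https://github.com/iqlusioninc/tmkms.git
cd "$HOME/tmkms" || exit 1
# NOTE: `cargo install tmkms` builds the published crates.io release, not the
# checkout in the current directory. To build the clone you just made instead,
# use `cargo install --path . --features=softsign`.
cargo install tmkms --features=softsign
# Scaffold ./config, then generate a key at ./config/secrets/secret_connection_key
# (presumably the KMS-side connection identity; compare `secret_key` in tmkms.toml).
tmkms init config
tmkms softsign keygen ./config/secrets/secret_connection_key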

3a. Manual tmkms setup

On the remote signer server:

Setup tmkms

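# -p makes these steps safe to re-run; `|| exit 1` stops us writing into the
# wrong directory if a cd fails.
mkdir -p kms
cd kms || exit 1
mkdir -p secret
cd secret || exit 1
tmkms init .
# creates the various files
# Copy the validator's priv_validator_key.json here as secrets/key.json — the
# import below reads that path relative to this directory (an earlier version of
# this note said /secrets/key.json, which is a different, absolute location).
tmkms softsign import secrets/key.json secrets/validator_key.key || exit 1
# Once the import has succeeded the plaintext secrets/key.json is no longer needed
# here; the 3b script removes it at this point — do the same, and remove the copy
# on the validator in step 4.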

Modify tmkms.toml

# Tendermint KMS configuration file
## Chain Configuration
[[chain]]
id = "secret-4"
key_format = { type = "bech32", account_key_prefix = "secretpub", consensus_key_prefix = "secretvalconspub" }
# Per-chain signing state file (presumably the last signed height/round — confirm
# against the tmkms docs). Keep it on persistent storage and never point two
# running signers at one copy of it.
state_file = "/root/kms/secret/state/secret-4-consensus.json"

## Signing Provider Configuration
### Software-based Signer Configuration
[[providers.softsign]]
chain_ids = ["secret-4"]
key_type = "consensus"
# Written by `tmkms softsign import` above: the validator's consensus signing key
# in tmkms format. Protect it exactly like priv_validator_key.json.
path = "/root/kms/secret/secrets/validator_key.key"

## Validator Configuration
[[validator]]
chain_id = "secret-4"
# Address the validator node listens on (its priv_validator_laddr). This example is
# the author's own host and uses port 10659, while step 4 below listens on and
# opens 26659 — the port here must match whatever the validator is configured with.
addr = "tcp://135.148.169.198:10659"
# KMS-side identity key for the connection to the validator (presumably created by
# `tmkms init .`; confirm the file exists after init).
secret_key = "/root/kms/secret/secrets/kms-identity.key"
# Must match the Tendermint version the node runs; check it with `{daemon} tendermint version`.
protocol_version = "v0.34"
reconnect = true

Create service file

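# The shell performs the redirection before sudo runs, so the original
# `sudo cat <<EOF >> /etc/systemd/...` is denied for a non-root user and, when it
# does work, appends a second copy of the unit on every re-run. Let sudo do the
# write (tee) and overwrite rather than append, as the 3b script does.
sudo tee /etc/systemd/system/tmkms_secret.service > /dev/null <<EOF
[Unit]
Description=secret TMKMS
After=network.target

[Service]
Type=simple
# Runs as root here; the 3b script below runs tmkms as the invoking user instead.
User=root
WorkingDirectory=/root/
ExecStart=/root/.cargo/bin/tmkms start -c /root/kms/secret/tmkms.toml
Restart=on-failure
RestartSec=3
LimitNOFILE=65535

[Install]
WantedBy=multi-user.target
EOF
# enable needs sudo as well (the original omitted it).
sudo systemctl daemon-reload && sudo systemctl enable tmkms_secret
sudo systemctl restart tmkms_secret && journalctl -fu tmkms_secret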

Note: you may need to restart tmkms_secret after opening the ufw ports: sudo systemctl restart tmkms_secret && journalctl -fu tmkms_secret

Alternatively, here's a script that sets up the tmkms side for you:

3b. Automatic tmkms setup script

On the remote signing server:

  1. Copy the script below to ~/install_tmkms.sh
  2. Run chmod +x ~/install_tmkms.sh to make it executable
  3. Copy validator's priv_validator_key.json to ~/key.json
  4. Run install_tmkms.sh using the example below

Example usage:

./install_tmkms.sh <validator_ip> <validator_port> <chain_id> <prefix> <path/to/priv_validator_key.json> <network_identifier>
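# ex: ./install_tmkms.sh 65.108.103.236 15659 deweb-testnet-1 deweb $HOME/key.json testnet_deweb
#
# Sets up a softsign tmkms instance for one chain: imports the validator's
# priv_validator_key.json, writes ~/kms/<network>/tmkms.toml and a systemd unit
# tmkms_<network>.service, then enables and starts it.
#
# Arguments:
#   $1 validator_ip    address the validator node listens on (its priv_validator_laddr)
#   $2 validator_port  port of that listener
#   $3 chain_id        chain id written to tmkms.toml and used in the state file name
#   $4 prefix          bech32 prefix; "<prefix>pub" and "<prefix>valconspub" are derived from it
#   $5 key_path        path to priv_validator_key.json (deleted after a successful import)
#   $6 network         local name used for ~/kms/<network> and the systemd unit name
set -euo pipefail

if [[ $# -ne 6 ]]; then
  echo "Usage: $0 <validator_ip> <validator_port> <chain_id> <prefix> <path/to/priv_validator_key.json> <network_identifier>" >&2
  exit 2
fi

# Read inputs
VALIDATOR_IP=$1
VALIDATOR_PORT=$2
CHAIN_ID=$3
UNIT=$4
PATH_PRIV_VALIDATOR_KEY=$5
NETWORK=$6

# CHAIN_ID, UNIT and NETWORK end up in file paths, a systemd unit name and the
# TOML below; restrict them to a conservative character set so a stray "/" or
# quote cannot escape the path or the config.
for v in "$CHAIN_ID" "$UNIT" "$NETWORK"; do
  if [[ ! "$v" =~ ^[A-Za-z0-9._-]+$ ]]; then
    echo "[ERROR] invalid value '$v': only letters, digits, '.', '_' and '-' are allowed" >&2
    exit 2
  fi
done
if [[ ! "$VALIDATOR_PORT" =~ ^[0-9]+$ ]]; then
  echo "[ERROR] validator_port must be numeric, got '$VALIDATOR_PORT'" >&2
  exit 2
fi
if [[ ! -f "$PATH_PRIV_VALIDATOR_KEY" ]]; then
  echo "[ERROR] key file not found: $PATH_PRIV_VALIDATOR_KEY" >&2
  exit 2
fi

# Set file names
KMS_DIR=${HOME}/kms/${NETWORK}
TOML_FILE=${KMS_DIR}/tmkms.toml
STATE_FILE=${KMS_DIR}/state/${CHAIN_ID}-consensus.json
SECRET_FILE=${KMS_DIR}/secrets/validator_key.key
SERVICE_FILE=/etc/systemd/system/tmkms_${NETWORK}.service

tmkms init "$KMS_DIR"
# tmkms init writes a default tmkms.toml; it is replaced wholesale below.
rm -f -- "$TOML_FILE"

# Import and init keys. Abort here if the import fails: the original script went
# on to delete the key file regardless, which would destroy the only copy of the
# validator key on this host.
if ! tmkms softsign import "$PATH_PRIV_VALIDATOR_KEY" "$SECRET_FILE"; then
  echo "[ERROR] tmkms softsign import failed; leaving $PATH_PRIV_VALIDATOR_KEY in place" >&2
  exit 1
fi

# Delete original keyfile. Plain rm, not rm -r: this is a single file and must
# never be a directory. Note that rm does not scrub the data from disk.
rm -f -- "$PATH_PRIV_VALIDATOR_KEY"

# Create network configuration for tmkms
echo "[INFO] Writing $TOML_FILE..."

cat >"$TOML_FILE" <<EOF
# Chain Configuration
[[chain]]
id = "${CHAIN_ID}"
key_format = { type = "bech32", account_key_prefix = "${UNIT}pub", consensus_key_prefix = "${UNIT}valconspub" }
state_file = "${STATE_FILE}"

# Software-based Signer Configuration
[[providers.softsign]]
chain_ids = ["${CHAIN_ID}"]
key_type = "consensus"
path = "${SECRET_FILE}"

# Validator Configuration
[[validator]]
chain_id = "${CHAIN_ID}"
addr = "tcp://${VALIDATOR_IP}:${VALIDATOR_PORT}"
secret_key = "${KMS_DIR}/secrets/kms-identity.key"
protocol_version = "v0.34"
reconnect = true
EOF

echo "[INFO] Writing $SERVICE_FILE..."

# The heredoc is expanded by this (unprivileged) shell, so User/WorkingDirectory
# refer to the invoking user even though tee runs under sudo. USER may be unset
# in non-login contexts; fall back to id.
SERVICE_USER=${USER:-$(id -un)}

sudo tee "$SERVICE_FILE" > /dev/null <<EOF
[Unit]
Description=${CHAIN_ID} tmkms
After=network.target

[Service]
Type=simple
User=${SERVICE_USER}
WorkingDirectory=${HOME}
ExecStart=${HOME}/.cargo/bin/tmkms start -c ${TOML_FILE}
Restart=on-failure
RestartSec=3
LimitNOFILE=65535

[Install]
WantedBy=multi-user.target
EOF

# Separate statements so set -e catches a failing daemon-reload (a failure on the
# left side of && is ignored by -e).
sudo systemctl daemon-reload
sudo systemctl enable "tmkms_${NETWORK}"
sudo systemctl restart "tmkms_${NETWORK}"

echo "[INFO] Run journalctl -fu tmkms_${NETWORK} for logs..."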

4. Setup validator machine

On validator machine

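# Pasted as-is, the original "-> ..." lines ran a command named "-" with its
# output redirected, creating stray files named nano and priv_validator_laddr in
# the config directory. They are instructions, so they are comments here.
cd "$HOME/.secretd/config" || exit 1
# Edit the validator's config.toml (nano $HOME/.secretd/config/config.toml):
#   priv_validator_laddr = "tcp://0.0.0.0:26659"
#   # priv_validator_key_file = "config/priv_validator_key.json"
#   # priv_validator_state_file = "data/priv_validator_state.json"
# The port must match `addr` in the KMS-side tmkms.toml. The manual example in 3a
# uses 10659 while this listens on and opens 26659 — use one value in all three places.
# 0.0.0.0 listens on every interface, so the ufw rule below is what limits who can
# reach the signer port; keep it scoped to the remote signer's address.
# Only remove the local key once the import on the KMS host (step 3) has succeeded;
# after this rm the KMS holds the only copy.
rm -- priv_validator_key.json
# {ip} is the address of the remote signer (tmkms) host.
sudo ufw allow from {ip} to any port 26659
sudo systemctl restart secret-node && journalctl -fu secret-node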