Key Management System for Cosmos Validators.
https://cosmos.network/
This repository contains tmkms, a lightweight service intended to be deployed alongside the gaiad service (ideally on separate physical hosts) which provides the following:
Tendermint KMS is currently alpha quality. It supports YubiHSM2-backed signing when used in conjunction with cosmos-sdk 0.26.
It does NOT yet implement double signing prevention or high availability features. These are planned features which will be implemented soon.
tmkms should build on any [supported Rust platform] which is also supported by [libusb]. Below are some of the available tier 1, 2, and 3 Rust platforms which are also supported by libusb.
NOTE: tmkms is presently tested on Linux/x86_64. We don't otherwise guarantee support for any of the platforms below, but they theoretically meet the necessary prerequisites for support.
x86_64 (recommended)
arm (32-bit ARM)
aarch64 (64-bit ARM)
mips (32-bit MIPS)
mips64 (64-bit MIPS)
powerpc (32-bit PowerPC)
powerpc64 (64-bit PowerPC)
sparc64 (64-bit SPARC)
You will need the following prerequisites:
apt install libusb-1.0-0-dev
yum install libusb1-devel
brew install libusb
To install tmkms, do the following:
RUSTFLAGS environment variable: export RUSTFLAGS=-Ctarget-feature=+aes
cargo tool:
$ cargo install tmkms
tmkms.toml file to a local directory (e.g. ~/.tmkms): https://github.com/tendermint/kms/blob/master/tmkms.toml.example
Edit it to match your desired configuration.
Start tmkms with the following:
$ tmkms start
This will read the configuration from the tmkms.toml file in the current working directory.
To explicitly specify the path to the configuration, use the -c flag:
$ tmkms start -c /path/to/tmkms.toml
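A preflight wrapper for the start procedure, as an added example that is not part of the tmkms repository: it refuses to start when tmkms.toml is accessible to group or other, then runs the `tmkms yubihsm detect` and `tmkms yubihsm keys test <id>` subcommands this README lists before `tmkms start`. The function names, the permission policy, the key ID argument, and the expectation that the subcommands exit non-zero on failure are assumptions.

```shell
#!/bin/sh
# Added example (not from the tmkms repository). Function names and the
# "owner-only config" policy are assumptions made for illustration.

# Succeeds only if $1 is a regular, non-symlink file with no group/other access.
config_is_private() {
    cfg=$1
    [ -f "$cfg" ] && [ ! -L "$cfg" ] || return 1
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld -- "$cfg" | cut -c5-10)
    [ "$perms" = "------" ]
}

# $1 = directory holding tmkms.toml (e.g. ~/.tmkms)
# $2 = ID of the signing key to test (assumed to already exist on the HSM)
# Return codes: 2 = config problem, 3 = no HSM, 4 = signing test failed.
preflight_and_start() {
    dir=$1
    key_id=$2
    config_is_private "$dir/tmkms.toml" || {
        echo "refusing to start: $dir/tmkms.toml is missing or accessible to group/other" >&2
        return 2
    }
    # tmkms start reads tmkms.toml from the current working directory.
    cd "$dir" || return 2
    # Assumption: the subcommands exit non-zero when they fail.
    tmkms yubihsm detect || {
        echo "no YubiHSM2 device detected" >&2
        return 3
    }
    tmkms yubihsm keys test "$key_id" || {
        echo "signing test failed for key $key_id" >&2
        return 4
    }
    tmkms start
}

# Usage: preflight_and_start "$HOME/.tmkms" 1
```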
YubiHSM2 devices from Yubico are the main HSM solution supported by Tendermint KMS at this time (Ledger support forthcoming!)
The tmkms yubihsm subcommand provides YubiHSM2 setup, information, and testing features:
tmkms yubihsm detect - list all YubiHSM2 devices detected via USB
tmkms yubihsm keys - manage keys on the device
tmkms yubihsm keys generate <id> - generate an Ed25519 signing key with the given ID number (e.g. 1)
tmkms yubihsm keys list - list all Ed25519 signing keys in the YubiHSM2
tmkms yubihsm keys test <id> - perform a signing test using the given key
The following are instructions for setting up a development environment. They assume you've already followed steps 1 & 2 from the Installation section above (i.e. installed rustup and the noted nightly Rust release).
rustup component add rustfmt-preview
rustup component add clippy-preview
Alternatively, you can build a Docker image from the [Dockerfile] in the top level of the repository, which is what is used to run tests in CI.
Before opening a pull request, please run the checks below:
Run the test suite with:
cargo test --all-features
Make sure your code is well-formatted by running:
cargo fmt
Lint your code (i.e. check it for common issues) with:
cargo clippy
Copyright © 2018 Tendermint
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
https://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.