Tendermint_KMS
Neutron Create Validator High Availability with Tendermint KMS
Terndermint KMS is Key Management System for Tendermint applications such as Cosmos Validators. This repository contains tmkms, a key management service intended to be deployed in conjunction with Tendermint applications (ideally on separate physical hosts) which provides the following:
High-availability access to validator signing keys
Double-signing prevention even in the event the validator process is compromised
Hardware security module storage for validator keys which can survive host compromise
So lets start to begin.
Prerequisites
We recommended you to run KMS service in a separate machine. Becasue this service work for just in case if your another validators down, you have a backup validator.
OS
Linux Ubuntu 20.04
CPU Architectures
X86_64
Install All Dependencies
Rust
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
source $HOME/.cargo/env
GCC
sudo apt update -y
sudo apt install git build-essential ufw curl jq snapd -y
Libusb
apt install libusb-1.0-0-dev
export RUSTFLAGS=-Ctarget-feature=+aes,+ssse3
Install & Setup TMKMS
cd $HOME
git clone https://github.com/iqlusioninc/tmkms.git
cd $HOME/tmkms
cargo install tmkms --features=softsign
tmkms init config
tmkms softsign keygen ./config/secrets/secret_connection_key
Copy your validator keys from Your Node Server
rsync -Pavz root@(your_node_ip):~/.neutrond/config/priv_validator_key.json ~/tmkms/config/secrets
Change your_node_ip with your Node Public IP Address.
import validator key into tmkms
tmkms softsign import $HOME/tmkms/config/secrets/priv_validator_key.json $HOME/tmkms/config/secrets/priv_validator_key
Config tmkms to Neutron Testnet Chain ID
nano $HOME/tmkms/config/tmkms.toml
# Tendermint KMS configuration file
## Chain Configuration
### Cosmos Hub Network
[[chain]]
id = "quark-1"
key_format = { type = "cosmos-json", account_key_prefix = "neutronpub", consensus_key_prefix = "neutronvalconspub" }
state_file = "/root/tmkms/config/state/priv_validator_state.json"
## Signing Provider Configuration
### Software-based Signer Configuration
[[providers.softsign]]
chain_ids = ["quark-1"]
key_type = "consensus"
path = "/root/tmkms/config/secrets/priv_validator_key"
## Validator Configuration
[[validator]]
chain_id = "quark-1"
addr = "tcp://(your_node_ip):688" # your validator node ip and port
secret_key = "/root/tmkms/config/secrets/secret_connection_key"
protocol_version = "v0.34"
reconnect = true
Create Service for TMKMS
sudo tee /etc/systemd/system/tmkms.service > /dev/null <<EOF
[Unit]
Description=tmkms
After=network-online.target
[Service]
User=$USER
ExecStart=$(which tmkms) start -c $HOME/tmkms/config/tmkms.toml
Restart=on-failure
RestartSec=3
LimitNOFILE=65535
[Install]
WantedBy=multi-user.target
EOF
Access and Modify Your Config Node and Validator
nano $HOME/.neutrond/config/config.toml
Add into config.toml
priv_validator_laddr = "tcp://0.0.0.0:688"
Comment or remark this
# Path to the JSON file containing the private key to use as a validator in the consensus protocol
# priv_validator_key_file = "config/priv_validator_key.json"
# Path to the JSON file containing the last sign state of a validator
# priv_validator_state_file = "data/priv_validator_state.json"
Restart Neutrond Services
systemctl restart neuntrond && sudo journalctl -u neuntrond -f -o cat
Go back to your KMS Server and start tmkms service
sudo systemctl daemon-reload
sudo systemctl enable tmkms
sudo systemctl restart tmkms && sudo journalctl -u tmkms -f -o cat
Congrats, You should now be signing blocks! If you cancel the TMKMS process, you will no longer sign blocks and will stop syncing. If you restart the TMKMS process, your validator node will continue to sync from where it left off.
How To Check Result
Check on Your Node Validator Server, if that showing your Address and Pubkey that Successfully
neutrond status 2>&1 | jq .ValidatorInfo
Check On Tendermint KMS Server, find and search this "state connected to validator successfully" after you start kms services
journalctl -u tmkms -f -o cat
Last updated