Tendermint KMS (tmkms) is the software that we’ll use to sign our blocks; it is a secure way to avoid double signing.
NOTE: double signing is signing more than once for the same block. In practice, it actually means signing a round more than once, because the block generation process can take several rounds of signatures among all the validators until it reaches consensus.
For our configuration we are going to run tmkms on the same machine as the evmosd binary, but in production you probably want it on a separate server, so it’s easier to switch your evmosd nodes without the risk of having 2 instances of tmkms running at the same time and double signing.
Install the software
Build locally (recommended for production)
NOTE: we are not going to use this method because it takes forever to build in our small virtual machines.
Rust and C++ compilers are needed.
sudo apt install rustc curl build-essential gcc make cargo -y
cargo install tmkms --features=softsign
Add the cargo bin folder to your path:
nano ~/.bashrc
# add this line to the end of the file
PATH=$HOME/.cargo/bin:$PATH
# close the editor with control + X, then Y to save
Note that we are building tmkms with the softsign feature, which allows us to sign blocks using software. It’s not the most secure way to do it, because your keys can be stolen if someone accesses your server, but it’s the most practical way when renting online hardware.
If you are running your own local hardware, you can connect a Ledger device and sign all the blocks using your hardware wallet connected to tmkms.
Running your own hardware has its own problems, because you need backups for your ISP and electricity. Being offline for more than 16 hours on the Evmos chain will get you out of the active set and slash some of the stake assigned to your validator (your coins and your delegators’ coins).
Download a tmkms already built for our virtual machine
To avoid wasting time waiting for tmkms to compile, I already compiled the program and pushed it to a GitHub repo.
cd
git clone https://github.com/hanchon/validator_workshop_files.git
cd validator_workshop_files
cp ./tmkms ~
# check that it is working
~/tmkms version
# 0.12.2
Set up your Evmos configuration
We are going to use evmosd to init our data folder (~/.evmosd/). It will safely create the validator keys that we’ll need for the tmkms import process.
You can use any moniker that you want for this step.
~/evmosd init <moniker> --chain-id evmos_9999-1
Let’s make sure that the priv_validator_key.json file was generated.
cat ~/.evmosd/config/priv_validator_key.json
# {
#   "address": "24FFE3346E31B9700BE68036D01213BE28C6F90F",
#   "pub_key": {
#     "type": "tendermint/PubKeyEd25519",
#     "value": "T4vFziyyehxdsSYj2ylyYI+w7KdcG2Dta3Gq5YfXgNE="
#   },
#   "priv_key": {
#     "type": "tendermint/PrivKeyEd25519",
#     "value": "ykuMEN3SmB761LLRls4okGSkmBdg6C37AJ0MN3Qi0S9Pi8XOLLJ6HF2xJiPbKXJgj7Dsp1wbYO1rcarlh9eA0Q=="
#   }
# }
Set up tmkms
Init:
mkdir -p $HOME/tmkms_config/evmos
~/tmkms init $HOME/tmkms_config/evmos
Configuration:
cd ~/tmkms_config/evmos
# delete the configuration file
rm tmkms.toml
# let's create one with the correct configuration
nano tmkms.toml
tmkms.toml content:
# Tendermint KMS configuration file
## Chain Configuration
### Cosmos Hub Network
[[chain]]
id = "evmos_9999-1"
key_format = { type = "bech32", account_key_prefix = "evmospub", consensus_key_prefix = "evmosvalconspub" }
state_file = "/home/evmos/tmkms_config/evmos/state/evmos-state.json"
## Signing Provider Configuration
### Software-based Signer Configuration
[[providers.softsign]]
chain_ids = ["evmos_9999-1"]
key_type = "consensus"
path = "/home/evmos/tmkms_config/evmos/secrets/evmos-consensus.key"
## Validator Configuration
[[validator]]
chain_id = "evmos_9999-1"
addr = "tcp://127.0.0.1:26658"
secret_key = "/home/evmos/tmkms_config/evmos/secrets/kms-identity.key"
protocol_version = "v0.34"
reconnect = true
NOTE: we are using /home/evmos because all the users for the workshop are called evmos; in production the path should match your username.
To avoid problems with the configuration, we must use full paths.
Import secrets:
~/tmkms softsign import $HOME/.evmosd/config/priv_validator_key.json ~/tmkms_config/evmos/secrets/evmos-consensus.key
Now is a good time to back up your priv_validator_key.json in a secure place; after that you can remove the file from your system.
It’s HIGHLY RECOMMENDED to remove the .json file from your system, to be 100% sure that you are not going to double sign blocks if you miss any configuration on evmosd. If the tmkms endpoint is not set in the node configuration, the node won’t start instead of risking double signatures.
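A pre-start check for the setup above, as an added example that is not part of the original workshop: it confirms the JSON key is gone from the node, that the softsign key files are closed to group and others, and that the node's signer address matches the addr in tmkms.toml. The function name tmkms_preflight and the temporary demo layout are constructed for illustration; priv_validator_laddr is the Tendermint config.toml key for the remote signer address, which this page does not show being set.

```bash
# Added example (not from the original page). Function name is hypothetical.
# Usage: tmkms_preflight <evmosd home> <tmkms config dir>
# Prints one line per finding; the return status is the number of findings.
tmkms_preflight() {
    local node_home="$1" kms_home="$2" findings=0 f perms kms_addr node_addr

    # 1. A leftover JSON key lets evmosd sign locally next to tmkms.
    if [ -e "$node_home/config/priv_validator_key.json" ]; then
        echo "FAIL: priv_validator_key.json still present in the node config"
        findings=$((findings + 1))
    fi

    # 2. softsign keys are plain files: no access for group or others.
    for f in "$kms_home"/secrets/*.key; do
        if [ ! -e "$f" ]; then
            echo "FAIL: no .key files in $kms_home/secrets"
            findings=$((findings + 1))
            break
        fi
        perms=$(ls -ld "$f" | cut -c5-10)   # group+other bits, e.g. r--r--
        if [ "$perms" != "------" ]; then
            echo "FAIL: $f is accessible to group/others ($perms)"
            findings=$((findings + 1))
        fi
    done

    # 3. Node signer address vs [[validator]] addr (exact match: same-host setup).
    kms_addr=$(sed -n 's/^addr *= *"\(.*\)".*/\1/p' "$kms_home/tmkms.toml" | head -n 1)
    node_addr=$(sed -n 's/^priv_validator_laddr *= *"\(.*\)".*/\1/p' \
        "$node_home/config/config.toml" | head -n 1)
    if [ -z "$node_addr" ]; then
        echo "FAIL: priv_validator_laddr is not set in config.toml"
        findings=$((findings + 1))
    elif [ "$node_addr" != "$kms_addr" ]; then
        echo "FAIL: node expects the signer on $node_addr, tmkms dials $kms_addr"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed layout (not real keys) with one deliberate mistake: key mode 644.
demo=$(mktemp -d)
mkdir -p "$demo/node/config" "$demo/kms/secrets"
printf 'priv_validator_laddr = "tcp://127.0.0.1:26658"\n' > "$demo/node/config/config.toml"
printf '[[validator]]\naddr = "tcp://127.0.0.1:26658"\n' > "$demo/kms/tmkms.toml"
touch "$demo/kms/secrets/evmos-consensus.key"
chmod 644 "$demo/kms/secrets/evmos-consensus.key"
tmkms_preflight "$demo/node" "$demo/kms" || echo "findings: $?"
```

Against the real layout from this page the call would be `tmkms_preflight ~/.evmosd ~/tmkms_config/evmos`, run before starting evmosd.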
Run tmkms:
Run tmkms in a screen session
screen -S tmkms
~/tmkms start -c ~/tmkms_config/evmos/tmkms.toml
# It will log errors because our evmosd node is not running yet
# detach the screen with control + a + d
We can keep terminal sessions alive using screen or tmux, but running tmkms as a service is preferred for production because it will restart automatically in case of failure.
Alternative option to screen:
Create the tmkms service
# file /etc/systemd/system/tmkms-evmos.service
[Unit]
Description=tmkms evmos service
After=network.target
StartLimitIntervalSec=0
[Service]
Type=simple
Restart=always
RestartSec=10
User=evmos
ExecStart=/home/evmos/tmkms start -c /home/evmos/tmkms_config/evmos/tmkms.toml
LimitNOFILE=1024
[Install]
WantedBy=multi-user.target
Start the service
sudo systemctl daemon-reload
sudo systemctl start tmkms-evmos
sudo systemctl enable tmkms-evmos
sudo systemctl status tmkms-evmos
# Read the logs:
sudo journalctl -u tmkms-evmos.service