BlockX Documentation

Tendermint KMS + Ledger


Last updated 2 years ago

Checklist

The following instructions are a brief walkthrough and not a comprehensive guideline. You should consider and research the security implications of activating an external KMS.

  • Ledger Nano X or Nano S device

  • Ledger Live installed

  • Tendermint app installed (only in Developer Mode)

  • Latest Versions (Firmware and Tendermint app)

Tendermint Validator app

IMPORTANT: KMS and the Ledger Tendermint app are currently a work in progress. Details may vary. Use at your own risk.

You should be able to find the Tendermint app in Ledger Live.

You will need to enable Developer Mode in Ledger Live Settings in order to find the app.

KMS configuration

In this section, we will configure a KMS to use a Ledger device running the Tendermint Validator App.

Config file

You can find other configuration examples

  • Create a ~/.tmkms/tmkms.toml file with the following content (use the appropriate chain_id):

# Example KMS configuration file
[[validator]]
addr = "tcp://localhost:26658"                  # or "unix:///path/to/socket"
chain_id = "blockx_12345-1"
reconnect = true                                # true is the default
secret_key = "~/.tmkms/secret_connection.key"

[[providers.ledger]]
chain_ids = ["blockx_12345-1"]                  # must include the chain_id of the [[validator]] entry above

  • Edit addr to point to your blockxd instance.

  • Adjust chain_id to match your .blockxd/config/config.toml settings.

  • providers.ledger has no additional parameters at the moment; however, it is important that you keep that header to enable the feature.

Plug in your Ledger device and open the Tendermint validator app.

Generate secret key

Now you need to generate a secret_key:

tmkms keygen ~/.tmkms/secret_connection.key

Retrieve validator key

The last step is to retrieve the validator key that you will use in blockxd.

Start the KMS:

tmkms start -c ~/.tmkms/tmkms.toml

The output should look similar to:

07:28:24 [INFO] tmkms 0.11.0 starting up...
07:28:24 [INFO] [keyring:ledger:ledger] added validator key blockxvalconspub1zcjduepqy53m39prgp9dz3nz96kaav3el5e0th8ltwcf8cpavqdvpxgr5slsd6wz6f
07:28:24 [INFO] KMS node ID: 1BC12314E2E1C29015B66017A397F170C6ECDE4A

The KMS may complain that it cannot connect to blockxd. That is fine; we will fix it in the next section.

This output indicates that the validator key linked to this particular device is:

blockxvalconspub1zcjduepqy53m39prgp9dz3nz96kaav3el5e0th8ltwcf8cpavqdvpxgr5slsd6wz6f

Take note of the validator pubkey that appears on your screen. We will use it in the next section.

BlockX configuration

You need to enable KMS access by editing .blockxd/config/config.toml. In this file, modify priv_validator_laddr to create a listening address/port or a Unix socket in blockxd.

For example:

...
# TCP or UNIX socket address for Tendermint to listen on for
# connections from an external PrivValidator process
priv_validator_laddr = "tcp://127.0.0.1:26658"
...

Let's assume that you have set up your validator account and called it kmsval. Pass blockxd the validator key obtained in the previous section:

blockxd gentx --name kmsval --pubkey <pub_key>

Now start blockxd. You should see that the KMS connects and receives a signature request.

Once the Ledger device receives the first message, it will ask for confirmation that the values are adequate. Click the right button if the height and round are correct. After that, the KMS will start forwarding all signature requests to the Ledger app.
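
Before starting blockxd, the two files edited above can be checked against each other. The script below is an added example, not part of BlockX or tmkms; the function names (toml_get, check_kms, demo) are hypothetical, and the loopback-only rule is a conservative assumption based on the 127.0.0.1 address used on this page. It assumes plain `key = "value"` lines as in the snippets above.

```shell
#!/bin/sh
# Added example: pre-flight check of tmkms.toml against blockxd's config.toml.
# Assumes plain `key = "value"` lines, as in the snippets on this page.

# toml_get FILE KEY -> first quoted value assigned to KEY (empty if absent)
toml_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# check_kms TMKMS_TOML CONFIG_TOML -> prints findings, returns their count
check_kms() {
    n=0
    chain=$(toml_get "$1" chain_id); addr=$(toml_get "$1" addr)
    key=$(toml_get "$1" secret_key); laddr=$(toml_get "$2" priv_validator_laddr)
    # 1. The validator's chain_id must also be listed in chain_ids.
    grep -E '^[[:space:]]*chain_ids[[:space:]]*=' "$1" | grep -qF "\"$chain\"" ||
        { echo "chain_id '$chain' missing from providers.ledger chain_ids"; n=$((n+1)); }
    # 2. tmkms must dial the port (or socket path) that blockxd listens on.
    [ "${addr##*:}" = "${laddr##*:}" ] ||
        { echo "addr '$addr' does not match priv_validator_laddr '$laddr'"; n=$((n+1)); }
    # 3. Conservative check: signer listener on loopback or a Unix socket only.
    case $laddr in
        unix://*|tcp://127.0.0.1:*|tcp://localhost:*) ;;
        *) echo "priv_validator_laddr '$laddr' is not local-only"; n=$((n+1)) ;;
    esac
    # 4. The secret connection key should be readable by its owner only.
    case $key in "~/"*) key=$HOME/${key#"~/"} ;; esac
    if [ -e "$key" ] && [ "$(ls -Lld "$key" | cut -c5-10)" != "------" ]; then
        echo "$key is accessible to group/other"; n=$((n+1))
    fi
    return "$n"
}

# Demo on constructed files: chain IDs deliberately differ, the rest is sound.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '[[validator]]' 'addr = "tcp://localhost:26658"' \
        'chain_id = "blockx_12345-1"' "secret_key = \"$d/secret_connection.key\"" \
        '[[providers.ledger]]' 'chain_ids = ["blockx_9001-1"]' > "$d/tmkms.toml"
    echo 'priv_validator_laddr = "tcp://127.0.0.1:26658"' > "$d/config.toml"
    (umask 077; : > "$d/secret_connection.key")
    check_kms "$d/tmkms.toml" "$d/config.toml"; found=$?
    rm -rf "$d"; return "$found"
}
demo || echo "findings: $?"
```

On real files, call it as check_kms ~/.tmkms/tmkms.toml ~/.blockxd/config/config.toml; a return value of 0 means none of the four checks fired.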
