Tendermint KMS + Ledger
Checklist
The following instructions are a brief walkthrough and not a comprehensive guideline. You should consider and research more about the security implications of activating an external KMS.
Ledger Live installed
Tendermint app installed (only in
Developer Mode
)Latest Versions (Firmware and Tendermint app)
Tendermint Validator app
IMPORTANT: KMS and Ledger Tendermint app are currently work in progress. Details may vary. Use under your own risk
You should be able to find the Tendermint app in Ledger Live.
You will need to enable Developer Mode
in Ledger Live Settings
in order to find the app.
KMS configuration
In this section, we will configure a KMS to use a Ledger device running the Tendermint Validator App.
Config file
You can find other configuration examples here
Create a
~/.tmkms/tmkms.toml
file with the following content (use an adequatechain_id
)
Edit
addr
to point to yourmnovad
instance.Adjust
chain-id
to match your.mnovad/config/config.toml
settings.provider.ledger
has not additional parameters at the moment, however, it is important that you keep that header to enable the feature.
Plug your Ledger device and open the Tendermint validator app.
Generate secret key
Now you need to generate a secret_key
:
Retrieve validator key
The last step is to retrieve the validator key that you will use in mnovad
.
Start the KMS:
The output should look similar to:
The KMS may complain that it cannot connect to mnovad
. That is fine, we will fix it in the next section. This output indicates the validator key linked to this particular device is: mnovavalconspub1zcjduepqy53m39prgp9dz3nz96kaav3el5e0th8ltwcf8cpavqdvpxgr5slsd6wz6f
Take note of the validator pubkey that appears in your screen. We will use it in the next section.
MNova configuration
You need to enable KMS access by editing .mnovad/config/config.toml
. In this file, modify priv_validator_laddr
to create a listening address/port or a Unix socket in mnovad
.
For example:
Let's assume that you have set up your validator account and called it kmsval
. You can tell mnovad the key that we've got in the previous section.
Now start mnovad
. You should see that the KMS connects and receives a signature request.
Once the Ledger device receives the first message, it will ask for confirmation that the values are adequate. Click the right button, if the height and round are correct. After that, you will see that the KMS will start forwarding all signature requests to the Ledger app.
Last updated