TMKMS with quark-1 (neutron) testnet

2pilot
Nov 25, 2022

Intro

TMKMS (Tendermint Key Management System) provides isolated signing key management for Tendermint applications, including validators, oracles, IBC relayers, and other transaction signing applications.

What this means is that you can safely store your validator key separately from your validator node and continue to sign blocks.

For this experiment you will need 2 hosts: one running the neutron chain (validator node) and one signing blocks (tmkms node). You can keep the server you are using now for your validator node and get a new one for tmkms. The tmkms host doesn’t consume many resources, so it can be anything starting from 1cpu/1gb ram.

Install tmkms

After connecting to the tmkms node (not the validator node), let’s install all the required dependencies. The system packages go first, because the rustup installer is fetched with curl:

sudo apt update && \
sudo apt install git build-essential ufw curl jq snapd libusb-1.0-0-dev --yes && \
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh && \
source $HOME/.cargo/env && \
export RUSTFLAGS=-Ctarget-feature=+aes,+ssse3

Let’s download and compile the tmkms source code, create the config directory, and generate the secret connection key:

cd $HOME && \
git clone https://github.com/iqlusioninc/tmkms.git && \
cd $HOME/tmkms && \
cargo install tmkms --features=softsign && \
tmkms init config && \
tmkms softsign keygen ./config/secrets/secret_connection_key

Note that we are using --features=softsign, which keeps the signing key in a file on the tmkms host. For better security, Ledger / YubiHSM alternatives should be considered.

Now let’s copy your priv_validator_key.json to ~/tmkms/config/secrets and import it like this:

tmkms softsign import $HOME/tmkms/config/secrets/priv_validator_key.json $HOME/tmkms/config/secrets/priv_validator_key

Next, update the config file $HOME/tmkms/config/tmkms.toml to look like this:

[[chain]]
id = "quark-1"
key_format = { type = "cosmos-json", account_key_prefix = "neutronpub", consensus_key_prefix = "neutronvalconspub" }
state_file = "/root/tmkms/config/state/priv_validator_state.json"

[[providers.softsign]]
chain_ids = ["quark-1"]
key_type = "consensus"
path = "/root/tmkms/config/secrets/priv_validator_key"

[[validator]]
chain_id = "quark-1"
addr = "tcp://65.21.107.203:688" # validator tcp://ip:port
secret_key = "/root/tmkms/config/secrets/secret_connection_key"
protocol_version = "v0.34"
reconnect = true

Make sure to use your validator’s IP for the addr option.

Update validator node config

On your validator node, set priv_validator_laddr in $HOME/.neutrond/config/config.toml to listen on the port specified in the [[validator]] section of tmkms.toml.

Comment out priv_validator_key_file and priv_validator_state_file in the same file.

Start signing with TMKMS

Stop your validator node. You can also rename priv_validator_key.json or move it to another place.

Start the tmkms process by running the command below (note that it is much more reliable to run it as a service):

tmkms start -c $HOME/tmkms/config/tmkms.toml

You should see the following logs for tmkms node.

After your neutron node is started, tmkms logs should be like this

Remove priv_validator_key.json from your validator and tmkms nodes and store it safely offline. And that’s it, now you are signing blocks from another node.
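To confirm that the validator node really matches the steps above, here is a small check script. It is an added example, not part of the original post or of the tmkms project; the function name check_remote_signer and the sample config values in the demo are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit a validator's config.toml after switching to tmkms.
# Usage: check_remote_signer CONFIG_TOML [KEY_JSON]   (returns 0 if all checks pass)
# e.g.   check_remote_signer "$HOME/.neutrond/config/config.toml" /path/to/priv_validator_key.json
check_remote_signer() {
    local cfg="$1" key="${2:-}" rc=0 laddr k
    [ -r "$cfg" ] || { echo "FAIL: cannot read $cfg"; return 1; }
    # Value of the active (uncommented) priv_validator_laddr line, if any.
    laddr=$(sed -n 's/^[[:space:]]*priv_validator_laddr[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$cfg" | head -n 1)
    if [ -z "$laddr" ]; then
        echo "FAIL: priv_validator_laddr is empty or commented out"; rc=1
    else
        echo "ok:   priv_validator_laddr = $laddr"
    fi
    # Both local-signer entries must be commented out, as the post instructs.
    for k in priv_validator_key_file priv_validator_state_file; do
        if grep -Eq "^[[:space:]]*${k}[[:space:]]*=" "$cfg"; then
            echo "FAIL: $k is still active"; rc=1
        else
            echo "ok:   $k is commented out or absent"
        fi
    done
    # Optional: the key file should no longer be present on this host.
    if [ -n "$key" ] && [ -e "$key" ]; then
        echo "FAIL: $key is still on disk"; rc=1
    fi
    return "$rc"
}

# Demo on a constructed config (port 26659 is a sample value, not from the post).
demo=$(mktemp)
cat > "$demo" <<'EOF'
priv_validator_laddr = "tcp://0.0.0.0:26659"
# priv_validator_key_file = "config/priv_validator_key.json"
# priv_validator_state_file = "data/priv_validator_state.json"
EOF
check_remote_signer "$demo" || true
rm -f "$demo"
```

A non-zero exit status means at least one step was missed, so the function can gate a restart script for the validator.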

Observations

I’ve been testing it for several days and noticed a minor uptime drop, around 0.02%. For the tmkms node I was using a 3vcpu/4gb ram host located in Germany, while my neutron node was located in Helsinki. I suspect that having both nodes in one DC would decrease the uptime drop.

Resource utilization for tmkms node can be found below

The only minor difference is traffic increase around 16:00 which was expected
