Tezos on KMS

Published in Coinmonks, Sep 21, 2020

By Keefer Taylor and Luke Youngblood

Today, we’re open sourcing two libraries for working with Tezos keys stored in Amazon Web Services’ Key Management System (“AWS KMS”). These tools provide a security-focused abstraction that allows developers to securely work with hot keys stored in the cloud.


About KMS

Before discussing the new libraries, some background on KMS may be useful.

AWS KMS is a cloud solution which provides hardware security modules (HSMs) on demand. HSMs are computer hardware that is hard wired to not allow key extraction. AWS KMS provides redundant and secure access to these keys across multiple geographic regions, while preventing key extraction or theft by rogue employees or malicious attackers.

KMS recently began to support the secp256k1 signing curve, which is used in Tezos and other cryptocurrencies. This development makes AWS KMS an enticing solution for securing keys which need to be online, highly available, and secure. Best of all, the service is cheap, costing only a few dollars a month to store and use a key.

Use in Harbinger Infrastructure

Harbinger price oracles (a secure on-chain price feed) make extensive use of AWS KMS. Signers for Harbinger data feeds store their keys in KMS, where they are used to sign data feeds. The poster for Harbinger data on Tezos mainnet stores funds and signs and pays for an operation once an hour. For those curious, Keefer Taylor and Luke Youngblood talk extensively about how KMS is utilized in the Harbinger system in TezTalks 11.

Both of these services secure non-trivial amounts of value. In the signer’s case, malicious users could alter the price feed, potentially affecting outcomes of DeFi instruments with arbitrarily high amounts of losses. In the poster’s case, live funds are secured on a hot wallet. Both services also require keys to be online constantly (to sign data feeds on demand in the case of the signer, or to pay for updates to the oracles in the case of the poster). KMS represents a secure solution that allows both of these services to function.

Generalized KMS Libraries

KMS proves to be a very useful service for storing Tezos keys, and we think other developers may find value in using this infrastructure for their own DeFi projects or services running on Tezos. We’ve generalized and extracted two TypeScript packages from the Harbinger infrastructure for re-use.

Tezos-KMS

The first package, Tezos-KMS, is targeted at Tezos developers who want a secure solution to store keys and sign arbitrary bytes.

The library provides a wrapper around a KMS key that allows retrieval of the public key and public key hash, and allows the key to sign arbitrary bytes. This library is modular, simple to use and easy to understand. Here’s a brief example of how to get started:

const kmsClient = new TezosKmsClient(awsKeyId, awsRegion)
await kmsClient.getPublicKey() // sppk…
await kmsClient.getPublicKeyHash() // tz2…
await kmsClient.signOperation(Buffer.from('deadbeef', 'hex')) // <bytes>
await kmsClient.signOperationBase58(Buffer.from('deadbeef', 'hex')) // spsig…
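What a signing wrapper of this kind has to do with the bytes KMS returns, as an added example (not code from Tezos-KMS or from this article): KMS returns ECDSA signatures DER-encoded, while a Tezos secp256k1 signature is the raw 64-byte r || s. The low-S step assumes the verifier rejects high-S values; all function names and the sample bytes are constructed for illustration.

```typescript
// secp256k1 group order n and floor(n/2), big-endian (public curve constants).
const N = fromHex("fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141");
const HALF_N = fromHex("7fffffffffffffffffffffffffffffff5d576e7357a4501ddfe92f46681b20a0");
// Constructed sample, not real KMS output: DER signature with r = 1 and s = n - 1.
const SAMPLE_HIGH_S_DER = fromHex("3026020101022100" + "fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364140");

function fromHex(hex: string): Uint8Array {
  const out = new Uint8Array(hex.length / 2);
  for (let i = 0; i < out.length; i++) out[i] = parseInt(hex.slice(2 * i, 2 * i + 2), 16);
  return out;
}

// Read one DER INTEGER at pos; return it left-padded to 32 bytes plus the next offset.
function readInt(der: Uint8Array, pos: number): { value: Uint8Array; next: number } {
  const len = der[pos + 1];
  if (der[pos] !== 0x02 || !(len >= 1 && len <= 33) || pos + 2 + len > der.length) throw new Error("malformed DER INTEGER");
  let start = pos + 2;
  const end = start + len;
  while (start < end - 1 && der[start] === 0) start++; // drop the sign-padding zero
  if (end - start > 32) throw new Error("integer wider than 32 bytes");
  const value = new Uint8Array(32);
  value.set(der.subarray(start, end), 32 - (end - start));
  return { value, next: end };
}
function greater(a: Uint8Array, b: Uint8Array): boolean { // big-endian a > b, equal lengths
  for (let i = 0; i < a.length; i++) if (a[i] !== b[i]) return a[i] > b[i];
  return false;
}
function subtract(a: Uint8Array, b: Uint8Array): Uint8Array { // big-endian a - b, assuming a >= b
  const out = new Uint8Array(a.length);
  for (let i = a.length - 1, borrow = 0; i >= 0; i--) {
    const d = a[i] - b[i] - borrow;
    borrow = d < 0 ? 1 : 0;
    out[i] = d & 0xff;
  }
  return out;
}

// DER ECDSA signature -> 64-byte r || s, with s forced into the lower half of the order.
function derToRawLowS(der: Uint8Array): Uint8Array {
  if (der[0] !== 0x30 || der[1] !== der.length - 2) throw new Error("malformed DER SEQUENCE");
  const r = readInt(der, 2);
  const s = readInt(der, r.next);
  if (s.next !== der.length) throw new Error("trailing bytes after s");
  const raw = new Uint8Array(64);
  raw.set(r.value, 0);
  raw.set(greater(s.value, HALF_N) ? subtract(N, s.value) : s.value, 32);
  return raw;
}
```

Replacing s with n - s yields a signature that is equally valid for the same message and key, so the normalization changes only the encoding, not what was signed.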

Conseil-KMS

The second package, Conseil-KMS, provides plug and play functionality for using Cryptonomic’s ConseilJS. ConseilJS provides modular interfaces for signing operations (called Signers) and working with keys (called Keystores).

Conseil-KMS provides an implementation of a Signer and KeyStore which is backed by a key stored in KMS. A developer using Conseil only needs to instantiate these new implementations and provide them to ConseilJS for use in operations. Here’s a quick example:

const signer = new KmsSigner(awsKeyId, awsRegion)
const keystore = KmsKeyStore.from(awsKeyId, awsRegion)
// This is a vanilla Conseil invocation with no
// modification required
const result = await TezosNodeWriter.sendTransactionOperation(
  "https://rpctest.tzbeta.net",
  signer,
  keystore,
  'tz1RVcUP9nUurgEJMDou8eW3bVDs6qmP5Lnc', // Recipient
  500000, // Amount, in mutez
  1500 // Fee, in mutez
)

Conclusion

AWS KMS provides a compelling and secure solution for enterprise-grade dApps and services that need hot, secure, and redundant key access for high-value services.

These new libraries provide generic and reusable interfaces for all Tezos developers. We look forward to continuing to build useful DeFi primitives and infrastructure for the Tezos ecosystem and welcome contributions and feedback. Developers can check out the source code, fork or contribute to these libraries in their respective GitHub repos:
