Announcing Tendermint KMS v0.8.0: transaction signing support, Tendermint v0.33+ compatibility, init command

By Tony Arcieri

The iqlusion team has just released a new version of Tendermint KMS (tmkms): v0.8.0. Tendermint KMS is a signature service with support for Hardware Security Modules (HSMs), such as YubiHSM2 and Ledger Nano. It’s intended to be run alongside Cosmos Validators, ideally on separate physical hosts, providing defense-in-depth for online validator signing keys, double signing protection, and functioning as a central signing service that can be used when operating multiple validators in several Cosmos Zones.

This release includes some interesting new features which we’re excited to share with you, along with important bugfixes.

For installation instructions and more details, please see the Tendermint KMS repository on GitHub:

Transaction Signing Support (alpha)


The most exciting feature in this release is newly added support for signing transactions (in the StdTX format used by many Tendermint chains) using an account key managed by the KMS. The YubiHSM2 and “Soft Sign” (on-host) key backends now both support account keys and transaction signing (see the tmkms#105 issue on GitHub regarding Ledger support).

We think this functionality has many potential applications, with oracle signing being the foremost. At iqlusion, we’re using this functionality in production to operate a Terra price oracle in conjunction with our (work-in-progress) oracle feeder software Delphi.

Since Tendermint KMS is designed to support multiple Tendermint chains which each define their own transaction message types, we’ve implemented transaction signing in such a way that the schema for any particular chain’s transactions can be defined using configuration files alone.

Best of all, as seen in the diagram above, the KMS automates the work of monitoring chain state and submitting signed transactions for broadcast to the chain. This means writing a service which produces transactions to be signed is as easy as exposing an HTTP service which provides unsigned transactions in Amino JSON format, and the KMS handles the rest.

All that said, the feature is in an alpha state. Many things are also in flux: newer versions of Tendermint will migrate to a different transaction encoding (based on Protocol Buffers, versus the current Amino). If you want to be an eager early adopter, great, but expect there to be many changes.

For more information on this feature, please see the file in the Tendermint KMS repo.

Tendermint v0.33+ compatibility (Secret Connection handshake changes)

Tendermint v0.33 introduced breaking changes to the Secret Connection protocol used to encrypt the connection between the KMS and a validator.

This release supports both the old and new protocol versions, allowing you to mix chains using the legacy protocol (e.g. Cosmos Hub) with ones running the Tendermint v0.33+ protocol.

If you want to use the KMS with a newer chain, use the following configuration setting in tmkms.toml:

addr = "tcp://..."
protocol_version = "v0.33" # "legacy" is the default
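
As an added example (not from the original post or the tmkms code base), the sketch below reports the effective protocol_version for each validator entry, so a v0.33+ chain left on the "legacy" default is easy to spot before deployment. It assumes validator entries live in [[validator]] tables with addr and chain_id keys, reads only simple key = "value" lines, and uses constructed hostnames and chain IDs.

```python
import re

KNOWN = {"legacy", "v0.33"}  # the two values named in the v0.8.0 announcement
DEFAULT = "legacy"           # per the announcement, "legacy" is the default

# Constructed sample config: hosts, ports and chain IDs are placeholders.
SAMPLE = '''
[[validator]]
addr = "tcp://hub.example.internal:26658"
chain_id = "cosmoshub-3"

[[validator]]
addr = "tcp://newchain.example.internal:26658"
chain_id = "newchain-1"
protocol_version = "v0.33" # "legacy" is the default

[[validator]]
addr = "tcp://typo.example.internal:26658"
chain_id = "typo-1"
protocol_version = "0.33"
'''

HEADER = re.compile(r'^\s*\[\[?\s*([\w.]+)\s*\]\]?\s*(#.*)?$')
STRING_KV = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*(#.*)?$')

def audit_protocol_versions(toml_text):
    """Return (addr, chain_id, effective_version, status) per [[validator]] table."""
    validators, current = [], None
    for line in toml_text.splitlines():
        header = HEADER.match(line)
        if header:
            # Only collect keys that belong to a [[validator]] table.
            current = {} if header.group(1) == "validator" else None
            if current is not None:
                validators.append(current)
            continue
        kv = STRING_KV.match(line)
        if kv and current is not None:
            current[kv.group(1)] = kv.group(2)
    report = []
    for v in validators:
        version = v.get("protocol_version", DEFAULT)
        explicit = "explicit" if "protocol_version" in v else "default"
        status = explicit if version in KNOWN else "invalid"
        report.append((v.get("addr"), v.get("chain_id"), version, status))
    return report

if __name__ == "__main__":
    for row in audit_protocol_versions(SAMPLE):
        print(*row, sep="\t")
```

A row with status "default" is a validator that will be spoken to with the legacy handshake; confirm that is what the chain on the other end expects.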

New command: tmkms init

We’ve introduced a commonly requested feature: a command for first-time setup of Tendermint KMS, similar to gaiad init, which creates a directory containing initial configuration files and automatically generates the necessary encryption keys:

$ tmkms init /home/tmkms
    Creating /home/tmkms
   Generated KMS configuration: /home/tmkms/tmkms.toml
   Generated Secret Connection key: /home/tmkms/secrets/kms-identity.key

Best of all, the configuration it generates is customized based on the signing providers you have enabled (e.g. if the softsign provider is enabled, it will automatically generate a consensus key for you).

Roadmap

Going forward, we plan on continuing to evolve Tendermint KMS along with the rest of the Tendermint ecosystem and enhancing it with new features.

The upcoming Stargate upgrade will both enable many new possibilities in the KMS and require certain changes (e.g. Protobufs).
The Post-Stargate Roadmap (tmkms:#96) tracking issue on the Tendermint KMS GitHub repo describes some of these changes.

We are looking forward to migrating away from legacy Secret Connection/Amino-based protocols and embracing gRPC, both for validator connections from the KMS and for use with the Transaction Signer.

Finally, we are considering adding support for signing Ethereum transactions, which has a number of useful applications including Ethereum oracles and other things which could potentially be useful for cross-chain interactions (e.g. IBC).

Bugfixes and changelog

In addition to new feature work, this release also includes a number of bugfixes and other minor enhancements.

We hope it may address a longstanding deadlock problem that several users have reported in the past (or if it doesn’t, this release comes with considerably more diagnostic information).

Full changelog below:

Added

Changed

