KMS Download and Install
Download KMS
We recommend that you run KMS from the Docker image regardless of the operating system used.
Tatum KMS should be installed in the Deny-From-All environment to meet the highest security standards.
Install KMS
Via npm
- Install KMS globally:
npm i -g @tatumio/tatum-kms   # or: yarn global add @tatumio/tatum-kms
- Use a .env file to configure Tatum KMS:
- via --env-file=/path/to/.env:
tatum-kms --env-file=/path/to/.env getaddress 11111111-1111-1111-1111-111111111111 0
- via environment variables set directly on the command line:
TATUM_API_KEY=XXXXX-YOUR-API-KEY tatum-kms --help
- via environment variables predefined at the global (shell) level:
export TATUM_API_KEY=XXXXX-YOUR-API-KEY
tatum-kms --help
IMPORTANT! NodeJS >=14 and npm@6 are required. KMS does not work on npm@7.
Via Docker
- Pull the tatum-kms image:
docker pull tatumio/tatum-kms
- Navigate to the home directory:
cd $HOME
- Use a pre-created .env file to configure Tatum KMS via --env-file .env
- Map the Docker volume to the local storage (your home folder). For more details, refer to the Docker user documentation.
- Once you have mapped the Docker volume, KMS is ready to be run as a Docker container. To interactively communicate with KMS and run the various KMS commands, use the docker run command:
docker run -it --env-file .env -v $HOME:/root/.tatumrc tatumio/tatum-kms --help
docker run -it --env-file .env -v $HOME:/root/.tatumrc tatumio/tatum-kms generatemanagedwallet BTC
docker run -it --env-file .env -v $HOME:/root/.tatumrc tatumio/tatum-kms storemanagedprivatekey BTC
# NOTE: You can shorten the command syntax and use it as follows:
docker run ${COMMON_PARAMS} tatumio/tatum-kms generatemanagedwallet BTC
# where COMMON_PARAMS is exported beforehand and holds all the flags necessary for running the container.
Enabling the Four-eye Principle
- Set up an Application Server that holds the list of valid transactions to sign. This is usually your Production Environment.
- Add the external-url parameter and set it to your Application Server (the server holding the list of valid transactions to sign):
tatum-kms daemon --external-url=http://192.168.57.63
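The Docker section above leaves the shape of COMMON_PARAMS to the reader, and the daemon command here is just one more argument list passed to the same container. The wrapper below is an added example, not Tatum's own tooling: it assembles COMMON_PARAMS from the .env file and the state directory mapped to /root/.tatumrc, refuses to start when the .env file holding TATUM_API_KEY is readable by anyone but its owner, and with DRY_RUN=1 only prints the docker run command so it can be checked before anything is launched. The image name, mount point, command names and the external-url value are taken from the page; the function names, DRY_RUN switch and the sample .env contents are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the Tatum KMS project): a small wrapper around
# `docker run ${COMMON_PARAMS} tatumio/tatum-kms ...` that validates the
# secrets file before the container is started.
# DRY_RUN=1 prints the command instead of executing docker (assumed switch).

check_env_file() {
  # $1 = path to the .env file that must define TATUM_API_KEY
  [ -f "$1" ] || { echo "missing env file: $1" >&2; return 1; }
  grep -q '^TATUM_API_KEY=' "$1" || { echo "TATUM_API_KEY not set in $1" >&2; return 1; }
  # An API key file readable by group/others is a credential leak on a shared host.
  perms=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null || echo unknown)
  case "$perms" in
    600|400) return 0 ;;
    *) echo "refusing: $1 has mode $perms, expected 600 or 400" >&2; return 1 ;;
  esac
}

kms_common_params() {
  # $1 = env file, $2 = host directory mapped to the container's /root/.tatumrc
  printf '%s' "-it --env-file $1 -v $2:/root/.tatumrc"
}

run_kms() {
  # Usage: run_kms <envfile> <statedir> <kms command and arguments...>
  envfile=$1; statedir=$2; shift 2
  check_env_file "$envfile" || return 1
  [ -d "$statedir" ] || { echo "state dir missing: $statedir" >&2; return 1; }
  COMMON_PARAMS=$(kms_common_params "$envfile" "$statedir")
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "docker run $COMMON_PARAMS tatumio/tatum-kms $*"
  else
    # shellcheck disable=SC2086  # COMMON_PARAMS is intentionally word-split
    docker run $COMMON_PARAMS tatumio/tatum-kms "$@"
  fi
}

# Stand-alone demo on a constructed .env file in a temporary directory.
demo_dir=$(mktemp -d)
printf 'TATUM_API_KEY=XXXXX-YOUR-API-KEY\n' > "$demo_dir/.env"   # constructed sample
chmod 600 "$demo_dir/.env"
DRY_RUN=1 run_kms "$demo_dir/.env" "$demo_dir" generatemanagedwallet BTC
DRY_RUN=1 run_kms "$demo_dir/.env" "$demo_dir" daemon --external-url=http://192.168.57.63
```

Run it with DRY_RUN unset on a host that has Docker to actually start the container; the permission check is the part worth keeping even if the rest is replaced by a compose file, because the .env file is the only place the API key lives outside the container.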
Observations
- The Four-eye Principle is mandatory on Mainnet.
Good to know
- It is possible to store private keys locally or using an external service.
- After you generate and store the wallets you want to work with, enable daemon mode. Daemon mode periodically checks for pending transactions to sign.
- Every pending transaction has a signatureId. When a pending transaction matches a stored wallet, it is signed locally and sent to the blockchain. Your wallet data are stored only in memory.
KMS supports the four-eye control mechanism, where pending transactions are controlled both in Tatum and in the customer's system. By default, KMS checks for pending transactions every 5 seconds using the following REST API call.