Download and Install KMS

Download KMS


We recommend that you run KMS from the Docker image regardless of the operating system used.


Tatum KMS should be installed in the Deny-From-All environment to meet the highest security standards.

Install KMS

From npm

  1. Install KMS globally:
    npm i -g @tatumio/tatum-kms
    yarn global add @tatumio/tatum-kms
  2. Use .env file to configure Tatum KMS
    1. via --env-file=/path/to/.env
       tatum-kms --env-file=/path/to/.env getaddress 11111111-1111-1111-1111-111111111111 0
    2. via environment variables directly
      TATUM_API_KEY=XXXXX-YOUR-API-KEY tatum-kms --help
    3. via predefined environment vars on global level
      tatum-kms --help


      IMPORTANT! NodeJS >=14 and npm@6 are required. KMS does not work on npm@7.

From Docker

  1. Pull the tatum-kms image:
    docker pull tatumio/tatum-kms
  2. Navigate to the home directory:
    cd $HOME
  3. Use pre-created .env file to configure Tatum KMS via --env-file .env
  4. Map the Docker volume to the local storage (your home folder).
    1. For more details, refer to the Docker user documentation.
    2. Once you have mapped the Docker volume, KMS is ready to be run as a Docker container.

To interactively communicate with KMS and run various KMS commands, use the docker run command:

docker run -it --env-file .env -v $HOME:/root/.tatumrc tatumio/tatum-kms --help
docker run -it --env-file .env -v $HOME:/root/.tatumrc tatumio/tatum-kms generatemanagedwallet BTC
docker run -it --env-file .env -v $HOME:/root/.tatumrc tatumio/tatum-kms storemanagedprivatekey BTC

//NOTE: You can shorten the command syntax and use it as follows:
docker run ${COMMON_PARAMS} tatumio/tatum-kms generatemanagedwallet BTC
//where COMMON_PARAMS can be exported as all the flags necessary for running the container.

Good to know

  1. It is possible to store private keys locally or using an external service:
    1. Azure Key Vault
    2. VGS
    3. AWS Secrets Management
  2. After you generate and store the wallets you want to work with, enable daemon mode. Daemon mode periodically checks for pending transactions to sign.
  3. Every pending transaction has a signatureId. When a pending transaction matches a stored wallet, it is signed locally and sent to the blockchain. Your wallet data are stored only in memory.


KMS supports the 4 eye control mechanism, where pending transactions are controlled in Tatum and the customer system. By default, KMS checks for the pending transactions every 5 seconds using the following REST API call.