KMS - Security Basics

General Best Practises

  • Ensure access to keys is restricted
  • Ensure the 4-eye principle is enabled (Mandatory in Mainnet)
  • Ensure KMS runs in Docker within a secure Cloud or on-premise environment, separate from the Application
  • Ensure regular withdrawals to Cold/Hardware Wallet and managed in local Database as a custodial solution
  • Enforce access policy to the KMS environment
  • Ensure backups and due diligence at handling "wallet.dat"
  • Set up access system to KMS via hardware devices. E.g., Yubikey
  • Create a monitoring and alert system for unusual activity
  • Create Reporting Systems for withdrawals and anomalies


The steps outlined in this article are general suggestions based on best practices. Additional security measures and verifications may apply depending on a specific use case or the legal requirements of the User's country.

By using KMS, it is assumed that you, the User, hold extensive blockchain knowledge and are an experienced developer.

  • Tatum does not store PrivateKeys and or Mnemonics.
  • KMS is a self-custodial solution. Tatum does not have access to the user's KMS, by design.
  • The wallet storage is encrypted with an AEC cipher and is stored on your local server. You must enter the password to unlock a wallet storage.
    • The password you, the User, set encrypts Mnemonics and PrivateKeys inside the file wallet storage.
    • The default wallet storage name is "wallet.dat".
  • Signing transactions with KMS largely prevents Tatum from troubleshooting failed transactions. Here's why:
    1. A transaction sent to KMS for signature and broadcast to the blockchain may be malformed, yet get a "successful" response from core-API or the SDK. Tatum does not store Payload logs, by design, from "successful" requests.
    2. KMS will sign the transaction and broadcast it to the blockchain.
    3. If the blockchain rejects the transaction, you will get an error back to your KMS coming from the blockchain.


      You, the User, will have to keep track of the original request log, including the payload, if you expect Tatum to help you troubleshoot potential reasons for your transaction(s) to fail.


Losing the file "wallet.dat" can be catastrophic. The responsibility for keeping the file "wallet.dat" secure rests solely with you, the User. If this file is lost or becomes irrecoverable, you will lose access to your Mnemonics and PrivateKeys. Tatum cannot help you.


If you lose your KMS password, you will lose access to your Mnemonics and PrivateKeys. Tatum cannot help you.