KMS Security Basics

General Best Practises

  • Ensure access to keys is restricted
  • Ensure the 4-eye principle is enabled (Mandatory in Mainnet)
  • Ensure KMS runs in Docker within a secure Cloud or on-premise environment, separate from the Application
  • Ensure regular withdrawals to Cold/Hardware Wallet and managed in local Database as a custodial solution
  • Enforce access policy to the KMS environment
  • Ensure backups and due diligence at handling "wallet.dat"
  • Set up access system to KMS via hardware devices. E.g., Yubikey
  • Create a monitoring and alert system for unusual activity
  • Create Reporting Systems for withdrawals and anomalies

Disclaimer

The steps outlined in this article are general suggestions based on best practices. Additional security measures and verifications may apply depending on a specific use case or the legal requirements of the User's country.

By using KMS, it is assumed that you, the User, hold extensive blockchain knowledge and are an experienced developer.

  • Tatum does not store PrivateKeys and or Mnemonics.
  • KMS is a self-custodial solution. Tatum does not have access to the user's KMS, by design.
  • The wallet storage is encrypted with an AEC cipher and is stored on your local server. You must enter the password to unlock a wallet storage.
    • The password you, the User, set encrypts Mnemonics and PrivateKeys inside the file wallet storage.
    • The default wallet storage name is "wallet.dat".
  • Signing transactions with KMS largely prevents Tatum from troubleshooting failed transactions. Here's why:
    1. A transaction sent to KMS for signature and broadcast to the blockchain may be malformed, yet get a "successful" response from core-API or the SDK. Tatum does not store Payload logs, by design, from "successful" requests.
    2. KMS will sign the transaction and broadcast it to the blockchain.
    3. If the blockchain rejects the transaction, you will get an error back to your KMS coming from the blockchain.

      🚧

      Attention

      You, the User, will have to keep track of the original request log, including the payload, if you expect Tatum to help you troubleshoot potential reasons for your transaction(s) to fail.

Important Information

  1. If you lose your KMS password, you will lose access to the Mnemonics and PrivateKeys stored in wallet.dat
  2. If wallet.dat is lost or becomes irrecoverable, you will lose access to your Mnemonics and PrivateKeys.
  3. The responsibility for keeping the file wallet.datsecure and accessible rests solely with you, the User.

❗️

Warning

Contacting Tatum Staff over issues to recover the password or wallet.datwon't provide a positive outcome. Tatum cannot help you.