Links

Use KMS to Store Private Keys and Sign Transactions on Bitcoin

Generate wallets, private keys, blockchain addresses, and sign transactions locally
In this guide, you will learn how to generate wallets, private keys, blockchain addresses, and sign transactions locally using Tatum Key Management System (KMS).
This guide shows how to start using KMS on Bitcoin and similar blockchains.
KMS works on any supported blockchain - and the process is even easier on some.

Process overview and prerequisites

Before you start, we recommend that your review the following sections:
You will work on the Bitcoin testnet.
With KMS installed, you will go through the following steps:
  1. 1.
    Generate a managed wallet.
  2. 2.
    Create a private key.
  3. 3.
    Generate an address.
  4. 4.
    Store the private key to your wallet.
  5. 5.
    Send some test BTC to your new address.
  6. 6.
    Enable daemon mode.
  7. 7.
    Initiate a transaction and let KMS sign it.
  8. 8.
    Get transaction details.

Step 1 - Generate a managed wallet

To generate a wallet that is managed by the KMS, use the generatemanagedwallet command in CLI mode.
Request
1
tatum-kms --path=wallet.dat --testnet generatemanagedwallet BTC
2
​
3
Enter password to access wallet storage:*****
When you first use KMS, you will be prompted to enter a password to encrypt your data. This password is created the first time you enter it, and you should store it in a safe place.
The wallet storage is encrypted with an AEC cipher and is stored on your local server. The password you provide is used to encrypt the mnemonics and private keys inside. If you lose your password, you will lose access to your mnemonics.
Response
The response contains your wallet mnemonic's signature ID as the first parameter:
1
{
2
"xxx-59be-4792-81c5-yyy": {
3
"mnemonic": "urge pulp usage sister evidence arrest palm math please chief egg abuse",
4
"xpub": "tpubBCDEF"
5
}
6
}

Step 2 - Create a private key

In this step, you will generate a private key for your wallet locally.
Private keys are used to authorize transfers of funds from blockchain addresses. Use the getprivatekey command to generate a private key:
Request
1
tatum-kms --path=wallet.dat --testnet getprivatekey xxx-59be-4792–81c5-yyy 0
The required parameters are:
  • Your wallet mnemonic's signature ID Signature ID is the first parameter in the Response from Step 1 - Generate a managed wallet.
  • The derivation index of the private key you are generating A derivation index can be any value but it must be unique to the wallet you are generating.
    You can start at “0” (as in the example above) and work chronologically.
Response
The response is the private key of the derivation index that you have specified:
1
{
2
"privateKey": "XXXNAV3tX3vWPG4uThixuqdYYY"
3
}

Step 3 - Generate an address

In this step, you will create an address for the private key that you just generated. You can receive funds to the address and use the private key to send them from the address.
Use the getaddress **** command to generate an address for the same derivation index (0) that you specified in Step 2 - Create a private key:
Request
1
tatum-kms --path=wallet.dat --testnet getaddress xxx-59be-4792–81c5-yyy 0
The parameters required are:
  • Your wallet mnemonic's signature ID
  • The derivation index of the address you are generating — the same derivation index that you specified in Step 2 - Create a private key.
The response will contain the address you have just generated:
1
{
2
"address": "AAAA3JPvMuwgpKovMTjBBB"
3
}

Step 4 - Store the private key to your wallet

You will now store the private key that you have just generated to the wallet using the storemanagedprivatekey command:
Request
1
tatum-kms --path=wallet.dat --testnet storemanagedprivatekey BTC
When prompted, enter the private key and the password that you created earlier in this guide:
Enter password + private key
1
Enter private key to store:XXXNAV3tX3vWPG4uThixuqdYYY
2
​
3
Enter password to access wallet store:******
Response
The response will contain the signature ID of the private key, which you can then use to sign transactions.
1
{
2
"signatureId": "QQQ-4b41-4ec9-b66c-WWW"
3
}
You can now export the wallet and review it. Enter the following to export:
Request
1
tatum-kms --path=wallet.dat --testnet export
When prompted, enter your password.
Response
The response will give you details about your wallet:
1
{
2
"QQQ-4b41-4ec9-b66c-WWW": {
3
"privateKey": "XXXNAV3tX3vWPG4uThixuqdYYY",
4
"chain": "BTC",
5
"testnet": true
6
},
7
"xxx-59be-4792-81c5-yyy": {
8
"mnemonic": "urge pulp usage sister evidence arrest palm math please chief egg abuse",
9
"xpub": "tpubBCDEF",
10
"chain": "BTC",
11
"testnet": true
12
}
13
}

Step 5 - Send test BTC to your new address

Use a Bitcoin testnet faucet to send some test BTC to your address. You can use any faucet (mobile example).
Send the test BTC to the Bitcoin address that you generated in Step 3 - Generate an address (AAAA3JPvMuwgpKovMTjBBB).

Step 6 - Enable daemon mode

Daemon mode is essentially KMS running in the background and listening for pending transactions to sign and broadcast them.
  • Transactions are identified by your API key.
  • You can filter transactions by blockchain.
To enable daemon mode, enter the following code on your local server:
1
tatum-kms daemon --path=wallet.dat --testnet --chain=BTC --api-key=your-testnet-api-key --period=10
You must enter the password to unlock the wallet storage. The password is required whenever you start the daemon or restart the daemon after it stopped.
By default, Tatum KMS checks for the pending transactions every 5 seconds using this API call. One API call consumes 1 credit from your monthly credit allowance.
You can change the frequency of the check using the period parameter.

Step 7 - Initiate a transaction and let KMS sign it

You can now send bitcoin from your address to any other address.
To do so, send a bitcoin transaction API request to Tatum.
Request (cURL)
Instead of a privateKey, enter a signatureId field that contains your signature ID from Step 4 - Store the private key to your wallet:
1
curl --location --request POST 'https://api.tatum.io/v3/bitcoin/transaction' \
2
--header 'x-api-key: your-tesnet-api-key-from-tatum' \
3
--header 'Content-Type: application/json' \
4
--data-raw '{
5
"fromAddress": [
6
{
7
"address": "AAAA3JPvMuwgpKovMTjBBB", -> FROM STEP 3
8
"signatureId": "QQQ-4b41-4ec9-b66c-WWW" -> FROM STEP 4
9
}
10
],
11
"to": [
12
{
13
"address": "testnet-bitcoin-address",
14
"value": 0.00001 -> AMOUNT OF BTC TO SEND
15
},
16
{
17
"address": "AAAA3JPvMuwgpKovMTjBBB",
18
"value": 0.00007 -> AMOUNT OF BTC TO CHANGE
19
}
20
]
21
}'
As you can see, there was no private key or mnemonic anywhere in the request, nor was any other sensitive information required.
KMS now detects a new pending transaction, signs it locally and sends the transaction to the blockchain.
KMS must also mark the transaction as processed so that it will not be sent to the blockchain again
Response
When KMS picks up the pending transaction, it will output something like the following sample:
1
Processing pending transaction - {
2
"withdrawalId": null,
3
"chain": "BTC",
4
"serializedTransaction": "{\"hash\":\"81e62bdfbfc7bcb66c2a2f17335d033fd98b84c1188a7bb379a2dce9f1cda989\",\"version\":2,\"inputs\":[{\"prevTxId\":\"121702fd7acd1b2cca6bd19658009140730ba26ca67cd222c00f952a111e11f4\",\"outputIndex\":0,\"sequenceNumber\":4294967295,\"script\":\"\",\"scriptString\":\"\",\"output\":{\"satoshis\":2000,\"script\":\"76a914c8e668ee829837a2355c1e234a41f53f86b8156c88ac\"}}],\"outputs\":[{\"satoshis\":1000,\"script\":\"001487c70889f0a1d2f632d216a01472dde71f062aa7\"}],\"nLockTime\":0}",
5
"hashes": [
6
"b8eb99cd-ba04-4031-a65f-11d6420ebdd1"
7
],
8
"index": null,
9
"withdrawalResponses": null,
10
"id": "61fe7c68cf2fbc595cbb89dd"
11
}.

Step 8 - Get transaction details

Using the KMS transaction ID from the id field of the response to the previous request (61fe7c68cf2fbc595cbb89dd in the example above), you can now use the Get transaction details endpoint to acquire the details of the transaction you have just performed.
Request
1
curl --request GET
2
--url https://api.tatum.io/v3/kms/61fe7c68cf2fbc595cbb89dd
3
--header 'x-api-key: your-testnet-api-key-from-tatum'
Response
The response will contain the details of your transaction:
1
{
2
"withdrawalId": null,
3
"chain": "BTC",
4
"serializedTransaction": "{\"hash\":\"81e62bdfbfc7bcb66c2a2f17335d033fd98b84c1188a7bb379a2dce9f1cda989\",\"version\":2,\"inputs\":[{\"prevTxId\":\"121702fd7acd1b2cca6bd19658009140730ba26ca67cd222c00f952a111e11f4\",\"outputIndex\":0,\"sequenceNumber\":4294967295,\"script\":\"\",\"scriptString\":\"\",\"output\":{\"satoshis\":2000,\"script\":\"76a914c8e668ee829837a2355c1e234a41f53f86b8156c88ac\"}}],\"outputs\":[{\"satoshis\":1000,\"script\":\"001487c70889f0a1d2f632d216a01472dde71f062aa7\"}],\"nLockTime\":0}",
5
"hashes": [
6
"b8eb99cd-ba04-4031-a65f-11d6420ebdd1"
7
],
8
"index": null,
9
"withdrawalResponses": null,
10
"txId": "f7572ef070d381612b7594940cc73ec008e796b37a73ff031f3855d2a23c9ade",
11
"id": "61fe7c68cf2fbc595cbb89dd"
The response contains a Bitcoin transaction ID in the txId field (f7572ef070d381612b7594940cc73ec008e796b37a73ff031f3855d2a23c9ade in the example above), which you can use to view the blockchain transaction in any Bitcoin blockchain explorer.