Overview
Hardware security modules ensure that a validator's private keys are not compromised even if the machine itself is hacked. We strongly encourage all validators on Basechain to use one from the start. In the future, we may require the use of an HSM to participate as a validator.
Supported Devices
Right now we only support devices that can produce EdDSA signatures with the Ed25519 algorithm. Currently we support the Yubico YubiHSM 2, a relatively inexpensive device at around $500. It supports a wide array of cryptographic algorithms, including those used for Bitcoin/Ethereum signing. We will soon support other PKCS#11-enabled devices that can do EdDSA signing.
Configuring an HSM
In loom.yml you need to add the following section:

```yaml
HsmConfig:
  HsmEnabled: true
  HsmDevType: yubihsm
  HsmConnUrl: "localhost:12345"
  HsmAuthPassword: "password"
  HsmAuthKeyId: 1
  HsmSignKeyID: 0
```
Config options
- HsmEnabled: Must be set to true to enable signing with the HSM device. If set to false, the other settings are ignored.
- HsmDevType: Options are yubihsm, softhsm (coming soon), and pkcs11 (coming soon).
- HsmConnUrl: HTTP URL of the YubiHSM connector. By default it listens on http://localhost:12345.
- HsmAuthPassword: Password for the HSM device (previously HsmDevLogCred).
- HsmAuthKeyId: The ID number of the authentication key on the YubiHSM. This will typically be 1, since that is the default AuthKeyId.
- SignKeyDomain: Yubico HSMs let you assign keys to one or more domains to keep them separated; if unset, this defaults to 1.
- HsmSignKeyID: The ID number of the private key on the HSM. We suggest creating this in advance. If you set this value to zero, Loom SDK will attempt to create a new private key on the HSM itself.
Setting up the Yubico HSM
- Download the Yubico drivers and utilities from https://developers.yubico.com/YubiHSM2/Releases/. We require version 1.04 or greater.
- Install the Yubico drivers:

```bash
dpkg -i *.deb
```

- Run the Yubico connector:

```bash
yubihsm-connector -d
```

- Create your first private key in yubihsm-shell:

```
yubihsm-shell
connect
keepalive 25
session open 1 password
generate asymmetric 0 100 label_eddsa_sign 1,2,3 export_under_wrap,asymmetric_sign_eddsa ed25519
session close 0
quit
```

The generate line creates an ed25519 key with ID 100 in domains 1,2,3 with the asymmetric_sign_eddsa capability. You should now have a key with ID 100. Set HsmSignKeyId to 100 in your loom.yml.
Using the HSM to sign transactions such as Register Candidate
- Find your private key ID and base64 public key:

```bash
cat chaindata/config/priv_validator.json
```

Note the key_id and the pub_key/value fields.
- Create an hsm.json file:

```json
{
  "YubiHsmConnURL": "localhost:12345",
  "AuthKeyID": 1,
  "Password": "password",
  "PrivKeyID": 999999
}
```

Put your key_id into the PrivKeyID field.
- Run the following:

```bash
./loom call register_candidateV2 PUBLIC_KEY_IN_BASE64 10 --hsmconfig hsm.json -r http://dposv2.dappchains.com:80/query -w http://dposv2.dappchains.com:80/rpc --chain dposv2
```

Replace PUBLIC_KEY_IN_BASE64 with the pub_key/value from priv_validator.json.
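The three steps above chain one file into the next: key_id and pub_key/value from priv_validator.json feed PrivKeyID in hsm.json and the public key argument of the register_candidateV2 call. As an added example (not the Loom SDK's own tooling), the script below does that chaining and rejects a public key that does not decode to the 32 bytes an Ed25519 key must have. The priv_validator.json contents are constructed samples; the hsm.json keys, field names and command line are taken from the docs, and the positional "10" is reproduced as shown because the docs do not explain it.

```python
"""Derive hsm.json and the register_candidateV2 command from priv_validator.json.

Added example; not part of the Loom SDK. The priv_validator.json content below
is a constructed sample whose public key is an arbitrary 32-byte value, not a
real validator key. The field names (key_id, pub_key.value), the hsm.json keys
and the command line follow the docs; everything else is this example's choice.
"""
import base64
import json

# Constructed sample priv_validator.json (the public key is bytes 0..31).
SAMPLE_PRIV_VALIDATOR = json.dumps({
    "key_id": 100,
    "pub_key": {
        "type": "ed25519",
        "value": base64.b64encode(bytes(range(32))).decode(),
    },
})

# Constructed sample with a wrong-sized key, to show the size check firing.
SAMPLE_BAD_PRIV_VALIDATOR = json.dumps({
    "key_id": 5,
    "pub_key": {"type": "ed25519", "value": base64.b64encode(b"\x00" * 16).decode()},
})

DPOS_QUERY_URL = "http://dposv2.dappchains.com:80/query"
DPOS_RPC_URL = "http://dposv2.dappchains.com:80/rpc"


def read_validator_identity(priv_validator_text):
    """Return (key_id, base64 public key) from priv_validator.json.

    Rejects a key that does not decode to the 32 bytes an Ed25519 public key
    must have, which catches a value pasted from the wrong file.
    """
    doc = json.loads(priv_validator_text)
    key_id = int(doc["key_id"])
    pub_b64 = doc["pub_key"]["value"]
    raw = base64.b64decode(pub_b64, validate=True)
    if len(raw) != 32:
        raise ValueError(f"public key is {len(raw)} bytes, expected 32 for Ed25519")
    return key_id, pub_b64


def build_hsm_config(key_id, password, conn_url="localhost:12345", auth_key_id=1):
    """Return the hsm.json document as a dict, with PrivKeyID filled from key_id."""
    return {
        "YubiHsmConnURL": conn_url,
        "AuthKeyID": auth_key_id,
        "Password": password,
        "PrivKeyID": key_id,
    }


def register_candidate_argv(pub_b64, hsm_path="hsm.json", chain="dposv2"):
    """Return argv for the `loom call register_candidateV2` command from the docs.

    The positional "10" is kept exactly as the docs show it; they do not say
    what it denotes, so it is not parameterised here.
    """
    return [
        "./loom", "call", "register_candidateV2", pub_b64, "10",
        "--hsmconfig", hsm_path,
        "-r", DPOS_QUERY_URL,
        "-w", DPOS_RPC_URL,
        "--chain", chain,
    ]


if __name__ == "__main__":
    key_id, pub_b64 = read_validator_identity(SAMPLE_PRIV_VALIDATOR)
    with open("hsm.json", "w") as fh:
        json.dump(build_hsm_config(key_id, "password"), fh, indent=2)
    print(" ".join(register_candidate_argv(pub_b64)))
```

To use it on a real node, replace SAMPLE_PRIV_VALIDATOR with the contents of chaindata/config/priv_validator.json and pass the real HSM password to build_hsm_config; the argv list can be handed to subprocess.run as-is, which avoids shell quoting issues with the base64 key.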