Overview
Hardware security modules ensure that private keys of the validator are not compromised even if a machine is hacked. We are highly encouraging all validators on Basechain to have one for starters. In future the chain may make it a requirement to have one to participate as a validator
Supported Devices
Right now we will only support devices that can do EDDSA encryption with the ED25519 algorithm. Currently we support the Yubico HSM2, an economically cheap device at around $500 that supports a wide array of encryption algorithms including those used for bitcoin/ethereum signing. Also we'll soon support other PKCS11 enabled devices that can do EDDSA encryption.
Configuring an HSM
In loom.yml you need to add the following section
HsmConfig:
HsmEnabled: true
HsmDevType: yubihsm
HsmConnUrl: "localhost:12345"
HsmAuthPassword: "password"
HsmAuthKeyId: 1
HsmSignKeyID: 0
Config options
- HsmEnabled
Must be set to true to enable signing with the HSM device, if set to false the other setting are ignored.
- HsmDevType:
Options - yubihsm, softhsm (coming soon), pkcs11 (coming soon)
- HsmConnUrl:
Http url for the yubicohsm, by default it listens to http://localhost:12345
- HsmAuthPassword:
Password for the HSM device. (previously HsmDevLogCred)
- HsmAuthKeyId:
ID number for authentication on the yubico hsm. This typically will be set to 1 as its the default AuthKeyId
- SignKeyDomain:
Yubico HSMs allow multiple domains for security, you can specify, otherwise it defaults to 1
- HsmSignKeyID:
ID number of the private key on the HSM, we suggest to create this in advance. If you set this value to zero, Loom SDK will attempt to create a new private key on the HSM itself.
Setting up the Yubico HSM
- Download yubico drivers, utils
https://developers.yubico.com/YubiHSM2/Releases/ We require version 1.04 or greater.
- Install the yubico drivers
dpkg -i *.deb
- Run the yubico connector
yubihsm-connector -d
- Create your first private key
yubihsm-shell
connect
keepalive 25
session open 1 password
generate asymmetric 0 100 label_eddsa_sign 1,2,3 export_under_wrap,asymmetric_sign_eddsa ed25519
session close 0
quit
You should now have a key at with ID 100. Please set HsmSignKeyId to 100 in your loom.yml
Using HSM for signing transactions like Register Canidate
- Find out your PrivateKeyId and base64 public key
cat chaindata/config/priv_validator.json
get key_id and pub_key/value
- Create hsm.json
hsm.json
{
"YubiHsmConnURL":"localhost:12345",
"AuthKeyID":1,
"Password":"password",
"PrivKeyID":999999
}
put your key id into the privKeyID field
- ./loom call register_candidateV2 PUBLIC_KEY_IN_BASE64 10 --hsmconfig hsm.json -r http://dposv2.dappchains.com:80/query -w http://dposv2.dappchains.com:80/rpc --chain dposv2
swap PUBLIC_KEY_IN_BASE64 for the one in the priv_validator