Hardware Security Modules - HSM

Overview

Hardware security modules ensure that private keys of the validator are not compromised even if a machine is hacked. We are highly encouraging all validators on Basechain to have one for starters. In future the chain may make it a requirement to have one to participate as a validator

Supported Devices

Right now we will only support devices that can do EDDSA encryption with the ED25519 algorithm. Currently we support the Yubico HSM2, an economically cheap device at around $500 that supports a wide array of encryption algorithms including those used for bitcoin/ethereum signing. Also we'll soon support other PKCS11 enabled devices that can do EDDSA encryption.

Configuring an HSM

In loom.yml you need to add the following section

HsmConfig:
  HsmEnabled: true
  HsmDevType: yubihsm
  HsmConnUrl: "localhost:12345"
  HsmAuthPassword: "password"
  HsmAuthKeyId: 1
  HsmSignKeyID: 0

Config options

HsmEnabled

Must be set to true to enable signing with the HSM device, if set to false the other setting are ignored.

HsmDevType:

Options - yubihsm, softhsm (coming soon), pkcs11 (coming soon)

HsmConnUrl:

Http url for the yubicohsm, by default it listens to http://localhost:12345

HsmAuthPassword:

Password for the HSM device. (previously HsmDevLogCred)

HsmAuthKeyId:

ID number for authentication on the yubico hsm. This typically will be set to 1 as its the default AuthKeyId

SignKeyDomain:

Yubico HSMs allow multiple domains for security, you can specify, otherwise it defaults to 1

HsmSignKeyID:

ID number of the private key on the HSM, we suggest to create this in advance. If you set this value to zero, Loom SDK will attempt to create a new private key on the HSM itself.

Setting up the Yubico HSM

Download yubico drivers, utils

https://developers.yubico.com/YubiHSM2/Releases/ We require version 1.04 or greater.

Install the yubico drivers

dpkg -i *.deb

Run the yubico connector

yubihsm-connector -d

Create your first private key

yubihsm-shell
connect
keepalive 25
session open 1 password
generate asymmetric 0 100 label_eddsa_sign 1,2,3 export_under_wrap,asymmetric_sign_eddsa ed25519
session close 0
quit

You should now have a key at with ID 100. Please set HsmSignKeyId to 100 in your loom.yml

Using HSM for signing transactions like Register Canidate

Find out your PrivateKeyId and base64 public key

cat chaindata/config/priv_validator.json

get key_id and pub_key/value

Create hsm.json

hsm.json
{
    "YubiHsmConnURL":"localhost:12345",
    "AuthKeyID":1,
    "Password":"password",
    "PrivKeyID":999999 
}

put your key id into the privKeyID field

./loom call register_candidateV2 PUBLIC_KEY_IN_BASE64 10 --hsmconfig hsm.json -r http://dposv2.dappchains.com:80/query -w http://dposv2.dappchains.com:80/rpc --chain dposv2

swap PUBLIC_KEY_IN_BASE64 for the one in the priv_validator

JSON RPC方法 DApp Metrics Website Info

# Overview

# Supported Devices

# Configuring an HSM

# Config options