# TMKMS

<figure><img src="https://2850165036-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FaJyfwvlEgVMyUPbcpkk6%2Fuploads%2FX6djzg8Uwsm6Oujxo71P%2FTmkms.png?alt=media&#x26;token=9691c265-78e5-4498-b2d6-d0a481e067fe" alt=""><figcaption></figcaption></figure>

#### The Tendermint Key Management System (or TMKMS) should be used by any validator currently or intending to be in the active validator set. This application mitigates the risk of double-signing and provides high-availability to validator keys while keeping these keys on a separate physical host. While TMKMS can be used on the same machine as the validator, it is recommended to be on a separate host.

[DOCS](https://docs.osmosis.zone/osmosis-core/keys/tmkms/)

[GitHub](https://github.com/iqlusioninc/tmkms/tree/main)

### Let's look at an example - `Canto`

### Create new user (from root)

```bash
adduser tmkms
usermod -aG sudo tmkms
su tmkms
cd $HOME
```

### Install RUST

```bash
curl --proto '=https' --tlsv1.3 -sSf https://sh.rustup.rs | sh
source $HOME/.cargo/env
#Install GCC
sudo apt update & sudo apt install build-essential curl jq  --yes
```

### Compile and sort TMKMS binaries

```bash
cd $HOME
cargo install tmkms --features=softsign
sudo mv $HOME/.cargo/bin/tmkms /usr/local/bin/
```

### Create and Init TKMS working directory

```bash
mkdir -p $HOME/tmkms/canto
tmkms init $HOME/tmkms/canto
```

### Import Private key

* Upload your validator `priv_validator_key.json` to directory `/home/tmkms/priv_validator_key.json`

#### Then check availablity

```bash
cat $HOME/priv_validator_key.json
```

### If right output is appeared, follow next step below

```python
tmkms softsign import $HOME/priv_validator_key.json $HOME/tmkms/canto/secrets/canto-consensus.key
```

#### Now we can erase copy of original file

```bash
sudo shred -uvz $HOME/priv_validator_key.json
```

* Swap `tmkms.toml` to the one below. The only `"addr ="` field edit need to be done, replace it with your validator node `IP + port(26658 default)`

```python
rm -rf ~/tmkms/canto/tmkms.toml
tee ~/tmkms/canto/tmkms.toml << EOF
#Tendermint KMS configuration file
[[chain]]
id = "canto_7700-1"
key_format = { type = "bech32", account_key_prefix = "cantopub", consensus_key_prefix = "cantovalcons" }
state_file = "$HOME/tmkms/canto/state/canto_7700-1_priv_validator_state.json"
sign_extensions = true
#Software-based Signer Configuration
[[providers.softsign]]
chain_ids = ["canto_7700-1"]
key_type = "consensus"
path = "$HOME/tmkms/canto/secrets/canto-consensus.key"
#Validator Configuration
[[validator]]
chain_id = "canto_7700-1"
addr = "tcp://60.19.92.21:10218" #Set here IP and port of the canto node U will be using for signing blocks (port can be custom)   
secret_key = "$HOME/tmkms/canto/secrets/kms-identity.key"
protocol_version = "v0.34"
reconnect = true
EOF
```

#### Create service file and run TMKMS

```bash
sudo tee /etc/systemd/system/tmkmsd-canto.service << EOF
[Unit]
Description=TMKMS-canto
After=network.target
StartLimitIntervalSec=0
[Service]
Type=simple
Restart=always
RestartSec=10
User=$USER
ExecStart=$(which tmkms) start -c $HOME/tmkms/canto/tmkms.toml
LimitNOFILE=1024
[Install]
WantedBy=multi-user.target
EOF
```

### Start

```bash
sudo systemctl daemon-reload
sudo systemctl enable tmkmsd-canto.service
sudo systemctl restart tmkmsd-canto.service
sudo systemctl status tmkmsd-canto.service
sudo journalctl -fu tmkmsd-canto.service -o cat
```

* \#ERROR `tmkms::client: [canto_7700-1@tcp://91.19.90.20:21218] I/O error: Connection refused (os error 111)`

### Its NORMAL

![error](https://github.com/111STAVR111/TMKMS/assets/77785195/1c39f6de-0fa7-48a5-b2c8-af7da0397935)

* LAST STEPS. Activate signing from `canto node` side
* Find field `priv_validator_laddr = ""` at dir `$HOME/.cantod/config/config.toml` and edit to your Validator `IP + port`
* Example : `priv_validator_laddr = "tcp://0.0.0.0:26658"` (Line 68 +-)

<details>

<summary>Make sure your firewall open only for KMS server IP to allow connect to port 26658 (or any custom port u set)</summary>

```python
apt install ufw
ufw allow 22
ufw allow 80
ufw allow 443
ufw deny 26658
ufw allow from <ip tmkms server>
ufw enable
ufw status
```

</details>

#### Restarting the Validator Node

```bash
sudo systemctl restart cantod && sudo journalctl -fu cantod -o cat
```

### Make sure that the logs are good

![Good](https://github.com/111STAVR111/TMKMS/assets/77785195/d0fe10a7-8db0-473f-926e-188aa9ef7137)

* delete `priv_validator_key.json` from the validator node and restart again. Everything should work

### Helpful commands

`su tmkms && cd`

### Logs

`sudo journalctl -fu tmkmsd-canto -o cat`

#### Restart

`sudo systemctl restart tmkmsd-canto && sudo journalctl -fu tmkmsd-canto -o cat`