# Tendermint KMS

### Using Tendermint KMS for BitNet Validator Security

**Tendermint KMS (Key Management System)** allows BitNet validators to **separate key management** from their core nodes. It improves validator security by protecting keys against compromise, reducing the risk of double-signing, and supporting **hardware security modules (HSMs)** such as **Ledger** or **YubiHSM**.

***

#### Benefits of Tendermint KMS

* Hardware or software-based **double-signing protection**
* Support for secure devices (e.g., Ledger, YubiHSM 2)
* Defense-in-depth through **physical separation** of the signing process
* Secure centralized key signing across multiple validators or BitNet zones

***

#### Prerequisites for Installing KMS

Install the following dependencies:

```bash
# Debian/Ubuntu
sudo apt install libusb-1.0-0-dev pkg-config build-essential

# RedHat/CentOS
sudo yum install libusb1-devel

# macOS
brew install libusb
```

Install **Rust**:

```bash
curl https://sh.rustup.rs -sSf | sh
```

***

#### Compiling Tendermint KMS from Source

Clone the repository and build the binary:

```bash
git clone https://github.com/iqlusioninc/tmkms && cd tmkms
cargo build --release --features=ledger
```

For YubiHSM support, replace `--features=ledger` with `--features=yubihsm`.

This creates the `tmkms` binary at:

```bash
./target/release/tmkms
```

***

#### KMS Configuration with Ledger Devices

Ledger requirements:

* Ledger Nano X or S
* Ledger Live installed
* Tendermint Validator App (Developer Mode)

Enable Developer Mode in Ledger Live and install the Tendermint App.

Create a config file:

```toml
# ~/.tmkms/tmkms.toml
[[validator]]
addr = "tcp://localhost:26658"
chain_id = "bitnet-mainnet"
reconnect = true
# Key created by `tmkms keygen` below; it authenticates the node <-> KMS connection
secret_key = "~/.tmkms/secret_connection.key"

# Ledger provider: tmkms names this table `ledgertm`
[[providers.ledgertm]]
chain_ids = ["bitnet-mainnet"]
```

Start the key manager:

```bash
tmkms keygen ~/.tmkms/secret_connection.key
tmkms start -c ~/.tmkms/tmkms.toml
```

{% hint style="info" %}
The validator key will appear in the logs (e.g. `bitnetvalconspub...`). Save this for the next step.
{% endhint %}

***

#### Connecting BitNet Node to KMS

Edit `config.toml` in your BitNet node to enable external key signing:

```toml
priv_validator_laddr = "tcp://127.0.0.1:26658"
```

Start your BitNet validator node:

```bash
bitnetd start
```

Once the node is running, the Ledger device prompts for confirmation before signing messages. After you confirm, the KMS handles the node's signature requests on its behalf.
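To make the double-signing protection above concrete, here is an added example (not tmkms code; the type and field names are invented for illustration) of the high-water-mark check a signer applies before releasing a signature: once a (height, round, step) has been signed for a chain, an equal or earlier request for different content is refused, while an identical retry is allowed.

```rust
use std::collections::HashMap;

/// Consensus steps in the order they occur within a round.
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum Step { Propose, Prevote, Precommit }

/// What the node asks the KMS to sign: (height, round, step) plus the block
/// hash the vote is for (None for a nil vote). Constructed for this example.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct SignRequest { pub height: u64, pub round: u32, pub step: Step, pub block_id: Option<[u8; 4]> }

impl SignRequest {
    fn hrs(&self) -> (u64, u32, Step) { (self.height, self.round, self.step) }
}

#[derive(Debug, PartialEq, Eq)]
pub enum Verdict { Sign, AlreadySigned, DoubleSign }

/// Last-signed high-water mark per chain id (e.g. "bitnet-mainnet"): the state a
/// KMS persists so that even a restarted signer cannot move backwards.
#[derive(Default)]
pub struct Watermark { last: HashMap<String, SignRequest> }

impl Watermark {
    pub fn check_and_record(&mut self, chain_id: &str, req: &SignRequest) -> Verdict {
        match self.last.get(chain_id) {
            // Same (height, round, step) and same block: a retried request, safe to re-sign.
            Some(last) if last.hrs() == req.hrs() && last.block_id == req.block_id => Verdict::AlreadySigned,
            // Same or earlier (height, round, step) with different content: refuse to sign.
            Some(last) if req.hrs() <= last.hrs() => Verdict::DoubleSign,
            // Strictly later: sign and advance the watermark.
            _ => { self.last.insert(chain_id.to_owned(), *req); Verdict::Sign }
        }
    }
}

fn main() {
    let mut wm = Watermark::default();
    let v1 = SignRequest { height: 100, round: 0, step: Step::Prevote, block_id: Some([0xAA; 4]) };
    let v2 = SignRequest { height: 100, round: 0, step: Step::Prevote, block_id: Some([0xBB; 4]) };
    println!("{:?}", wm.check_and_record("bitnet-mainnet", &v1)); // Sign
    println!("{:?}", wm.check_and_record("bitnet-mainnet", &v2)); // DoubleSign
}
```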

***

#### Final Note on KMS Security

* These instructions serve as a **starter guide**. For production, validators must fully evaluate the security implications of KMS usage.
* The **"TEST"** message on the Ledger device screen is shown only in pre-release firmware. It should **not** appear once the Tendermint app is officially published.


