Blockchain Development Security: Using a Key Management System

Cryptographic keys are an essential component of any security system. They underpin user authentication, data encryption and decryption, and digital signatures. A single compromised key can undermine an organization’s whole security posture, since an attacker who holds it can decrypt whatever it protects or impersonate its owner. Careful handling of keys, and of the components that generate, store and use them, is therefore essential to protecting sensitive data.

Cryptographic keys are central to blockchain development and security because they are what allow transactions to be authorised and recorded on the chain. For a transaction to be valid, it must carry a digital signature that verifies under the public key corresponding to the sender’s address. That signature is produced with a cryptographic key pair consisting of a private key and a public key: the owner keeps the private key secret and uses it to sign transactions, while the public key is shared with everyone and is used to verify the signature.

What is a Key Management System? 

A Key Management System (KMS) is a systematic process, together with the hardware or software that implements it, for creating, distributing and managing cryptographic keys. A KMS should protect the organization’s keys from disclosure and unauthorized use. To do this it must provide secure storage for keys, as well as a key distribution mechanism that is both secure and efficient.

A robust key management system should be tamper-evident: an attacker must not be able to modify or delete keys without the change being detected. It should also be highly available, so that if one component of the system is down the others continue to function. Finally, a good key management system should be scalable, so that it can handle the growing number of keys and transactions as use of the blockchain grows.

There are a few different approaches to key management for the blockchain, each with its own advantages and disadvantages. One popular approach is to use a hardware security module (HSM) to generate and store keys. HSMs are purpose-built devices that are designed to be tamper-resistant and highly available. They can also be quite expensive, however, and can be difficult to scale.

Another approach is to use a software-based key management system. This has the advantage of being less expensive and more flexible than using an HSM. In this article, let’s look at one such option by Tatum.

What is Tatum KMS?

Tatum’s Key Management System, or Tatum KMS, is a software-based, open-source key management system designed to be easy to use, scalable, and tamper-resistant. It uses hierarchical deterministic (HD) key generation: every key is derived from a single seed, represented to the user as a mnemonic phrase. An unlimited number of keys can therefore be produced from one seed, which is what makes it scale well.

Tatum KMS also supports a multi-signature arrangement, in which signing authority is divided so that no single secret is enough to sign a transaction: either several independent keys must each sign (multi-signature proper), or one key is split into shares that must be recombined before signing (secret sharing). In both cases an attacker would need every part, so stealing one key is not sufficient.

The software is designed to be easy to install and use and is driven from a command-line interface, as shown below. It can be deployed on-premises or in the cloud, and it integrates with other Tatum products such as the Tatum API.

Using Tatum KMS

Generate a wallet

To create a wallet managed by the KMS, use the generatemanagedwallet command in CLI mode.

tatum-kms --path=wallet.dat --testnet generatemanagedwallet BTC
Enter password to access wallet storage: *****

The first time you use KMS you will be asked for a password; it encrypts the wallet storage file (wallet.dat here). That first entry sets the password, so keep it safe: without it the stored keys cannot be recovered.

The response contains the signature ID of your wallet mnemonic as its first field.

Create a private key

Next, create a private key for your wallet locally. Private keys authorise transfers of funds out of blockchain addresses. To create one, use the getprivatekey command.

A private key is like the key to your front door: it is what lets you move cryptocurrency out of a wallet and proves ownership of any funds held inside.

tatum-kms --path=wallet.dat --testnet getprivatekey xxx-59be-4792-81c5-yyy 0

The required parameters are:

  • Your wallet mnemonic’s signature ID
  • The derivation index of the key (0 above)

The response is the private key at the derivation index you specified.

Generate an address

Next, derive an address for the newly generated private key. Once funds have been received at the address, they can be spent with that private key.

tatum-kms --path=wallet.dat --testnet getaddress xxx-59be-4792-81c5-yyy 0

The parameters required are:

  • Your wallet mnemonic’s signature ID
  • The derivation index of the address 

The response will contain the address you have just generated.

Store the private key to your wallet

Use the storemanagedprivatekey command to store the newly created private key in the wallet.

tatum-kms --path=wallet.dat --testnet storemanagedprivatekey BTC

Enter the private key and the password you created earlier when prompted.

The response will contain the signature ID of the private key, which you can then use to sign transactions.

Export the wallet

The wallet can now be reviewed and exported. To export, enter the following:

tatum-kms --path=wallet.dat --testnet export

The response will give you details about your wallet.

Initiate the transaction

Now you can send bitcoin from your address to any other address. To do this, send a request to Tatum’s bitcoin transaction API. Instead of supplying a privateKey field, provide the signatureId of the stored private key; the key itself never leaves the KMS.

curl --location --request POST 'https://api-eu1.tatum.io/v3/bitcoin/transaction' \
--header 'x-api-key: your-testnet-api-key-from-tatum' \
--header 'Content-Type: application/json' \
--data-raw '{
  "fromAddress": [{
    "address": "AAAA3JPvMuwgpKovMTjBBB",
    "signatureId": "QQQ-4b41-4ec9-b66c-WWW"
  }],
  "to": [
    { "address": "testnet-bitcoin-address", "value": 0.00001 },
    { "address": "AAAA3JPvMuwgpKovMTjBBB", "value": 0.00007 }
  ]
}'

The fields are:

  • fromAddress.address: the address you generated in step 3
  • fromAddress.signatureId: the signature ID of the stored private key from step 4
  • the first to entry: the recipient and the amount of BTC to send
  • the second to entry: the change, sent back to your own address

Bitcoin has no implicit change output: whatever part of the inputs is not listed under to is paid to miners as the fee, so omitting the change entry would burn the remainder of the input as fee.

No private key, mnemonic or other sensitive information left your machine: the request carried only a signature ID. KMS picks up the new pending transaction, signs it locally with the stored key, and broadcasts the signed transaction to the blockchain. It then marks the transaction as processed so that it is not signed and broadcast a second time.
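The request body above, built and checked in code, as an added example rather than Tatum’s SDK. The field names (fromAddress, address, signatureId, to, value) follow the curl request; the unspent balance of the input address, the fee, and the fee cap are assumptions for illustration. The checks are the ones a practitioner wants before a body leaves the machine: amounts handled in integer satoshis, the change output added explicitly, the implied fee recomputed from the body and bounded, and a refusal to send any body that carries key material instead of a signatureId.

```javascript
// Added example, not Tatum's SDK: build the bitcoin/transaction body with a
// signatureId, add the explicit change output, and check it before sending.
const SATOSHI = 100000000n;
const MAX_FEE_BTC = '0.0005'; // assumed policy cap, not a Tatum parameter
// privateKey is the real alternative to signatureId; the other names are assumed.
const SECRET_FIELDS = ['privateKey', 'mnemonic', 'seed'];

// Decimal BTC (string or number) to integer satoshis; floats would lose precision.
function toSat(value) {
  const text = typeof value === 'number' ? value.toFixed(8) : String(value);
  const [whole, frac = ''] = text.split('.');
  if (!/^\d+$/.test(whole) || !/^\d*$/.test(frac) || frac.length > 8) throw new Error('bad amount: ' + text);
  return BigInt(whole) * SATOSHI + BigInt(frac.padEnd(8, '0'));
}

// Satoshis back to the decimal number form the API request above uses.
function fromSat(sat) {
  const s = sat.toString().padStart(9, '0');
  return Number(s.slice(0, -8) + '.' + s.slice(-8));
}

// inputTotal is the unspent balance of fromAddress (assumed known from a UTXO lookup).
function buildKmsTx({ fromAddress, signatureId, inputTotal, to, sendValue, fee }) {
  const feeSat = toSat(fee);
  if (feeSat > toSat(MAX_FEE_BTC)) throw new Error('fee exceeds policy cap');
  const change = toSat(inputTotal) - toSat(sendValue) - feeSat;
  if (change < 0n) throw new Error('inputs do not cover amount plus fee');
  const outputs = [{ address: to, value: fromSat(toSat(sendValue)) }];
  // No implicit change in Bitcoin: anything not listed as an output becomes fee.
  if (change > 0n) outputs.push({ address: fromAddress, value: fromSat(change) });
  return { fromAddress: [{ address: fromAddress, signatureId }], to: outputs };
}

// Only the signatureId may travel; refuse a body that names key material.
function assertNoSecrets(body) {
  const json = JSON.stringify(body);
  for (const f of SECRET_FIELDS) {
    if (json.includes('"' + f + '"')) throw new Error('refusing to send field ' + f);
  }
  if (!body.fromAddress.every((i) => typeof i.signatureId === 'string')) throw new Error('every input needs a signatureId');
  return true;
}

// Recompute the fee the body implies (inputs minus all outputs), as a reviewer would.
function impliedFeeSat(body, inputTotal) {
  return body.to.reduce((left, o) => left - toSat(o.value), toSat(inputTotal));
}

function demo() {
  // Constructed values; address and signatureId are the placeholders from the article.
  const inputTotal = '0.0001'; // assumed unspent balance of the input address
  const body = buildKmsTx({
    fromAddress: 'AAAA3JPvMuwgpKovMTjBBB',
    signatureId: 'QQQ-4b41-4ec9-b66c-WWW',
    inputTotal,
    to: 'testnet-bitcoin-address',
    sendValue: '0.00001',
    fee: '0.00002',
  });
  assertNoSecrets(body);
  return { body, feeSat: impliedFeeSat(body, inputTotal) };
}
```

With a 0.0001 BTC input, sending 0.00001 at a 0.00002 fee yields the 0.00007 change output shown in the curl request; dropping that output would turn the whole 0.00009 remainder into fee, which is exactly the mistake the implied-fee check catches.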

Get transaction details

You can now retrieve the transaction with the Get transaction details endpoint, passing the KMS transaction ID returned in the id field of the previous response (61fe7c68cf2fbc595cbb89dd in the example below).

curl --request GET \
--url https://api-eu1.tatum.io/v3/kms/61fe7c68cf2fbc595cbb89dd \
--header 'x-api-key: your-testnet-api-key-from-tatum'

Example usage of the API with Tatum KMS

The response will contain the details of your transaction.

Conclusion

In the blockchain world, your private keys are your most valuable possessions. A private key does not itself hold your coins: the funds are recorded on the chain against an address, and the private key is the only thing that can authorise spending them. If you lose a private key, or it is stolen, the funds it controls cannot be recovered. Safe management of private keys is therefore crucial when working with cryptocurrencies and blockchains.

Tatum KMS is a tool that helps you manage private keys securely. With it, you can create wallets, generate addresses and sign transactions without ever exposing your private keys to the API or the network.
