Doc: add signer
This commit is contained in:
Marco Stronati
parent
59fc73d886
commit
35c4379a1e
@ -136,6 +136,81 @@ hardware wallet.
|
|||||||
--peer <public-node-ip>
|
--peer <public-node-ip>
|
||||||
|
|
||||||
|
|
||||||
|
.. _signer:
|
||||||
|
|
||||||
|
Signer
|
||||||
|
------
|
||||||
|
|
||||||
|
Another solution to decouple the node from the signing process is to
|
||||||
|
use the *remote signer*.
|
||||||
|
Among the signing scheme supported by the client, that we can list
|
||||||
|
with ``tezos-client list signing schemes``, there are ``unix``,
|
||||||
|
``tcp``, ``http`` and ``https``.
|
||||||
|
These schemes send signing requests over their respective
|
||||||
|
communication channel towards the ``tezos-signer``, which can run on a
|
||||||
|
different machine that stores the secret key.
|
||||||
|
|
||||||
|
In our home server we can generate a new key pair (or import one from a
|
||||||
|
:ref:`Ledger<ledger>`) and launch a signer that signs operations using these
|
||||||
|
keys.
|
||||||
|
The new keys are store in ``$HOME/.tezos-signer`` in the same format
|
||||||
|
as ``tezos-client``.
|
||||||
|
On our internet facing vps we can then import a key with the address
|
||||||
|
of the signer.
|
||||||
|
|
||||||
|
::
|
||||||
|
|
||||||
|
home~$ tezos-signer gen keys alice
|
||||||
|
home~$ cat ~/.tezos-signer/public_key_hashs
|
||||||
|
[ { "name": "alice", "value": "tz1abc..." } ]
|
||||||
|
home~$ tezos-signer launch socket signer -a home-ip
|
||||||
|
|
||||||
|
vps~$ tezos-client import secret key alice tcp://home-ip:7732/tz1abc...
|
||||||
|
|
||||||
|
Every time the client on *vps* needs to sing an operation for
|
||||||
|
*alice*, it sends a signature request to the remote signer on
|
||||||
|
*home*.
|
||||||
|
Note that this setup alone is not secure, **the signer accepts
|
||||||
|
requests from anybody and happily signs any transaction!**
|
||||||
|
|
||||||
|
Secure the connection
|
||||||
|
~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
Improving the security of the communication channel can be done at the
|
||||||
|
system level, setting up a tunnel with ``ssh`` or ``wireguard``
|
||||||
|
between *home* and *vps*, otherwise the signer already provides an
|
||||||
|
additional protection.
|
||||||
|
|
||||||
|
With the option ``--require-authentication`` the signer requires the
|
||||||
|
client to authenticate before signing any operation.
|
||||||
|
First we create a new key on the *vps* and then import it as an
|
||||||
|
authorized key on *home* where it is stored under
|
||||||
|
``.tezos-signer/authorized_keys`` (similarly to ``ssh``).
|
||||||
|
Note that this key is only used to authenticate the client to the
|
||||||
|
signer and it is not used as a Tezos account.
|
||||||
|
|
||||||
|
::
|
||||||
|
|
||||||
|
vps~$ tezos-client gen keys vps
|
||||||
|
vps~$ cat ~/.tezos-client/public_keys
|
||||||
|
[ { "name": "vps",
|
||||||
|
"value":
|
||||||
|
"unencrypted:edpk123456789" } ]
|
||||||
|
|
||||||
|
home~$ tezos-signer add authorized key edpk123456789 --name vps
|
||||||
|
home~$ tezos-signer --require-authentication launch socket signer -a home-ip
|
||||||
|
|
||||||
|
All request are now signed with the *vps* key thus you are
|
||||||
|
guaranteed authenticity and integrity.
|
||||||
|
This set up **does not guarantee confidentiality**, an evesdropper can
|
||||||
|
see the transactions that you sign but on a public blockchain this is
|
||||||
|
less of a concern.
|
||||||
|
You can still use the ``https`` scheme or the tunnel to encrypt you
|
||||||
|
traffic.
|
||||||
|
|
||||||
|
|
||||||
|
.. _sandboxed-mode:
|
||||||
|
|
||||||
Use sandboxed mode
|
Use sandboxed mode
|
||||||
------------------
|
------------------
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user