TSS Node deployment
TSS Node package
The TSS Node package comes in two versions tailored to different deployment environments:
- SGX security enhanced version: Designed for servers equipped with SGX capabilities. You can download this TSS Node package here and the corresponding SHA256 file here.
- General version: Compatible with all servers, including those from cloud providers, custom-built servers, general servers, and Apple MacBooks. While this version can also run on SGX-ready servers, SGX-specific features will not be enabled. You can download this TSS Node package here and the corresponding SHA256 file here.
The subsequent example employs the general version of the TSS Node package.
To verify the integrity of the TSS Node package, check its SHA256 (256-bit) checksum.
The checksum computed from the downloaded package must match the hash value in the corresponding SHA256 file.
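One way to script the checksum comparison described above, as an added example that is not part of Cobo's own tooling. The function names and the `verify.sh` script name are assumptions of this example; pass it the package and SHA256 file you downloaded.

```shell
#!/bin/sh
# Added example: compare a downloaded package with its published SHA256 file.
# Usage (file names are placeholders): sh verify.sh <package> <sha256-file>

# Print the lowercase SHA256 hex digest of a file (Linux or macOS tools).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print tolower($1) }'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{ print tolower($1) }'
    else
        openssl dgst -sha256 -r "$1" | awk '{ print tolower($1) }'
    fi
}

# Read the expected digest from a checksum file. Accepts a bare digest or the
# "<digest>  <filename>" layout, with LF or CRLF line endings. Fails unless
# the first field is exactly 64 hex characters.
expected_sha256() {
    tr -d '\r' < "$1" | awk 'NF { print tolower($1); exit }' |
        grep -E '^[0-9a-f]{64}$'
}

# verify_package PACKAGE SHA256_FILE
# Returns 0 on match, 1 on mismatch, 2 on a missing or malformed input.
verify_package() {
    pkg=$1
    sumfile=$2
    if [ ! -f "$pkg" ] || [ ! -f "$sumfile" ]; then
        echo "missing file: $pkg or $sumfile" >&2
        return 2
    fi
    want=$(expected_sha256 "$sumfile") || {
        echo "malformed checksum file: $sumfile" >&2
        return 2
    }
    got=$(sha256_of "$pkg")
    if [ "$got" != "$want" ]; then
        echo "MISMATCH: $pkg (expected $want, computed $got)" >&2
        return 1
    fi
    echo "OK: $pkg $got"
}

if [ "$#" -eq 2 ]; then
    verify_package "$1" "$2" || exit $?
fi
```

Proceed to the unzip step only when the script exits with status 0. A match shows the package is intact relative to the SHA256 file, so obtain that file from the official download location.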
After verification, please execute the following command to unzip the TSS Node package.
Upon extracting the TSS Node package, the following directory will be shown.
Unless stated otherwise, please execute all subsequent commands in this user guide under the root directory of the unzipped TSS Node package. For example, navigate to the cobo-tss-node-generic path before running any further commands.
TSS Node command lines
The TSS Node command lines remain consistent across all operating environments. However, how the commands are executed may vary slightly. For both SGX-ready servers and other types of servers, sudo access is essential for deploying and running TSS Node. In other words, ensure that the commands are prefixed with sudo.
For the Apple MacBook, no sudo access is required.
Unless explicitly stated otherwise, all subsequent commands in this user guide will use the general server as an example.
TSS Node container images
Please execute the following command to verify the installation of necessary dependencies and drivers. If this marks the initial configuration of the TSS Node, the command will also automatically fetch the latest container images.
The output example is as follows.
At this point, all dependencies are successfully configured, and the TSS Node is ready for initialization.
TSS Node package description
Default config file: configs/cobo-tss-node-config.yaml.template.
The TSS Node is configured to connect to the development environment by default, requiring no additional config file for it to run. However, if you wish to connect to the production environment, manual modification of the config file is necessary.
To do this, make a copy of cobo-tss-node-config.yaml.template, name it cobo-tss-node-config.yaml, and place the new file in the configs directory. For instructions, please refer to the TSS Node configuration method. Remember to restart the TSS Node package once the config file is modified.
Startup script: tss-node.sh
The TSS Node package incorporates a startup script that serves the following purposes:
- Checks whether the required software and drivers are successfully installed.
- Pulls container images of the TSS Node.
- Manages the running status of containers.
The startup script passes most commands and parameters through to the cobo-tss-node program within the containers.
TSS Node initialization
Please execute the following command.
The output example is as follows.
Execution Workflow:
- During TSS Node initialization, the system will verify the successful installation of Docker Engine and proceed to build the container image. You will be prompted to approve the auto installation of Docker Engine.
- If an SGX-ready server is utilized, the system will additionally verify the successful installation of the SGX driver. You will be prompted to approve the auto installation of the Intel DCAP 1.41 driver.
- Set a password to encrypt the data generated during TSS Node initialization. If you lose access or need to modify the password, please refer to Recover root extended private keys. It is recommended to set a complex password of 16 to 32 characters, use a password manager (e.g., 1Password), and store the password securely on a trusted device.
- The database file will be automatically generated with the default path being db/secrets.db.
- The Node ID will be automatically generated (e.g., cobo73VA6C6WvofPg8tWYmqvdUF1cPYhd7EmGUxTexz5HCzYe) and functions as the unique identifier of the TSS Node.
- The callback key will be automatically generated and printed. For more information, please refer to TSS Node callback.
TSS Node startup
Please execute the following command.
The output example is as follows.
If you have not created a holder group with this TSS Node, the registration status will be returned as failed. You can proceed with creating a holder group through Cobo Portal. Only users with vault admin rights are authorized to create a holder group.
Upon successful creation of the holder group, the registration status will be updated to the following:
You can press Ctrl+C to exit, and the TSS Node will continue to run in the background. For more information on checking the running status of the TSS Node, please refer to Appendix.
MPC root extended public keys
Ensure that the root extended public key displayed on Cobo Portal matches the one shown in the TSS Node log. This key can be used to generate all wallet addresses under this MPC Organization-Controlled Wallet using BIP-32.
Private key share management
The successfully generated private key shares will be encrypted and stored locally in the database file of the TSS Node package. The default path is db/secrets.db. It is highly recommended to create backups of the database file and the password used for encryption during the initialization of the TSS Node. The backup files should be stored on separate devices for enhanced security. For more information, please refer to Back up holder groups.