README
¶
MPC Key Management with Lux KMS
This package provides secure key management for MPC nodes using Lux KMS, a secrets management platform.
Overview
The KMS integration allows MPC nodes to:
- Store MPC key shares securely in Lux KMS instead of local BadgerDB
- Retrieve key shares on demand with proper authentication
- Manage initiator keys and other sensitive data
- Maintain encrypted backups of non-sensitive data locally
Configuration
Add the following to your config.yaml:
kms:
# For local Lux KMS instance
site_url: "http://localhost:8080"
# For production Lux KMS
# site_url: "https://kms.lux.network"
# Required settings
project_id: "your-project-id"
environment: "prod"
secret_path: "/mpc"
# Authentication (choose one method)
# Method 1: Service Token
# Set KMS_TOKEN environment variable
# Method 2: Universal Auth (recommended)
client_id: "your-client-id"
client_secret: "your-client-secret"
Setup
-
Local Lux KMS (if using):
cd ~/work/lux/kms docker-compose -f docker-compose.dev.yml up -d -
Create a Project in Lux KMS:
- Log in to Lux KMS dashboard
- Create a new project for MPC
- Note the project ID
-
Set up Authentication:
Option A: Service Token (Quick Start)
# In Lux KMS dashboard, create a service token export KMS_TOKEN="st.your-service-token" export KMS_PROJECT_ID="your-project-id"Option B: Universal Auth (Production)
- Create a machine identity in Lux KMS
- Get the client ID and client secret
- Add to config.yaml
Usage
The integration automatically activates when Lux KMS is configured. MPC nodes will:
- Store new key shares in Lux KMS
- Keep only references in local BadgerDB
- Retrieve keys from Lux KMS when needed
- Fall back to local storage if Lux KMS is unavailable
Testing
Run the test script to verify your setup:
cd /Users/z/work/lux/mpc/scripts
go run test-kms.go
Security Notes
- Never commit Lux KMS credentials to git
- Use environment variables or secure config management
- Enable audit logging in Lux KMS for compliance
- Regularly rotate service tokens
- Use Universal Auth with proper RBAC in production
Architecture
┌─────────────┐ ┌──────────────┐ ┌────────────┐
│ MPC Node │────▶│ KMS Wrapper │────▶│ Lux KMS │
│ │ │ │ │ │
│ BadgerDB │◀────│ (References)│ │ (Secrets) │
└─────────────┘ └──────────────┘ └────────────┘
- MPC nodes use the KMS-enabled kvstore wrapper
- Sensitive keys are stored in Lux KMS
- Local BadgerDB stores only references
- Non-sensitive data remains in BadgerDB
Troubleshooting
- Connection Failed: Check Lux KMS URL and network connectivity
- Auth Failed: Verify credentials and project access
- Key Not Found: Ensure correct environment and secret path
- Fallback Active: Check logs for Lux KMS errors
Benefits
- Central Key Management: All MPC keys in one secure location
- Access Control: Fine-grained permissions per node
- Audit Trail: Complete history of key access
- Key Rotation: Simplified key rotation procedures
- Compliance: Meet security standards with proper KMS
Documentation
¶
Index ¶
- func DeriveKeyFromPassword(password string, salt []byte) ([]byte, error)
- func HashKey(key []byte) string
- type EncryptedKey
- type KMS
- type KMSClient
- func (c *KMSClient) BatchRetrieve(ctx context.Context, names []string) (map[string][]byte, error)
- func (c *KMSClient) BatchStore(ctx context.Context, secrets map[string][]byte) error
- func (c *KMSClient) Close() error
- func (c *KMSClient) DeleteKey(key string) error
- func (c *KMSClient) DeletePresignature(ctx context.Context, walletID, sigID string) error
- func (c *KMSClient) Healthcheck(ctx context.Context) error
- func (c *KMSClient) ListKeys() ([]string, error)
- func (c *KMSClient) ListSecrets(ctx context.Context, path string) ([]SecretMetadata, error)
- func (c *KMSClient) RetrieveConfig(ctx context.Context, nodeID string, config interface{}) error
- func (c *KMSClient) RetrieveKeyShare(ctx context.Context, walletID string) ([]byte, error)
- func (c *KMSClient) RetrieveMPCKeyShare(nodeID, walletID, keyType string) ([]byte, error)
- func (c *KMSClient) RetrievePresignature(ctx context.Context, walletID, sigID string) ([]byte, error)
- func (c *KMSClient) RotateKeyShare(ctx context.Context, walletID string, newKeyShare []byte) error
- func (c *KMSClient) StoreConfig(ctx context.Context, nodeID string, config interface{}) error
- func (c *KMSClient) StoreKeyShare(ctx context.Context, walletID string, keyShare []byte) error
- func (c *KMSClient) StoreMPCKeyShare(nodeID, walletID, keyType string, keyData []byte) error
- func (c *KMSClient) StorePresignature(ctx context.Context, walletID, sigID string, presigData []byte) error
- type KMSConfig
- type MPCKMSIntegration
- func (m *MPCKMSIntegration) BackupKeys(backupPath string, backupPassword string) error
- func (m *MPCKMSIntegration) ListStoredKeys() []EncryptedKey
- func (m *MPCKMSIntegration) RestoreKeys(backupPath string, backupPassword string) error
- func (m *MPCKMSIntegration) RetrieveInitiatorKey() ([]byte, error)
- func (m *MPCKMSIntegration) RetrieveMPCKeyShare(walletID string, keyType string) ([]byte, error)
- func (m *MPCKMSIntegration) RetrieveNodePrivateKey() ([]byte, error)
- func (m *MPCKMSIntegration) StoreInitiatorKey(privateKey []byte) error
- func (m *MPCKMSIntegration) StoreMPCKeyShare(walletID string, keyType string, share []byte) error
- func (m *MPCKMSIntegration) StoreNodePrivateKey(privateKey []byte) error
- type SecretMetadata
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func DeriveKeyFromPassword ¶
DeriveKeyFromPassword derives a key from a password using scrypt
Types ¶
type EncryptedKey ¶
type EncryptedKey struct {
ID string `json:"id"`
Name string `json:"name"`
Type string `json:"type"`
Encrypted string `json:"encrypted"`
Salt string `json:"salt"`
Nonce string `json:"nonce"`
CreatedAt string `json:"created_at"`
Description string `json:"description"`
}
EncryptedKey represents an encrypted key in storage
type KMS ¶
type KMS struct {
// contains filtered or unexported fields
}
KMS represents a simple Key Management System
func (*KMS) ListKeys ¶
func (k *KMS) ListKeys() []EncryptedKey
ListKeys returns a list of all stored keys (without the actual key data)
func (*KMS) RetrieveKey ¶
RetrieveKey decrypts and retrieves a key
type KMSClient ¶
type KMSClient struct {
// contains filtered or unexported fields
}
KMSClient wraps the Lux KMS SDK for MPC key management
func NewKMSClient ¶
NewKMSClient creates a new Lux KMS client for secure key operations
func (*KMSClient) BatchRetrieve ¶
BatchRetrieve retrieves multiple secrets in a single operation
func (*KMSClient) BatchStore ¶
BatchStore stores multiple secrets in a single operation
func (*KMSClient) DeletePresignature ¶
DeletePresignature removes a used presignature
func (*KMSClient) Healthcheck ¶
Healthcheck verifies KMS connectivity
func (*KMSClient) ListSecrets ¶
ListSecrets lists all secrets in a given path
func (*KMSClient) RetrieveConfig ¶
RetrieveConfig retrieves MPC node configuration
func (*KMSClient) RetrieveKeyShare ¶
RetrieveKeyShare retrieves an MPC key share from Lux KMS
func (*KMSClient) RetrieveMPCKeyShare ¶
RetrieveMPCKeyShare retrieves an MPC key share with specific node and wallet IDs
func (*KMSClient) RetrievePresignature ¶
func (c *KMSClient) RetrievePresignature(ctx context.Context, walletID, sigID string) ([]byte, error)
RetrievePresignature retrieves a presignature from Lux KMS
func (*KMSClient) RotateKeyShare ¶
RotateKeyShare rotates the key share for a wallet
func (*KMSClient) StoreConfig ¶
StoreConfig stores MPC node configuration
func (*KMSClient) StoreKeyShare ¶
StoreKeyShare stores an MPC key share in Lux KMS
func (*KMSClient) StoreMPCKeyShare ¶
StoreMPCKeyShare stores an MPC key share with specific node and wallet IDs
type KMSConfig ¶
type KMSConfig struct {
ClientID string
ClientSecret string
ProjectID string
Environment string
SecretPath string
SiteURL string
}
KMSConfig holds configuration for Lux KMS integration
type MPCKMSIntegration ¶
type MPCKMSIntegration struct {
// contains filtered or unexported fields
}
MPCKMSIntegration provides KMS integration for MPC nodes
func NewMPCKMSIntegration ¶
func NewMPCKMSIntegration(nodeID string, dataDir string) (*MPCKMSIntegration, error)
NewMPCKMSIntegration creates a new MPC KMS integration
func (*MPCKMSIntegration) BackupKeys ¶
func (m *MPCKMSIntegration) BackupKeys(backupPath string, backupPassword string) error
BackupKeys creates an encrypted backup of all keys
func (*MPCKMSIntegration) ListStoredKeys ¶
func (m *MPCKMSIntegration) ListStoredKeys() []EncryptedKey
ListStoredKeys lists all keys stored for this node
func (*MPCKMSIntegration) RestoreKeys ¶
func (m *MPCKMSIntegration) RestoreKeys(backupPath string, backupPassword string) error
RestoreKeys restores keys from an encrypted backup
func (*MPCKMSIntegration) RetrieveInitiatorKey ¶
func (m *MPCKMSIntegration) RetrieveInitiatorKey() ([]byte, error)
RetrieveInitiatorKey retrieves the initiator private key
func (*MPCKMSIntegration) RetrieveMPCKeyShare ¶
func (m *MPCKMSIntegration) RetrieveMPCKeyShare(walletID string, keyType string) ([]byte, error)
RetrieveMPCKeyShare retrieves an MPC key share
func (*MPCKMSIntegration) RetrieveNodePrivateKey ¶
func (m *MPCKMSIntegration) RetrieveNodePrivateKey() ([]byte, error)
RetrieveNodePrivateKey retrieves the node's P2P private key
func (*MPCKMSIntegration) StoreInitiatorKey ¶
func (m *MPCKMSIntegration) StoreInitiatorKey(privateKey []byte) error
StoreInitiatorKey stores the initiator private key
func (*MPCKMSIntegration) StoreMPCKeyShare ¶
func (m *MPCKMSIntegration) StoreMPCKeyShare(walletID string, keyType string, share []byte) error
StoreMPCKeyShare stores an MPC key share
func (*MPCKMSIntegration) StoreNodePrivateKey ¶
func (m *MPCKMSIntegration) StoreNodePrivateKey(privateKey []byte) error
StoreNodePrivateKey stores the node's P2P private key
Source Files