Example Configuration File
The following shows a sample MPC node configuration file. It contains explanations of each configuration, and may serve as a summary of many of the topics discussed earlier in the Builder Vault User Manual.
# This is an example TSM node configuration file.
#
# Commented sections means that the feature is either disabled or used with default values.
# Commented variables are listed with their default values.
# Uncommented values are mandatory.
#
# Configuration values can be overridden with environment variables by setting
# TSM_PATH_TO_VALUE, e.g. TSM_MPC_THRESHOLD=2 to set MPC.Threshold to 2
# Defines the operating mode of the TSM node.
#[Mode]
# An embedded node does not listen on any ports and is used when integrating the TSM node
# directly in an application.
# When Embedded is enabled the player index must be 0. Usually an embedded node will not use
# a configuration file, so only set this to true if you know what you are doing.
#Embedded = false
# General configuration for MPC operations.
[MPC]
# When migrating from an older version of the TSM this parameter specifies how many players
# were in that TSM. Now the number of players is set individually for each MPC operation.
# Once a TSM is migrated to the new format, this parameter is no longer needed.
#PlayerCount = 0
# This used to be the security threshold for the entire TSM, but now the threshold is set
# individually for each key. This parameter is only used when migrating from an older version
# of the TSM where it is needed to properly convert key material to the new format. Once a
# TSM is migrated to the new format, this parameter is no longer needed.
#Threshold = 0
# Time to wait before all required connections between the MPC nodes have been established.
# When they have been established the MPC session will begin and the SessionTimeout will be
# used (see below).
#ConnectionTimeout = "10s"
# Time to wait before an MPC session times out.
#SessionTimeout = "3m"
# When another node sends us a message related to a session that is not yet started, that
# message (or connection) is stored as a pending session. We do this since not all sessions
# can be started at exactly the same time. This parameter allows us to control the number of
# pending sessions. Note that a malicious player can cause a denial of service attack by
# filling up this buffer. This can be mitigated to some extent by controlling the order in
# which sessions are started.
#MaxPendingSessions = 10000
# Configuration for the local player
[Player]
# All players in a TSM are identified by a player index. This is the index of the player
# running this TSM node. We refer to this player as the local player. Other players are
# called remote players.
Index = 0
# This is a base64 encoding of the private key used to authenticate the local player towards
# the remote players. This must correspond to the public keys configured on the remote
# players for this player index. A private key can be generated using the following OpenSSL
# commands:
#
# openssl genpkey -algorithm ed25519 -outform DER -out private.key
# openssl base64 -A -in private.key; echo
#
# Instead of P-256 one can use P-384 or P-521 depending on the desired security level (128,
# 192 or 256 bits).
PrivateKey = "BA3E64=="
# This is a list of base64 encodings of DER encoding of the ASN.1 SubjectPublicKeyInfo
# structure of RSA public keys. This is a white list of public keys that are allowed to be
# used with export. It is possible to use a single string of "*" to allow any public key to
# be used.
ExportWhiteList = []
# The following is a list of players in the TSM with a static public key.
#
# If stream based communication is used (e.g. MPCTCPServer) then all players except player 0
# must be configured with a static public key. The logic is that lower numbered players open
# connections to higher numbered players, so URLs are not needed for players with a lower
# number than the local player.
#
# If packet based communication is used (e.g. MPCAMQPServer) then any player can be configured
# here with a static key. Other players can participate in an MPC protocol, but their public
# key must be provided when the MPC operation is started.
[Players.1]
# The protocol and address of player with index 1. Supported prootocols are tcp, ws and wss.
# If no protocol is specified then tcp is assumed. For tcp connections it is possible to
# specify the following additional options:
# - connectionPoolSize: Number of tcp connections to keep alive to this player if
# multiplexing is used. Default is 2.
# - connectionLifetime: Minimum lifetime of a tcp connection to this player. Default is 4
# hours.
Address = "tcp://player1:9000?connectionPoolSize=2&connectionLifetime=4h"
# This is a base64 encoding of the players public key. A public key can be generated from the
# private key using the following OpenSSL commands:
#
# openssl pkey -in private.key -pubout -outform DER -out public.key
# openssl base64 -A -in public.key; echo
PublicKey = "BA3E64=="
#[Players.2]
#Address = "..."
#PublicKey = "..."
# User authentication settings.
#[Authentication]
# Lifetime of the tokens for password based user authentication
#TokenLifetime = "5m"
# List of API keys used for authentication in SDKv2
#[[Authentication.APIKeys]]
# Only for SDK V2
# Base64 encoded hash of the API key. A hash for the API key foobar can be generated with
# the following command:
#
# echo -n "foobar" | openssl dgst -sha256 -binary | openssl base64
#
# Crypt hashes with the following algoritms are also supported: MD5, SHA256, SHA512,
# bcrypt, Argon2i, Argon2id
#APIKey = ""
# Users with the given API key will be mapped to this user in the system. If the user does
# not exist, it will be created automatically. Set this to an existing user ID to migrate
# from password to API key authentication.
#ApplicationID = ""
# Setting related to authentication of users based on TLS client certificates.
#[TLSUserAuthentication]
# Points to a file containing PEM encoded certificates of CAs from which client certificates
# are accepted.
#ClientCAFile = ""
# Contains a comma separated list of base64 encoded certificates of CAs from which client
# certificates are accepted.
#ClientCAList = ""
# Enable OCSP validation of client certificates.
#OCSP = false
# Require the client to send a stapled OCSP response, otherwise validation will fail.
#OCSPRequireStapling = false
# If true then only the leaf certificate is validated. Otherwise, the entire chain is
# validated.
#OCSPValidateLeafOnly = false
# Lifetime of cached OCSP responses, e.g "1h30m". A value of 0 means that ValidUntil from the
# OCSP response is used, otherwise the value of CacheTTL is used if it comes before
# ValidUntil.
#OCSPCacheTTL = "10m"
# Use this URL for all OCSP responders, regardless of what the certificate says.
#OCSPResponderURL = ""
# Use this hash algorithm for OCSP requests, usually SHA-1 or SHA-256. If empty then SHA-256
# is used.
#OCSPHashAlgorithm = ""
# If no applications are specified, all certificates will be granted access, and given an ID
# deduced from the Subject and Issuer of the certificate
# Access to applications is given based on values set in the certificates matching the values
# set in the filters below.
# To get a list of OIDs, here is an example:
#
# openssl list -objects | grep -i ", 2.5.4"
#
# The following text strings can also be used as keys:
# "commonName", "country", "locality", "stateOrProvince", "streetAddress", "organization",
# "organizationalUnit", "postalCode", "serialNumber", "givenName", and "surname"
# For values expecting an array of strings, use "v1, v2"
# You can use SerialNumber directly (certificate root field) or any fields found under
# Subject ("Subject/...") or
# Issuer ("Issuer/...")
#[[TLSUserAuthentication.Applications]]
#ID = "MyApplicationID"
#[[TLSUserAuthentication.Applications.Filters]]
#"Issuer/2.5.4.3" = "value 00" # commonName in Issuer
#"Subject/2.5.4.6" = "value 01, value 02" # country in Subject
#"Subject/2.5.4.11" = "value 03" # organizationalUnit in Subject
#[[TLSUserAuthentication.Applications.Filters]]
#"Issuer/Organization" = "value 10" # organizational in Issuer
#"Serialnumber" = "value 13" # The certificate serial number
# Setting related to authentication of users based on OIDC Access Tokens.
#[OIDCAccessTokenAuthentication]
# List of supported OIDC issuer URLs.
#OIDCIssuers = []
# Configuration for applications that are allowed to access the TSM
#[[OIDCAccessTokenAuthentication.AccessTokens]]
# The ID of the application to authenticate, or a reference to a claim which value should
# be used as application ID. Application IDs must match the regex ^[a-zA-Z0-9_-]+$. This
# will map to a certain set of key IDs.
# ApplicationID = "application ID" | "$CLAIM:claim"
# Must match audience (aud) in access token
# Audience = "audience value"
# EITHER
# The URL of the discovery document for this access token, used to retrieve the public
# key. Defaults to issuer + "/.well-known/openid-configuration".
# OR
# if PublicKey is specified, DiscoveryDocURL is ignored.
# DiscoveryDocURL = issuer + "/.well-known/openid-configuration"
# This is a base64 encoding of the players public key. A public key can be generated
# from the private key using the following OpenSSL commands:
#
# openssl ec -inform DER -in private.key -pubout -outform DER -out public.key
# openssl base64 -A -in public.key; echo
#
# PublicKey = "BA3E64=="
# The claims which the access token needs to match. If no claims are required, you still
# need to add an empty section.
#[[OIDCAccessTokenAuthentication.AccessTokens.claims]]
# claim0 = "claim value 0"
#[[OIDCAccessTokenAuthentication.AccessTokens.claims]]
# claim1 = "claim value 1"
# claim2 = "claim value 2"
# Database connection configuration.
[Database]
# The driver used for the database. The following database drivers are supported: sqlite3,
# mysql and postgres.
DriverName = "sqlite3"
# The name of the datasource. This example shows a SQLite file backed database. For MySQL an
# example of a datasource name could be:
#
# USER:PASSWORD@HOST:3306/DATABASE_NAME?parseTime=true
#
# and for postgres:
#
# postgres://USER:PASSWORD@HOST:5432/DATABASE_NAME?sslmode=disable
DataSourceName = "/tmp/tsmdb"
# This specifies a master encryption key used to protect database records. Note that this key
# is not directly used to encrypt data. Use any long random string here and make sure to keep
# a backup of it somewhere safe.
EncryptorMasterPassword = "ENCRYPTION_KEY"
# An alternative to specifying a password for encryption is to use a key file. Here the
# content of the key file is hashed and used as the master password. This is useful if one
# does not want to store the master password in the configuration file. After the TSM node
# has started up this file is no longer needed until next startup.
#EncryptorKeyFile = ""
# Allows specifying a plugin that is loaded and used before the internal TSM encryptions is
# performed. Any handling of the data is done in addition to the normal encryption. The
# plugin path can be absolute, or local. If local it will need to be located in the path of
# LD_LIBRARY_PATH. The plugin must implement the plugin functions defined in the plugin-
# interface.h header file.
# The plugin MUST ensure that keyshares are handled securely, as failure to do so may
# compromise the security of the installation.
#ExternalEncryptorPlugin = ""
# The maximum number of idle connections in the database connection pool. When using SQLite
# this should be set to 1.
#MaxIdleConns = 500
# The maximum number of open connections in the database connection pool. When using SQLite
# this should be set to 1.
#MaxOpenConns = 500
# The maximum time a database connection can be open before it is closed. A value of 0
# disables closing of connections.
#ConnMaxLifetime = "3m"
# The maximum time a database connection can be idle before it is close. A value of 0
# disables closing of idle connections.
#ConnMaxIdleTime = 0
# Controls how long key shares should be cached in memory. Setting this too high can cause
# issues when running in a load balanced setup together with operations that modify key
# shares, such as reshare.
#KeyShareCacheTTL = "1s"
# MPC server accepting multiplexed TCP connections from other players.
# At least one MPC server must be specified if the player index is greater than 0.
[MPCTCPServer]
# Port number that this server listens on.
Port = 9000
# Settings this to true disables multiplexing.
#DisableMultiplexing = false
# MPC server accepting WebSocket connections from other players.
# At least one MPC server must be specified if the player index is greater than 0.
#[MPCWebSocketServer]
# Port number that this server listens on.
#Port = 9001
# Points to a file containing a PEM encoded certificate which will be used for this
# connection. Setting this enables the use of WSS instead of WS.
#CertificateFile = ""
# The private key corresponding to the certificate above.
#CertificateKeyFile = ""
# MPC server using an AMQP message broker to communicate with other players. Cannot be used
# with other MPC servers.
#[MPCAMQPServer]
# URL for the AMQP message broker
# For a local test instance with the default vhost and guest user the following URL can be
# used:
#
# amqp://guest:guest@localhost:5672/
#ServerURL = ""
# When connection to the broker drops or sending of a message fails, how long should we wait
# before retrying
#RetryDelay = "5s"
# Specify how many channels should be used when sending messages to the broker. You might
# want to increase this value if you enable PublisherConfirms below.
#ChannelPoolSize = 2
# Use the RabbitMQ specific publisher confirms feature. This configures the RabbitMQ server
# to confirm each message before that message is considered delivered by the client. This
# makes the communication with the broker more resillient when the broker restarts or the
# network connection fails during a session, but it also has a performance impact.
#PublisherConfirms = false
# Instruct the message broker to persist messages. If using durable queues this ensures that
# messages will survice a restart of the broker.
#PersistMessages = false
# If DynamicQueues is true then a new queue is created on the broker for each session,
# instead of using a fixed queue for each player. Dynamic queues are less reliable in case of
# network failures, but allows for multiple nodes behind a load balancer. The parameters
# PublisherConfirms, PersistMessages and SkipSetup have no effect on dynamic queues.
# All players must use the same type of queues.
#DynamicQueues = false
# If SkipSetup is false the client will automatically create exchange and queues on the
# broker. However, if you need more control over who can send and receive messages set this
# to true and configure the broker like this:
#
# First you need to know how to get the player ID of a player. The player ID is computed by
# first using SHA-256 to hash the public key and then base64 URL encode (without padding) the
# output of the hash function.
#
# 1. Create a direct exchange with the name tsm.direct
# 2. Create a queue for each player with the name tsm.playerID and an x-message-ttl of #
# session timeout + connection timeout
# 3. Bind the queues above to the exchange with the queue name as the binding key
# 4. Grant all users write access to the exchange
# 5. Grant all users read access to their own queue
#SkipSetup = false
# MPC server using Redis to communicate with other players. Cannot be used with other MPC
# servers.
#
# It's recommended that you restrict what users can do on the Redis server. To create a user
# 'player0' with password 'pw0' for use by a TSM node, you need the following ACL:
#
# ACL SETUSER player0 on >pw0 ~tsm:* +ping +blmpop +rpush +expire
#
# If you have ExpireKeys set to true, you also need to add +expire to the list above.
#[MPCRedisServer]
# URL for the Redis server
# For a local instance with no access control the following URL can be used:
#
# redis://localhost:6379/0
#ServerURL = ""
# Redis pipelining is used when sending messages. This is the maximum number of messages that
# goes into one pipeline before being sent to the Redis server.
#SendBatchSize = 20
# When calling BLMPOP to retrive messages from Redis, this is the maximum number of lists to
# query in one call.
#ReceiveBatchSize = 20
# This controls how many Redis connections are used for fetching messages from the server.
#MaxMessageReceivers = 30
# Number of sessions that can be running at the same time on this TSM node. If you don't need
# that many sessions, you can lower this number and save a little memory.
#MaxSessions = 10000
# Choose whether keys will automatically expire or not. Under normal operation keys will be
# deleted once the MPC
# session finishes, but in case of MPC session failure some data might remain.
# Automatically expiring keys are disabled by default since it's normally handled by the
# servers eviction policy.
#ExpireKeys = false
# Set this to true if you are running a Redis cluster. Only use this if you really need a
# Redis cluster. In most cases you will get much better performance without a cluster.
#ClusterMode = false
# Server accepting connections from the SDK. This must be specified unless the TSM node is
# running as a local node.
[SDKServer]
# Port number that this server listens on.
Port = 8080
# Points to a file containing PEM encoded certificates of root CAs for the server
# certificate. Currently, this is only used when the server is configured to do OCSP
# stapling.
#CAFile = ""
# Contains a comma separated list of base64 encoded certificates of root CAs for the server
# certificate. Currently, this is only used when the server is configured to do OCSP
# stapling.
#CAList = ""
# Points to a file containing a PEM encoded certificate (and any intermediates) which will be
# used for this connection. Setting this enables the use of HTTPS instead of HTTP.
#CertificateFile = ""
# This contains the base64 certificate inline instead of giving it in a file in the previous
# entry.
#CertificateBytes = ""
# The private key corresponding to the certificate above.
#CertificateKeyFile = ""
# This contains the Base64 PKCS#8 private key inline instead of giving it in a file in the
# previous entry.
#CertificateKeyBytes = ""
# Performs OCSP stapling by attaching an OCSP response to the server certificate.
#OCSPStaple = false
# Lifetime of cached OCSP responses, e.g "1h30m". A value of 0 means that ValidUntil from the
# OCSP response is used, otherwise the value of CacheTTL is used if it comes before
# ValidUntil.
#OCSPCacheTTL = "10m"
# Use this URL for all OCSP responders, regardless of what the certificate says.
#OCSPResponderURL = ""
# Use this hash algorithm for OCSP requests, usually SHA-1 or SHA-256. If empty then SHA-256
# is used.
#OCSPHashAlgorithm = ""
#[SDKServer.HTTPResponseHeaders]
# Access-Control-Allow-Origin = "*"
# Access-Control-Allow-Methods = "POST, PUT, GET, DELETE, OPTIONS"
# Access-Control-Allow-Headers = "MPC-SessionID, MPC-Players, Authorization, Content-Type"
# This setting enables multiple instances of the same player to be placed behind a load
# balancer. Each instance will either handle sessions itself or route the traffic to other
# instances.
#[MultiInstance]
# IP address where this instance can be reached from other the instances. If not specified an
# auto-detected address is used and this might not be the address you want if there are
# multiple IP addresses associated with the system.
#Address = ""
# SDK port announced to the other nodes. If not specified it defaults to the SDK port from
# the [SDKServer] section.
#SDKPort = 0
# MPC port announced to the other nodes. If not specified it defaults to the SDK port from
# the [MPCTCPServer] section.
#MPCPort = 0
# How often should we run a cleanup job that purges old routing entries from the database.
#CleanupInterval = "5m"
# Every CleanupInteval the cleanup job will run with this probability. 0 means never and 100
# means always.
#CleanupProbability = 25
# This section is used for initializing the server with values specified in the configuration
# instead of other sources.
#[Initializers]
# This adds the option to set the wrapping key used for exporting key shares. It will only
# work if the wrapping key has not already been set or generated. This must be an RSA key in
# a DER encoded PKCS#1 structure.
#WrappingPrivateKey = "BA3E64=="
# The following two entries can be used to bootstrap the node to a specific Administrator
# name and password. If used, both entries must be set in which case the administrator will
# be created with the specified password. This will only work if an administrator have not
# already been created.
#AdministratorUsername = ""
#AdministratorPassword = ""
# Server used to access various internal performance counters, both Golang and MPC related.
# Default format is Golang's build-in expvar. Can be configured to be Prometheus
#[MetricsServer]
#Port = 10000
#Prometheus = false
# For use in a browser (e.g. WASM), the following values should be set
#[MetricsServer.HTTPResponseHeaders]
# Access-Control-Allow-Origin = "*"
# Access-Control-Allow-Methods = "POST, PUT, GET, DELETE, OPTIONS"
# Access-Control-Allow-Headers = "MPC-SessionID, MPC-Players, Authorization, Content-Type"
# Server used for serving runtime profiling data in the format expected by the pprof
# visualization tool. This requires that the TSM node is compiled with profiling enabled. Only
# used for internal debugging.
#[ProfilingServer]
#Port = 11000
# Configures system logging for the TSM node. The top level values specifies a default logger.
# For more advanced logging configuration, specify one or more of the [Log.X] configurations
# below. If any of these configurations are specified, they will override the top level
# configuration.
#[Log]
# Log level. Possible values are INFO, WARN, ERROR and DEBUG. If not specified it default to
# INFO.
#Level = "INFO"
# Log format. Possible values are TEXT and JSON. If not specified it default to TEXT.
#Format = "TEXT"
# If specified, logs will be written to this file. If empty, logs will be written to standard
# out.
#FilePath = ""
# Set to true to log the filename and line number where the logging operation occurred.
#ReportCaller = true
# This logger logs to standard out.
#[Log.StdoutLogger]
# Log level. Possible values are INFO, WARN, ERROR and DEBUG. If not specified it default
# to INFO.
#Level = "INFO"
# Log format. Possible values are TEXT and JSON. If not specified it default to TEXT.
#Format = "TEXT"
# Set to true to log the filename and line number where the logging operation occurred.
#ReportCaller = true
# These logger log to files. It is possible to specify more than one file logger to log to
# different files.
#[[Log.FileLoggers]]
# Log level. Possible values are INFO, WARN, ERROR and DEBUG. If not specified it default
# to INFO.
#Level = "INFO"
# Log format. Possible values are TEXT and JSON. If not specified it default to TEXT.
#Format = "TEXT"
# Log to this file. If it does not exist, it will be created.
#FilePath = ""
# Set to true to log the filename and line number where the logging operation occurred.
#ReportCaller = true
# This logger logs to syslog.
#[Log.SyslogLogger]
# Log level. Possible values are INFO, WARN, ERROR and DEBUG. If not specified it default
# to INFO.
#Level = "INFO"
# Log format. Possible values are TEXT and JSON. If not specified it default to TEXT.
#Format = "TEXT"
# Set to true to log the filename and line number where the logging operation occurred.
#ReportCaller = true
# This logger logs to AWS CloudWatch.
#[Log.CloudWatchLogger]
# Log level. Possible values are INFO, WARN, ERROR and DEBUG. If not specified it default
# to INFO.
#Level = "INFO"
# Specify the AWS region here. This field is required.
#Region = ""
# Specify the AWS log group name. This field is required.
#LogGroupName = ""
# Specify the AWS log stream name. This field is required.
#LogStreamName = ""
# Set to true to log the filename and line number where the logging operation occurred.
#ReportCaller = true
# This logger will discard all logs. Set this as the only logger to disable logging
# completely. Adding this in addition to other loggers has no effect.
#[Log.DiscardLogger]
# If this section is present then certain operations on the TSM node are stored in an audit
# log. The audit log is periodically signed and uploaded to an audit receiver.
#[Audit]
# URL of the audit receiver. Audit logs are sent to this URL using HTTP POST requests.
# Can be a file, HTTP location or s3 location: file://, https://, s3://
#ReceiverURL = ""
# Public key of the audit receiver. This corresponds to the public key in the TLS
# certificate.
#ReceiverPublicKey = "BA3E64=="
# Private key used to establish a connection to the audit receiver using mTLS.
#ClientPrivateKey = "BA3E64=="
# Log entries are signed before they are uploaded to the audit receiver. This is the 32 byte
# seed used to generate an Ed25519 signing key per RFC-8032.
#LogEntrySigningKeySeed = "BA3E64=="
# Maximum number of audit log entries that are sent in one request.
#MaxBatchSize = 50
# Minimum time to wait before checking for new audit log entries to upload.
#MinWaitTime = "15s"
# Maximum time to wait before checking for new audit log entries to upload.
#MaxWaitTime = "2m"
# When using an S3-compatible API as the ReceiverURL in [Audit], specify any
# non-standard S3 related parameters here
#[Audit.S3EndpointConfig]
# If not using the default S3 endpoint, specify the custom one here
#EndpointURL = ""
# AWS or S3-compatible API region
#Region = ""
# Authorization keys for the S3-compatible API
#SecretAccessKey = ""
#AccessKeyId = ""
#SessionToken = ""
# The configurations below are for the individual MPC protocols supported by the TSM. Comment a
# protocol to disable it. In the following n denotes the total number of players and t is the
# security threshold.
# Computes ECDSA signatures. This protocol requires n >= 2t+1. Cannot be enabled together with
# DKLS19, or DKLS23.
#[SEPH18S]
# Shortest allowed BIP-32 chain path.
#MinChainPathLength = 0
# Cache size for intermediate public keys when using BIP-32 chain paths.
#Bip32CacheSize = 1024
# Maximum number of presignatures that can be generated in one request.
#PresigGenRequestLimit = 1000
# Maximum number of presignatures that can be generated concurrently for the entire TSM node.
#PresigGenGlobalLimit = 50000
# Controls which features of SEPH18S to enable. Each field corresponds to a method in the SDK.
#[SEPH18S.Features]
#GenerateKey = false
#GeneratePresignatures = false
#Sign = false
#SignWithPresignature = false
#GenerateRecoveryData = false
#PublicKey = false
#ChainCode = false
#Reshare = false
#CopyKey = false
#BackupKeyShare = false
#RestoreKeyShare = false
#ExportKeyShares = false
#ImportKeyShares = false
#BIP32GenerateSeed = false
#BIP32DeriveFromSeed = false
#BIP32DeriveFromKey = false
#BIP32ConvertKey = false
#BIP32ExportSeed = false
#BIP32ImportSeed = false
#BIP32Info = false
# Computes ECDSA signatures. This protocol only requires t < n. Cannot be enabled together with
# SEPH18S, or DKLS23.
#[DKLS19]
# Shortest allowed BIP-32 chain path.
#MinChainPathLength = 0
# Cache size for intermediate public keys when using BIP-32 chain paths.
#Bip32CacheSize = 1024
# Maximum number of presignatures that can be generated in one request.
#PresigGenRequestLimit = 100
# Maximum number of presignatures that can be generated concurrently for the entire TSM node.
#PresigGenGlobalLimit = 5000
# Controls which features of DKLS19 to enable. Each field corresponds to a method in the SDK.
#[DKLS19.Features]
#GenerateKey = false
#GeneratePresignatures = false
#Sign = false
#SignWithPresignature = false
#GenerateRecoveryData = false
#PublicKey = false
#ChainCode = false
#Reshare = false
#CopyKey = false
#BackupKeyShare = false
#RestoreKeyShare = false
#ExportKeyShares = false
#ImportKeyShares = false
#BIP32GenerateSeed = false
#BIP32DeriveFromSeed = false
#BIP32DeriveFromKey = false
#BIP32ConvertKey = false
#BIP32ExportSeed = false
#BIP32ImportSeed = false
#BIP32Info = false
# Computes ECDSA signatures. This protocol only requires t < n. Cannot be enabled together
# with SEPH18S, or DKLS19.
#[DKLS23]
# Shortest allowed BIP-32 chain path.
#MinChainPathLength = 0
# Cache size for intermediate public keys when using BIP-32 chain paths.
#Bip32CacheSize = 1024
# Maximum number of presignatures that can be generated in one request.
#PresigGenRequestLimit = 100
# Maximum number of presignatures that can be generated concurrently for the entire TSM node.
#PresigGenGlobalLimit = 5000
# Whether to allow running the protocol with optimization, possible values are: inMemory,
# database.
# More information: https://builder-vault-tsm.docs.blockdaemon.com/docs/mpc-protocols#dkls23
# DeactivatedPlayersCache = "inMemory"
# Controls which features of DKLS23 to enable. Each field corresponds to a method in the SDK.
#[DKLS23.Features]
#GenerateKey = false
#GeneratePresignatures = false
#Sign = false
#SignWithPresignature = false
#GenerateRecoveryData = false
#PublicKey = false
#ChainCode = false
#Reshare = false
#CopyKey = false
#BackupKeyShare = false
#RestoreKeyShare = false
#ExportKeyShares = false
#ImportKeyShares = false
#BIP32GenerateSeed = false
#BIP32DeriveFromSeed = false
#BIP32DeriveFromKey = false
#BIP32ConvertKey = false
#BIP32ExportSeed = false
#BIP32ImportSeed = false
#BIP32Info = false
# Computes Ed25519 and Ed448 signatures. This protocol only requires t < n.
#[SEPD19S]
# Shortest allowed chain path. A chain path is used to derive many keys from a single master
# key.
#MinChainPathLength = 0
# Maximum number of presignatures that can be generated in one request.
#PresigGenRequestLimit = 1000
# Maximum number of presignatures that can be generated concurrently for the entire TSM node.
#PresigGenGlobalLimit = 100000
# Controls which features of SEPD19S to enable. Each field corresponds to a method in the SDK.
#[SEPD19S.Features]
#GenerateKey = false
#GeneratePresignatures = false
#Sign = false
#SignWithPresignature = false
#GenerateRecoveryData = false
#PublicKey = false
#ChainCode = false
#Reshare = false
#CopyKey = false
#BackupKeyShare = false
#RestoreKeyShare = false
#ExportKeyShares = false
#ImportKeyShares = false
# Computes RSA signing and decryption.
#[ADN06]
# Controls which features of ADN06 to enable. Each field corresponds to a method in the SDK.
#[ADN06.Features]
#PublicKey = false
#SignPKCS1v15 = false
#SignPSS = false
#Decrypt = false
#ExportKeyShares = false
#ImportKeyShares = false
# Computes the ECDH function. This protocol only requires t < n.
#[SEPD20ECDH]
# Controls which features of SEPD20ECDH to enable. Each field corresponds to a method in the
# SDK.
#[SEPD20ECDH.Features]
#GenerateKey = false
#ComputeSecret = false
#PublicKey = false
# Sends a message to all players.
#[BROADCAST]
# Maximum size in bytes for a broadcast message.
#MaxMessageLength = 65536
# Controls which features of BROADCAST to enable. Each field corresponds to a method in the
# SDK.
#[BROADCAST.Features]
#SimpleBroadcast = false
#AdvancedBroadcast = false
# The following protocols are general MPC protocols used for AES, HMAC, AN10992 and RFC5649.
# At most one of them can be enabled at the same time. When in doubt use MRZ15.
# General MPC protocol for n = 3 and t = 1. Based on https://eprint.iacr.org/2015/931
#[MRZ15]
# Controls which AES features are enabled for MRZ15. Each field corresponds to a method in the # SDK.
#[MRZ15.AESFeatures]
#GenerateKey = false
#ExportKeyShares = false
#ImportKeyShares = false
#CTRKeyStream = false
#CBCEncrypt = false
#CBCDecrypt = false
#GCMEncrypt = false
#GCMDecrypt = false
#CMAC = false
# Controls which HMAC features are enabled for MRZ15. Each field corresponds to a method in the
# SDK.
#[MRZ15.HMACFeatures]
#GenerateKey = false
#ExportKeyShares = false
#ImportKeyShares = false
#HMACSHA256 = false
#HMACSHA512 = false
# Controls which AN10922 features are enabled for MRZ15. Each field corresponds to a method in
# the SDK.
#[MRZ15.AN10922Features]
#ImportKeyShares = false
#DeriveAESKey = false
#Checksum = false
# Controls which RFC5649 features are enabled for MRZ15. Each field corresponds to a method in
# the SDK.
#[MRZ15.RFC5649Features]
#ImportKeyShares = false
#AesWrapBlobWithPadding = false
# General MPC protocol two playeres. Based on https://eprint.iacr.org/2017/189
#[WRK17]
#KeySize = 16
#Rho = 40
#BucketSize = 4
# Controls which AES features are enabled for WRK17. Each field corresponds to a method in the
# SDK.
#[WRK17.AESFeatures]
#GenerateKey = false
#ExportKeyShares = false
#ImportKeyShares = false
#CTRKeyStream = false
#CBCEncrypt = false
#CBCDecrypt = false
#GCMEncrypt = false
#GCMDecrypt = false
#CMAC = false
# Controls which HMAC features are enabled for WRK17. Each field corresponds to a method in the
# SDK.
#[WRK17.HMACFeatures]
#GenerateKey = false
#ExportKeyShares = false
#ImportKeyShares = false
#HMACSHA256 = false
#HMACSHA512 = false
# Controls which AN10922 features are enabled for WRK17. Each field corresponds to a method in
# the SDK.
#[WRK17.AN10922Features]
#ImportKeyShares = false
#DeriveAESKey = false
#Checksum = false
Updated 22 days ago