Example Configuration File

The following shows a sample MPC node configuration file. It contains explanations of each configuration, and may serve as a summary of many of the topics discussed earlier in the Builder Vault User Manual.

# This is an example TSM node configuration file.
#
# A commented-out section means that the feature is either disabled or used with default values.
# Commented variables are listed with their default values.
# Uncommented values are mandatory.
#
# Configuration values can be overridden with environment variables by setting
# TSM_PATH_TO_VALUE, e.g. TSM_MPC_THRESHOLD=2 to set MPC.Threshold to 2

# Defines the operating mode of the TSM node.
#[Mode]

  # An embedded node does not listen on any ports and is used when integrating the TSM node
  # directly in an application.
  # When Embedded is enabled the player index must be 0. Usually an embedded node will not use
  # a configuration file, so only set this to true if you know what you are doing.
  #Embedded = false

# General configuration for MPC operations.
[MPC]

  # When migrating from an older version of the TSM this parameter specifies how many players 
  # were in that TSM. Now the number of players is set individually for each MPC operation.
  # Once a TSM is migrated to the new format, this parameter is no longer needed.
  #PlayerCount = 0
  
  # This used to be the security threshold for the entire TSM, but now the threshold is set
  # individually for each key. This parameter is only used when migrating from an older version
  # of the TSM where it is needed to properly convert key material to the new format. Once a
  # TSM is migrated to the new format, this parameter is no longer needed.
  #Threshold = 0
  
  # Time to wait before all required connections between the MPC nodes have been established.
  # When they have been established the MPC session will begin and the SessionTimeout will be
  # used (see below).
  #ConnectionTimeout = "10s"
  
  # Time to wait before an MPC session times out.
  #SessionTimeout = "3m"
  
  # When another node sends us a message related to a session that is not yet started, that
  # message (or connection) is stored as a pending session. We do this since not all sessions
  # can be started at exactly the same time. This parameter allows us to control the number of
  # pending sessions. Note that a malicious player can cause a denial of service attack by
  # filling up this buffer. This can be mitigated to some extent by controlling the order in
  # which sessions are started.
  #MaxPendingSessions = 10000

# Configuration for the local player
[Player]

  # All players in a TSM are identified by a player index. This is the index of the player 
  # running this TSM node. We refer to this player as the local player. Other players are
  # called remote players.
  Index = 0
  
  # This is a base64 encoding of the private key used to authenticate the local player towards 
  # the remote players. This must correspond to the public key configured on the remote
  # players for this player index. A private key can be generated using the following OpenSSL
  # commands:
  #
  #     openssl genpkey -algorithm ed25519 -outform DER -out private.key
  #     openssl base64 -A -in private.key; echo
  #
  # The commands above generate an Ed25519 key. If an EC key is used instead, P-256, P-384 or
  # P-521 can be chosen depending on the desired security level (128, 192 or 256 bits).
  #
  # This value is a secret: anyone holding it can impersonate this player towards the other
  # nodes. Restrict read access to this file, or supply the key through the environment
  # variable override (TSM_PLAYER_PRIVATEKEY, following the TSM_PATH_TO_VALUE rule above)
  # instead of storing it in the file.
  PrivateKey = "BA3E64=="
  
  # This is a list of base64 encodings of the DER encoding of the ASN.1 SubjectPublicKeyInfo 
  # structure of RSA public keys. This is an allow list of public keys that may be used as the 
  # wrapping key when exporting key shares. It is possible to use a single string of "*" to 
  # allow any public key to be used. Note that "*" lets any caller that is permitted to export 
  # wrap this player's key shares to a key of their own choosing, so avoid it outside test setups.
  ExportWhiteList = []

# The following is a list of players in the TSM with a static public key.
#
# If stream based communication is used (e.g. MPCTCPServer) then all players except player 0 
# must be configured with a  static public key. The logic is that lower numbered players open 
# connections to higher numbered players, so URLs are not needed for players with a lower 
# number than the local player.
#
# If packet based communication is used (e.g. MPCAMQPServer) then any player can be configured 
# here with a static key. Other players can participate in an MPC protocol, but their public 
# key must be provided when the MPC operation is started.
[Players.1]

  # The protocol and address of player with index 1. Supported protocols are tcp, ws and wss. 
  # If no protocol is specified then tcp is assumed. For tcp connections it is possible to 
  # specify the following additional options:
  #  - connectionPoolSize: Number of tcp connections to keep alive to this player if 
  # multiplexing is used. Default is 2.
  #  - connectionLifetime: Minimum lifetime of a tcp connection to this player. Default is 4 
  # hours.
  Address = "tcp://player1:9000?connectionPoolSize=2&connectionLifetime=4h"
  
  # This is a base64 encoding of the player's public key. A public key can be generated from the 
  # private key using the following OpenSSL commands:
  #
  #     openssl pkey -in private.key -pubout -outform DER -out public.key
  #     openssl base64 -A -in public.key; echo
  PublicKey = "BA3E64=="

#[Players.2]
  #Address = "..."
  #PublicKey = "..."

# User authentication settings.
#[Authentication]

  # Lifetime of the tokens for password based user authentication
  #TokenLifetime = "5m"
  
  # List of API keys used for authentication in SDKv2
  #[[Authentication.APIKeys]]
  
    # Only for SDK V2
    # Base64 encoded hash of the API key. A hash for the API key foobar can be generated with 
    # the following command:
    #
    #     echo -n "foobar" | openssl dgst -sha256 -binary | openssl base64
    #
    # Crypt hashes with the following algorithms are also supported: MD5, SHA256, SHA512, 
    # bcrypt, Argon2i, Argon2id. Avoid MD5 for new deployments. A plain SHA-256 hash is only 
    # adequate when the API key itself is a long random value generated with a CSPRNG; if keys 
    # may be low-entropy (e.g. chosen by a person), prefer bcrypt or Argon2id.
    
    #APIKey = ""
    # Users with the given API key will be mapped to this user in the system. If the user does 
    # not exist, it will be created automatically. Set this to an existing user ID to migrate 
    # from password to API key authentication.
    #ApplicationID = ""

# Setting related to authentication of users based on TLS client certificates.
#[TLSUserAuthentication]

  # Points to a file containing PEM encoded certificates of CAs from which client certificates 
  # are accepted.
  #ClientCAFile = ""

	# Contains a comma separated list of base64 encoded certificates of CAs from which client 
  # certificates are accepted.
  #ClientCAList = ""
  # Enable OCSP validation of client certificates.
  #OCSP = false
  
  # Require the client to send a stapled OCSP response, otherwise validation will fail.
  #OCSPRequireStapling = false
  
  # If true then only the leaf certificate is validated. Otherwise, the entire chain is 
  # validated.
  #OCSPValidateLeafOnly = false
  
  # Lifetime of cached OCSP responses, e.g "1h30m". A value of 0 means that ValidUntil from the 
	# OCSP response is used, otherwise the value of CacheTTL is used if it comes before 
  # ValidUntil.
  #OCSPCacheTTL = "10m"

	# Use this URL for all OCSP responders, regardless of what the certificate says.
  #OCSPResponderURL = ""
  
  # Use this hash algorithm for OCSP requests, usually SHA-1 or SHA-256. If empty then SHA-256 
  # is used.
  #OCSPHashAlgorithm = ""

  # If no applications are specified, all certificates issued by the configured CAs will be 
  # granted access, and given an ID deduced from the Subject and Issuer of the certificate. 
  # In that case make sure ClientCAFile/ClientCAList point at a CA dedicated to this TSM and 
  # not a public or shared CA, since every certificate it issues becomes a valid login.
  # Access to applications is given based on values set in the certificates matching the values 
  # set in the filters below.
  # To get a list of OIDs, here is an example:
  #
  #     openssl list -objects | grep -i ", 2.5.4"
  #
  # The following text strings can also be used as keys:
  # "commonName", "country", "locality", "stateOrProvince", "streetAddress", "organization", 
  # "organizationalUnit", "postalCode", "serialNumber", "givenName", and "surname"
  # For values expecting an array of strings, use "v1, v2"
  # You can use SerialNumber directly (certificate root field) or any fields found under 
  # Subject ("Subject/...") or
  # Issuer ("Issuer/...")
  #[[TLSUserAuthentication.Applications]]
  #ID = "MyApplicationID"
  #[[TLSUserAuthentication.Applications.Filters]]
  #"Issuer/2.5.4.3" = "value 00"             # commonName in Issuer
  #"Subject/2.5.4.6" = "value 01, value 02"  # country in Subject
  #"Subject/2.5.4.11" = "value 03"           # organizationalUnit in Subject
  #[[TLSUserAuthentication.Applications.Filters]]
  #"Issuer/Organization" = "value 10"        # organization in Issuer
  #"Serialnumber" = "value 13"               # The certificate serial number

# Setting related to authentication of users based on OIDC Access Tokens.
#[OIDCAccessTokenAuthentication]

  # List of supported OIDC issuer URLs.
  #OIDCIssuers = []
  
  # Configuration for applications that are allowed to access the TSM
  #[[OIDCAccessTokenAuthentication.AccessTokens]]
  
    # The ID of the application to authenticate, or a reference to a claim whose value should
    # be used as application ID. Application IDs must match the regex ^[a-zA-Z0-9_-]+$. This
    # will map to a certain set of key IDs. With the $CLAIM form the application ID, and thereby
    # the set of key IDs reachable, is chosen by the token issuer, so only use it with issuers
    # you fully control.
    # ApplicationID = "application ID" | "$CLAIM:claim"

    # Must match audience (aud) in access token
    # Audience = "audience value"

    # EITHER 
    #   The URL of the discovery document for this access token, used to retrieve the public
    #   key. Defaults to issuer + "/.well-known/openid-configuration".
    # OR
    #   if PublicKey is specified, DiscoveryDocURL is ignored.
    # DiscoveryDocURL = issuer + "/.well-known/openid-configuration"

    # The public key used to verify the signature of access tokens matched by this entry, as a
    # base64 encoding of the DER public key. When set, it is used instead of fetching keys via
    # the discovery document (see DiscoveryDocURL above). A public key can be generated from an
    # EC private key using the following OpenSSL commands:
    #
    #     openssl ec -inform DER -in private.key -pubout -outform DER -out public.key
    #     openssl base64 -A -in public.key; echo
    #
    # PublicKey = "BA3E64=="

    # The claims which the access token needs to match. If no claims are required, you still
    # need to add an empty section.
    #[[OIDCAccessTokenAuthentication.AccessTokens.claims]]
    #  claim0 = "claim value 0"
    #[[OIDCAccessTokenAuthentication.AccessTokens.claims]]
    #  claim1 = "claim value 1"
    #  claim2 = "claim value 2"

# Database connection configuration.
[Database]

  # The driver used for the database. The following database drivers are supported: sqlite3, 
  # mysql and postgres.
  DriverName = "sqlite3"

	# The name of the datasource. This example shows a SQLite file backed database. For MySQL an 
  # example of a datasource name could be:
  #
  #     USER:PASSWORD@HOST:3306/DATABASE_NAME?parseTime=true
  #
  # and for postgres:
  #
  #     postgres://USER:PASSWORD@HOST:5432/DATABASE_NAME?sslmode=disable
  #
  # The datasource name embeds the database password, so treat this file as a secret or supply 
  # the value through the environment variable override. The postgres example uses 
  # sslmode=disable, which sends the credentials and all database traffic unencrypted; in 
  # production use sslmode=verify-full (or at least require) with a trusted CA. A SQLite file 
  # under /tmp, as in the example below, is only suitable for local testing.
  DataSourceName = "/tmp/tsmdb"

	# This specifies a master encryption key used to protect database records. Note that this key 
  # is not directly used to encrypt data. Use a long random string here (generated with a 
  # CSPRNG, never the placeholder below) and make sure to keep a backup of it somewhere safe: 
  # without it the protected database records cannot be recovered. Prefer EncryptorKeyFile or 
  # the environment variable override to keeping the value in this file.
  EncryptorMasterPassword = "ENCRYPTION_KEY"

	# An alternative to specifying a password for encryption is to use a key file. Here the 
  # content of the key file is hashed and used as the master password. This is useful if one 
  # does not want to store the master password in the configuration file. After the TSM node 
  # has started up this file is no longer needed until next startup.
  #EncryptorKeyFile = ""

	# Allows specifying a plugin that is loaded and used before the internal TSM encryption is 
  # performed. Any handling of the data is done in addition to the normal encryption. The 
  # plugin path can be absolute, or local. If local it will need to be located in the path of 
  # LD_LIBRARY_PATH. Prefer an absolute path to a location writable only by root: the plugin 
  # runs inside the TSM process and sees key shares, so anyone able to place a library in a 
  # directory on LD_LIBRARY_PATH could otherwise substitute it. The plugin must implement the 
  # plugin functions defined in the plugin-interface.h header file.
  # The plugin MUST ensure that keyshares are handled securely, as failure to do so may 
  # compromise the security of the installation.
  #ExternalEncryptorPlugin = ""

	# The maximum number of idle connections in the database connection pool. When using SQLite 
  # this should be set to 1.
  #MaxIdleConns = 500

	# The maximum number of open connections in the database connection pool. When using SQLite 
  # this should be set to 1.
  #MaxOpenConns = 500

	# The maximum time a database connection can be open before it is closed. A value of 0 
  # disables closing of connections.
  #ConnMaxLifetime = "3m"

	# The maximum time a database connection can be idle before it is close. A value of 0 
  # disables closing of idle connections.
  #ConnMaxIdleTime = 0

	# Controls how long key shares should be cached in memory. Setting this too high can cause 
  # issues when running in a load balanced setup together with operations that modify key 
  # shares, such as reshare.
  #KeyShareCacheTTL = "1s"

# MPC server accepting multiplexed TCP connections from other players.
# At least one MPC server must be specified if the player index is greater than 0.
[MPCTCPServer]

	# Port number that this server listens on.
  Port = 9000
  
  # Settings this to true disables multiplexing.
  #DisableMultiplexing = false

# MPC server accepting WebSocket connections from other players.
# At least one MPC server must be specified if the player index is greater than 0.
#[MPCWebSocketServer]
  
  # Port number that this server listens on.
  #Port = 9001
  
  # Points to a file containing a PEM encoded certificate which will be used for this 
  # connection. Setting this enables the use of WSS instead of WS.
  #CertificateFile = ""

	# The private key corresponding to the certificate above.
  #CertificateKeyFile = ""

# MPC server using an AMQP message broker to communicate with other players. Cannot be used 
# with other MPC servers.
#[MPCAMQPServer]
  
  # URL for the AMQP message broker.
  # For a local test instance with the default vhost and guest user the following URL can be 
  # used. The guest account is a well known default; never use it, or an unauthenticated 
  # broker, outside local testing:
  #
  #     amqp://guest:guest@localhost:5672/
  #ServerURL = ""
  
  # When connection to the broker drops or sending of a message fails, how long should we wait 
  # before retrying
  #RetryDelay = "5s"
  
  # Specify how many channels should be used when sending messages to the broker. You might 
  # want to increase this value if you enable PublisherConfirms below.
  #ChannelPoolSize = 2

	# Use the RabbitMQ specific publisher confirms feature. This configures the RabbitMQ server 
  # to confirm each message before that message is considered delivered by the client. This 
  # makes the communication with the broker more resilient when the broker restarts or the 
  # network connection fails during a session, but it also has a performance impact.
  #PublisherConfirms = false
 
  # Instruct the message broker to persist messages. If using durable queues this ensures that 
  # messages will survive a restart of the broker.
  #PersistMessages = false

	# If DynamicQueues is true then a new queue is created on the broker for each session, 
  # instead of using a fixed queue for each player. Dynamic queues are less reliable in case of 
  # network failures, but allows for multiple nodes behind a load balancer. The parameters 
  # PublisherConfirms, PersistMessages and SkipSetup have no effect on dynamic queues.
  # All players must use the same type of queues.
  #DynamicQueues = false
  
  # If SkipSetup is false the client will automatically create exchange and queues on the 
  # broker. However, if you need more control over who can send and receive messages set this 
  # to true and configure the broker like this:
  #
  # First you need to know how to get the player ID of a player. The player ID is computed by 
  # first using SHA-256 to hash the public key and then base64 URL encode (without padding) the 
  # output of the hash function.
  #
  # 1. Create a direct exchange with the name tsm.direct
  # 2. Create a queue for each player with the name tsm.playerID and an x-message-ttl of 
  #    session timeout + connection timeout
  # 3. Bind the queues above to the exchange with the queue name as the binding key
  # 4. Grant all users write access to the exchange
  # 5. Grant all users read access to their own queue only, so that one player cannot consume 
  #    messages addressed to another player
  #SkipSetup = false

# MPC server using Redis to communicate with other players. Cannot be used with other MPC 
# servers.
#
# It's recommended that you restrict what users can do on the Redis server. To create a user 
# 'player0' with password 'pw0' for use by a TSM node, you need the following ACL:
#
# ACL SETUSER player0 on >pw0 ~tsm:* +ping +blmpop +rpush +expire
#
# The +expire permission is only needed if ExpireKeys is set to true; it can be omitted from 
# the list above otherwise. Use a strong, unique password per player rather than the 'pw0' 
# placeholder.
#[MPCRedisServer]

	# URL for the Redis server.
  # For a local instance with no access control the following URL can be used. Do not run 
  # without authentication outside local testing; the MPC messages of all players pass through 
  # this server:
  #
  # redis://localhost:6379/0
  #ServerURL = ""
  
  # Redis pipelining is used when sending messages. This is the maximum number of messages that 
  # goes into one pipeline before being sent to the Redis server.
  #SendBatchSize = 20

	# When calling BLMPOP to retrieve messages from Redis, this is the maximum number of lists to 
  # query in one call.
  #ReceiveBatchSize = 20
  
  # This controls how many Redis connections are used for fetching messages from the server.
  #MaxMessageReceivers = 30
  
  # Number of sessions that can be running at the same time on this TSM node. If you don't need 
  # that many sessions, you can lower this number and save a little memory.
  #MaxSessions = 10000

	# Choose whether keys will automatically expire or not. Under normal operation keys will be 
  # deleted once the MPC
  # session finishes, but in case of MPC session failure some data might remain.
  # Automatically expiring keys are disabled by default since it's normally handled by the 
  # servers eviction policy.
  #ExpireKeys = false
  
  # Set this to true if you are running a Redis cluster. Only use this if you really need a 
  # Redis cluster. In most cases you will get much better performance without a cluster.
  #ClusterMode = false

# Server accepting connections from the SDK. This must be specified unless the TSM node is 
# running as a local node. Without CertificateFile/CertificateBytes (see below) this server 
# speaks plain HTTP, so API keys, tokens and request data cross the network unencrypted; enable 
# HTTPS here or terminate TLS in front of the node.
[SDKServer]
  
  # Port number that this server listens on.
  Port = 8080
  
  # Points to a file containing PEM encoded certificates of root CAs for the server 
  # certificate. Currently, this is only used when the server is configured to do OCSP 
  # stapling.
  #CAFile = ""
  
  # Contains a comma separated list of base64 encoded certificates of root CAs for the server 
	# certificate. Currently, this is only used when the server is configured to do OCSP 
  # stapling.
  #CAList = ""
  
  # Points to a file containing a PEM encoded certificate (and any intermediates) which will be 
  # used for this connection. Setting this enables the use of HTTPS instead of HTTP.
  #CertificateFile = ""

	# This contains the base64 certificate inline instead of giving it in a file in the previous 
  # entry.
  #CertificateBytes = ""
  
  # The private key corresponding to the certificate above.
  #CertificateKeyFile = ""
  
  # This contains the Base64 PKCS#8 private key inline instead of giving it in a file in the 
  # previous entry.
  #CertificateKeyBytes = ""
  
  # Performs OCSP stapling by attaching an OCSP response to the server certificate.
  #OCSPStaple = false
  
  # Lifetime of cached OCSP responses, e.g "1h30m". A value of 0 means that ValidUntil from the 
  # OCSP response is used, otherwise the value of CacheTTL is used if it comes before 
  # ValidUntil.
  #OCSPCacheTTL = "10m"
  
  # Use this URL for all OCSP responders, regardless of what the certificate says.
  #OCSPResponderURL = ""
  
  # Use this hash algorithm for OCSP requests, usually SHA-1 or SHA-256. If empty then SHA-256 
  # is used.
  #OCSPHashAlgorithm = ""
  
  # HTTP response headers added by the SDK server, e.g. for CORS when the SDK is used from a 
  # browser. Access-Control-Allow-Origin = "*" lets any web origin call this server; list the 
  # specific origins you expect instead unless the node is only reachable from trusted clients.
  #[SDKServer.HTTPResponseHeaders]
  #  Access-Control-Allow-Origin = "*"
  #  Access-Control-Allow-Methods = "POST, PUT, GET, DELETE, OPTIONS"
  #  Access-Control-Allow-Headers = "MPC-SessionID, MPC-Players, Authorization, Content-Type"

# This setting enables multiple instances of the same player to be placed behind a load 
# balancer. Each instance will either handle sessions itself or route the traffic to other 
# instances.
#[MultiInstance]
  
  # IP address where this instance can be reached from other the instances. If not specified an 
  # auto-detected address is used and this might not be the address you want if there are 
  # multiple IP addresses associated with the system.
  #Address = ""
  
  # SDK port announced to the other nodes. If not specified it defaults to the SDK port from 
  # the [SDKServer] section.
  #SDKPort = 0
  
  # MPC port announced to the other nodes. If not specified it defaults to the MPC port from 
  # the [MPCTCPServer] section.
  #MPCPort = 0
  
  # How often should we run a cleanup job that purges old routing entries from the database.
  #CleanupInterval = "5m"
  
  # Every CleanupInterval the cleanup job will run with this probability. 0 means never and 100 
  # means always.
  #CleanupProbability = 25

# This section is used for initializing the server with values specified in the configuration 
# instead of other sources.
#[Initializers]
  
  # This adds the option to set the wrapping key used for exporting key shares. It will only
  # work if the wrapping key has not already been set or generated. This must be an RSA key in 
  # a DER encoded PKCS#1 structure.
  #WrappingPrivateKey = "BA3E64=="
  
  # The following two entries can be used to bootstrap the node to a specific Administrator 
  # name and password. If used, both entries must be set in which case the administrator will 
  # be created with the specified password. This will only work if an administrator has not 
  # already been created. Because this leaves the administrator password in clear text, remove 
  # both entries (or the corresponding environment variables) once the node has started for 
  # the first time.
  #AdministratorUsername = ""
  #AdministratorPassword = ""

# Server used to access various internal performance counters, both Golang and MPC related. 
# Default format is Golang's built-in expvar. Can be configured to be Prometheus. Keep this 
# port reachable only from your monitoring network; do not expose it on a public interface.
#[MetricsServer]
  
  #Port = 10000
  
  #Prometheus = false

  # For use in a browser (e.g. WASM), the following values should be set. The wildcard origin 
  # lets any web page read the metrics; restrict it to the origins you expect.
  #[MetricsServer.HTTPResponseHeaders]
  #  Access-Control-Allow-Origin = "*"
  #  Access-Control-Allow-Methods = "POST, PUT, GET, DELETE, OPTIONS"
  #  Access-Control-Allow-Headers = "MPC-SessionID, MPC-Players, Authorization, Content-Type"

# Server used for serving runtime profiling data in the format expected by the pprof 
# visualization tool. This requires that the TSM node is compiled with profiling enabled. Only 
# used for internal debugging; keep it disabled in production, as pprof output exposes internal 
# state such as goroutine stack traces.
#[ProfilingServer]
  #Port = 11000

# Configures system logging for the TSM node. The top level values specifies a default logger. 
# For more advanced logging configuration, specify one or more of the [Log.X] configurations 
# below. If any of these configurations are specified, they will override the top level 
# configuration.
#[Log]
  
  # Log level. Possible values are INFO, WARN, ERROR and DEBUG. If not specified it default to 
  # INFO.
  #Level = "INFO"
  
  # Log format. Possible values are TEXT and JSON. If not specified it default to TEXT.
  #Format = "TEXT"
  
  # If specified, logs will be written to this file. If empty, logs will be written to standard 
  # out.
  #FilePath = ""
  
  # Set to true to log the filename and line number where the logging operation occurred.
  #ReportCaller = true

  # This logger logs to standard out.
  #[Log.StdoutLogger]
    # Log level. Possible values are INFO, WARN, ERROR and DEBUG. If not specified it default 
    # to INFO.
    #Level = "INFO"
    
    # Log format. Possible values are TEXT and JSON. If not specified it default to TEXT.
    #Format = "TEXT"
    
    # Set to true to log the filename and line number where the logging operation occurred.
    #ReportCaller = true

  # These logger log to files. It is possible to specify more than one file logger to log to 
  # different files.
 	#[[Log.FileLoggers]]
    
    # Log level. Possible values are INFO, WARN, ERROR and DEBUG. If not specified it default 
    # to INFO.
    #Level = "INFO"
    
    # Log format. Possible values are TEXT and JSON. If not specified it default to TEXT.
    #Format = "TEXT"
    
    # Log to this file. If it does not exist, it will be created.
    #FilePath = ""
    # Set to true to log the filename and line number where the logging operation occurred.
    #ReportCaller = true

	  # This logger logs to syslog.
   	#[Log.SyslogLogger]
   
   	# Log level. Possible values are INFO, WARN, ERROR and DEBUG. If not specified it default 
    # to INFO.
	  #Level = "INFO"
		
    # Log format. Possible values are TEXT and JSON. If not specified it default to TEXT.
   	#Format = "TEXT"
   
    # Set to true to log the filename and line number where the logging operation occurred.
    #ReportCaller = true

    # This logger logs to AWS CloudWatch.
    #[Log.CloudWatchLogger]
    
    # Log level. Possible values are INFO, WARN, ERROR and DEBUG. If not specified it default 
    # to INFO.
    #Level = "INFO"
    
    # Specify the AWS region here. This field is required.
    #Region = ""
    
    # Specify the AWS log group name. This field is required.
    #LogGroupName = ""
    
    # Specify the AWS log stream name. This field is required.
    #LogStreamName = ""
    
    # Set to true to log the filename and line number where the logging operation occurred.
    #ReportCaller = true

  # This logger will discard all logs. Set this as the only logger to disable logging 
  # completely. Adding this in addition to other loggers has no effect.
  #[Log.DiscardLogger]

# If this section is present then certain operations on the TSM node are stored in an audit 
# log. The audit log is periodically signed and uploaded to an audit receiver.
#[Audit]

  # URL of the audit receiver. Can be a file, HTTP location or s3 location: file://, https://, 
  # s3://. For an https:// receiver the audit logs are sent to this URL using HTTP POST 
  # requests.
  #ReceiverURL = ""

	# Public key of the audit receiver. This corresponds to the public key in the TLS 
  # certificate.
  #ReceiverPublicKey = "BA3E64=="

  # Private key used to establish a connection to the audit receiver using mTLS.
  #ClientPrivateKey = "BA3E64=="
  
  # Log entries are signed before they are uploaded to the audit receiver. This is the 32 byte 
  # seed used to generate an Ed25519 signing key per RFC-8032. Keep the seed secret: anyone 
  # holding it can produce validly signed audit entries.
  #LogEntrySigningKeySeed = "BA3E64=="

	# Maximum number of audit log entries that are sent in one request.
  #MaxBatchSize = 50

	# Minimum time to wait before checking for new audit log entries to upload.
  #MinWaitTime = "15s"
  
  # Maximum time to wait before checking for new audit log entries to upload.
  #MaxWaitTime = "2m"

# When using an S3-compatible API as the ReceiverURL in [Audit], specify any
# non-standard S3 related parameters here
#[Audit.S3EndpointConfig]
  
  # If not using the default S3 endpoint, specify the custom one here
	#EndpointURL = ""
  
  # AWS or S3-compatible API region
	#Region = ""
  
  # Authorization keys for the S3-compatible API. These are long-lived credentials; prefer the 
  # environment variable override to storing them in this file, and scope them to the audit 
  # bucket only.
	#SecretAccessKey = ""
	#AccessKeyId = ""
	#SessionToken = ""

# The configurations below are for the individual MPC protocols supported by the TSM. Comment a 
# protocol to disable it. In the following n denotes the total number of players and t is the 
# security threshold.

# Computes ECDSA signatures. This protocol requires n >= 2t+1. Cannot be enabled together with 
# DKLS19, or DKLS23.
#[SEPH18S]
  
  # Shortest allowed BIP-32 chain path.
  #MinChainPathLength = 0
  
  # Cache size for intermediate public keys when using BIP-32 chain paths.
  #Bip32CacheSize = 1024
  
  # Maximum number of presignatures that can be generated in one request.
  #PresigGenRequestLimit = 1000
  
  # Maximum number of presignatures that can be generated concurrently for the entire TSM node.
  #PresigGenGlobalLimit = 50000

# Controls which features of SEPH18S to enable. Each field corresponds to a method in the SDK.
#[SEPH18S.Features]
  #GenerateKey = false
  #GeneratePresignatures = false
  #Sign = false
  #SignWithPresignature = false
  #GenerateRecoveryData = false
  #PublicKey = false
  #ChainCode = false
  #Reshare = false
  #CopyKey = false
  #BackupKeyShare = false
  #RestoreKeyShare = false
  #ExportKeyShares = false
  #ImportKeyShares = false
  #BIP32GenerateSeed = false
  #BIP32DeriveFromSeed = false
  #BIP32DeriveFromKey = false
  #BIP32ConvertKey = false
  #BIP32ExportSeed = false
  #BIP32ImportSeed = false
  #BIP32Info = false

# Computes ECDSA signatures. This protocol only requires t < n. Cannot be enabled together with 
# SEPH18S, or DKLS23.
#[DKLS19]
  
  # Shortest allowed BIP-32 chain path.
  #MinChainPathLength = 0
  
  # Cache size for intermediate public keys when using BIP-32 chain paths.
  #Bip32CacheSize = 1024
  
  # Maximum number of presignatures that can be generated in one request.
  #PresigGenRequestLimit = 100
  
  # Maximum number of presignatures that can be generated concurrently for the entire TSM node.
  #PresigGenGlobalLimit = 5000

# Controls which features of DKLS19 to enable. Each field corresponds to a method in the SDK.
#[DKLS19.Features]
  #GenerateKey = false
  #GeneratePresignatures = false
  #Sign = false
  #SignWithPresignature = false
  #GenerateRecoveryData = false
  #PublicKey = false
  #ChainCode = false
  #Reshare = false
  #CopyKey = false
  #BackupKeyShare = false
  #RestoreKeyShare = false
  #ExportKeyShares = false
  #ImportKeyShares = false
  #BIP32GenerateSeed = false
  #BIP32DeriveFromSeed = false
  #BIP32DeriveFromKey = false
  #BIP32ConvertKey = false
  #BIP32ExportSeed = false
  #BIP32ImportSeed = false
  #BIP32Info = false

# Computes ECDSA signatures. This protocol only requires t < n. Cannot be enabled together 
# with SEPH18S, or DKLS19.
#[DKLS23]

	# Shortest allowed BIP-32 chain path.
  #MinChainPathLength = 0
  
  # Cache size for intermediate public keys when using BIP-32 chain paths.
  #Bip32CacheSize = 1024
  
  # Maximum number of presignatures that can be generated in one request.
  #PresigGenRequestLimit = 100
  
  # Maximum number of presignatures that can be generated concurrently for the entire TSM node.
  #PresigGenGlobalLimit = 5000
  
  # Whether to allow running the protocol with optimization, possible values are: inMemory, 
  # database.
  # More information: https://builder-vault-tsm.docs.blockdaemon.com/docs/mpc-protocols#dkls23
  # DeactivatedPlayersCache = "inMemory"

  # Controls which features of DKLS23 to enable. Each field corresponds to a method in the SDK.
  #[DKLS23.Features]
  #GenerateKey = false
  #GeneratePresignatures = false
  #Sign = false
  #SignWithPresignature = false
  #GenerateRecoveryData = false
  #PublicKey = false
  #ChainCode = false
  #Reshare = false
  #CopyKey = false
  #BackupKeyShare = false
  #RestoreKeyShare = false
  #ExportKeyShares = false
  #ImportKeyShares = false
  #BIP32GenerateSeed = false
  #BIP32DeriveFromSeed = false
  #BIP32DeriveFromKey = false
  #BIP32ConvertKey = false
  #BIP32ExportSeed = false
  #BIP32ImportSeed = false
  #BIP32Info = false


# Computes Ed25519 and Ed448 signatures. This protocol only requires t < n.
#[SEPD19S]
  
  # Shortest allowed chain path. A chain path is used to derive many keys from a single master 
  # key.
  #MinChainPathLength = 0
  
  # Maximum number of presignatures that can be generated in one request.
  #PresigGenRequestLimit = 1000
  
  # Maximum number of presignatures that can be generated concurrently for the entire TSM node.
  #PresigGenGlobalLimit = 100000

# Controls which features of SEPD19S to enable. Each field corresponds to a method in the SDK.
#[SEPD19S.Features]
  #GenerateKey = false
  #GeneratePresignatures = false
  #Sign = false
  #SignWithPresignature = false
  #GenerateRecoveryData = false
  #PublicKey = false
  #ChainCode = false
  #Reshare = false
  #CopyKey = false
  #BackupKeyShare = false
  #RestoreKeyShare = false
  #ExportKeyShares = false
  #ImportKeyShares = false

# Computes RSA signing and decryption.
#[ADN06]

# Controls which features of ADN06 to enable. Each field corresponds to a method in the SDK.
#[ADN06.Features]
  #PublicKey = false
  #SignPKCS1v15 = false
  #SignPSS = false
  #Decrypt = false
  #ExportKeyShares = false
  #ImportKeyShares = false

# Computes the ECDH function. This protocol only requires t < n.
#[SEPD20ECDH]

# Controls which features of SEPD20ECDH to enable. Each field corresponds to a method in the 
# SDK.
#[SEPD20ECDH.Features]
  #GenerateKey = false
  #ComputeSecret = false
  #PublicKey = false

# Sends a message to all players.
#[BROADCAST]
  # Maximum size in bytes for a broadcast message.
  #MaxMessageLength = 65536

# Controls which features of BROADCAST to enable. Each field corresponds to a method in the 
# SDK.
#[BROADCAST.Features]
  #SimpleBroadcast = false
  #AdvancedBroadcast = false

# The following protocols are general MPC protocols used for AES, HMAC, AN10922 and RFC5649.
# At most one of them can be enabled at the same time. When in doubt use MRZ15.

# General MPC protocol for n = 3 and t = 1. Based on https://eprint.iacr.org/2015/931
#[MRZ15]

# Controls which AES features are enabled for MRZ15. Each field corresponds to a method in the 
# SDK.
#[MRZ15.AESFeatures]
  #GenerateKey = false
  #ExportKeyShares = false
  #ImportKeyShares = false
  #CTRKeyStream = false
  #CBCEncrypt = false
  #CBCDecrypt = false
  #GCMEncrypt = false
  #GCMDecrypt = false
  #CMAC = false

# Controls which HMAC features are enabled for MRZ15. Each field corresponds to a method in the 
# SDK.
#[MRZ15.HMACFeatures]
  #GenerateKey = false
  #ExportKeyShares = false
  #ImportKeyShares = false
  #HMACSHA256 = false
  #HMACSHA512 = false

# Controls which AN10922 features are enabled for MRZ15. Each field corresponds to a method in 
# the SDK.
#[MRZ15.AN10922Features]
  #ImportKeyShares = false
  #DeriveAESKey = false
  #Checksum = false

# Controls which RFC5649 features are enabled for MRZ15. Each field corresponds to a method in 
# the SDK.
#[MRZ15.RFC5649Features]
  #ImportKeyShares = false
  #AesWrapBlobWithPadding = false

# General MPC protocol for two players. Based on https://eprint.iacr.org/2017/189
#[WRK17]
  #KeySize = 16
  #Rho = 40
  #BucketSize = 4

# Controls which AES features are enabled for WRK17. Each field corresponds to a method in the 
# SDK.
#[WRK17.AESFeatures]
  #GenerateKey = false
  #ExportKeyShares = false
  #ImportKeyShares = false
  #CTRKeyStream = false
  #CBCEncrypt = false
  #CBCDecrypt = false
  #GCMEncrypt = false
  #GCMDecrypt = false
  #CMAC = false

# Controls which HMAC features are enabled for WRK17. Each field corresponds to a method in the 
# SDK.
#[WRK17.HMACFeatures]
  #GenerateKey = false
  #ExportKeyShares = false
  #ImportKeyShares = false
  #HMACSHA256 = false
  #HMACSHA512 = false

# Controls which AN10922 features are enabled for WRK17. Each field corresponds to a method in 
# the SDK.
#[WRK17.AN10922Features]
  #ImportKeyShares = false
  #DeriveAESKey = false
  #Checksum = false