Example Configuration File
The following shows a sample MPC node configuration file. It contains explanations of each configuration, and may serve as a summary of many of the topics discussed earlier in the Builder Vault User Manual.
# This is an example TSM node configuration file.
#
# Commented sections mean that the feature is either disabled or used with default values.
# Commented variables are listed with their default values.
# Uncommented values are mandatory.
#
# This file holds secrets: PrivateKey, EncryptorMasterPassword, database credentials in the datasource name, the
# audit client/signing keys and any S3 credentials. Restrict its permissions to the user running the TSM node, keep it
# out of version control and logs, and prefer the file-based alternatives (e.g. EncryptorKeyFile) where one exists.
# Defines the operating mode of the TSM node.
#[Mode]
# An embedded node does not listen on any ports and is used when integrating the TSM node directly in an application.
# Usually an embedded node will not use a configuration file, so only set this to true if you know what you are doing.
#Embedded = false
# General configuration for MPC operations.
[MPC]
# When migrating from an older version of the TSM, this parameter specifies how many players were in that TSM. Now the
# number of players is set individually for each MPC operation. Once a TSM is migrated to the new format, this
# parameter is no longer needed.
#PlayerCount = 0
# This used to be the security threshold for the entire TSM, but now the threshold is set individually for each key.
# This parameter is only used when migrating from an older version of the TSM where it is necessary to properly convert
# key material to the new format. Once a TSM is migrated to the new format, this parameter is no longer needed.
#Threshold = 0
# Time to wait before all required connections between the MPC nodes have been established.
# When they have been established, the MPC session will begin, and the SessionTimeout will be used (see below).
#ConnectionTimeout = "10s"
# Time to wait before an MPC session times out.
#SessionTimeout = "3m"
# When another node sends us a message related to a session that is not yet started, that message (or connection) is
# stored as a pending session. We do this since not all sessions can be started at exactly the same time. This
# parameter allows us to control the number of pending sessions. Note that a malicious player can cause a denial-of-
# service attack by filling up this buffer. This can be mitigated to some extent by controlling the order in which
# sessions are started.
#MaxPendingSessions = 10000
# Configuration for the local player
[Player]
# A player index identifies all players in a TSM. This is the index of the player running this TSM node.
# We refer to this player as the local player. Other players are called remote players.
Index = 0
# This is a base64 encoding of the private key used to authenticate the local player towards the remote players. This
# must correspond to the public keys configured on the remote players for this player index. A private key can be
# generated using the following OpenSSL commands:
#
# openssl genpkey -algorithm ed25519 -outform DER -out private.key
# openssl base64 -A -in private.key; echo
#
# Note that the commands above generate an Ed25519 key. The curve remark applies when an EC (ECDSA) key is used
# instead: choose P-256, P-384 or P-521 depending on the desired security level (128, 192 or 256 bits). Check which
# key types your TSM version accepts before generating the key.
PrivateKey = "BA3E64=="
# Each node has an RSA wrapping key used for importing data. Here you can specify the default size of this key.
#WrappingKeySize = 4096
# This is a list of base64 encodings of DER encoding of the ASN.1 SubjectPublicKeyInfo structure of RSA public keys.
# This is a whitelist of public keys that are allowed to be used with export. It is possible to use a single string
# of "*" to allow any public key to be used. Note that "*" lets any caller authorized to export wrap key material to
# a key of their own choosing, so keep the list restricted to known keys in production.
#ExportWhiteList = []
# The following is a list of players in the TSM with a static public key.
#
# If stream-based communication is used (e.g. MPCTCPServer), then all players except player 0 must be configured with a
# static public key. The logic is that lower-numbered players open connections to higher numbered players, so URLs
# are not needed for players with a lower number than the local player.
#
# If packet-based communication is used (e.g. everything except MPCTCPServer), then any player can be configured here
# with a static key and address. Other players can participate in an MPC protocol, but their public key and address must
# be provided when the MPC operation is started.
[Players.1]
# This is a base64 encoding of the player public key. A public key can be generated from the private key using the
# following OpenSSL commands:
#
# openssl pkey -in private.key -pubout -outform DER -out public.key
# openssl base64 -A -in public.key; echo
PublicKey = "BA3E64=="
# The Address field defines how the node should communicate with player 1.
# You can specify one of the following schemes:
#
# tcp, tcps, ws, wss - Direct connections over TCP or WebSocket, with or without TLS.
#
# incoming - Indicates that the player should listen for an incoming connection rather than initiating one.
# Example: incoming://
#
# broker - Indicates that communication with player 1 should happen through the configured message broker.
# Example: broker://
#
# If the Address is left empty, the node will automatically choose either incoming or broker, depending on which MPC servers are enabled.
#
# If the node cannot uniquely determine the correct scheme from the configuration, it will fail on startup and return an error.
#
# It is possible to specify additional options for the connection:
#
# connectionPoolSize: Number of tcp connections to keep alive to this player if multiplexing is used. Default is 2.
# connectionLifetime: Maximum lifetime of a tcp connection to this player. Default is 1 hour.
# disableMultiplexing: (MPCDirectServer only): This parameter controls if we should disable multiplexing with this player.
# Normally you want to use multiplexing to reduce the overhead of establishing connections, but
# if you rarely make connections to this player, there is no need to keep a long-lived TCP
# connection alive. If the player is behind a load balancer, you should also disable multiplexing.
# symmetricConnection: (MPCDirectServer only): If this parameter is true, it means that the other player also has this
# node's address configured. To prevent both players connecting to each other at the same time, they
# use the session ID to determine who will establish the connection.
Address = "tcp://player1:9000?connectionPoolSize=2&connectionLifetime=1h&disableMultiplexing=false&symmetricConnection=false"
#[Players.2]
#Address = "..."
#PublicKey = "..."
# User authentication settings.
#[Authentication]
# Lifetime of the tokens for password-based user authentication
#TokenLifetime = "5m"
# If enabled it is possible to dynamically add and remove API keys using the management server. When dynamic API keys
# are used, you cannot specify any API keys below.
#DynamicAPIKeys = false
# When dynamic API keys are enabled, they must be stored in the database to be accessible by all nodes. This parameter
# controls how often a node will look in the database for changes made by the other nodes. If you only run a single
# node, you can disable this completely by setting this value to 0.
#DynamicAPIKeysCacheTTL = "30s"
# List of API keys used for authentication
#[[Authentication.APIKeys]]
# Base64 encoded hash of the API key. A hash for the API key foobar can be generated with the following command:
#
# echo -n "foobar" | openssl dgst -sha256 -binary | openssl base64
#
# Crypt hashes with the following algorithms are also supported: MD5, SHA256, SHA512, bcrypt, Argon2i, Argon2id.
# An unsalted MD5/SHA hash only protects an API key that is itself long and random; for any key a person could
# guess, use bcrypt or Argon2id, and avoid MD5 for new deployments.
#APIKey = ""
# Users with the given API key will be mapped to this user in the system. If the user does not exist, it will be
# created automatically. Set this to an existing user ID to migrate from password to API key authentication.
#ApplicationID = ""
# Setting related to authentication of users based on TLS client certificates.
#[TLSUserAuthentication]
# Points to a file containing PEM encoded certificates of CAs from which client certificates are accepted.
#ClientCAFile = ""
# Contains a comma separated list of base64 encoded certificates of CAs from which client certificates are accepted.
#ClientCAList = ""
# Enable OCSP validation of client certificates. While this is false, a revoked client certificate is still accepted
# until it expires, so enable it in production unless revocation is handled elsewhere.
#OCSP = false
# Require the client to send a stapled OCSP response, otherwise validation will fail.
#OCSPRequireStapling = false
# If true, then only the leaf certificate is validated. Otherwise, the entire chain is validated.
#OCSPValidateLeafOnly = false
# Lifetime of cached OCSP responses, e.g. "1h30m". A value of 0 means that ValidUntil from the OCSP response
# is used, otherwise the value of CacheTTL is used if it comes before ValidUntil.
#OCSPCacheTTL = "10m"
# Use this URL for all OCSP responders, regardless of what the certificate says.
#OCSPResponderURL = ""
# Use this hash algorithm for OCSP requests, usually SHA-1 or SHA-256. If empty, then SHA-256 is used.
#OCSPHashAlgorithm = ""
# If no applications are specified, all certificates will be granted access and given an ID deduced from the
# Subject and Issuer of the certificate. In that mode every certificate issued by any CA in ClientCAFile/ClientCAList
# becomes a valid user, so define Applications with filters unless the CA is dedicated to this TSM.
# Access to applications is given based on values set in the certificates matching the values set in the filters below.
# To get a list of OIDs, here is an example:
# openssl list -objects | grep -i ", 2.5.4"
# The following text strings can also be used as keys:
# "commonName", "country", "locality", "stateOrProvince", "streetAddress", "organisation", "organizationalUnit",
# "postalCode", "serialNumber", "givenName", and "surname"
# For values expecting an array of strings, use "v1, v2"
# The certificate serial number (a root field of the certificate, hexadecimal value) can also be matched directly; it is
# distinct from the "serialNumber" Subject attribute listed above. The example below uses the key "Serialnumber";
# confirm the exact key spelling against the product documentation, since a misspelled filter key will not match.
#[[TLSUserAuthentication.Applications]]
#ID = "MyApplicationID"
#[[TLSUserAuthentication.Applications.Filters]]
#"Issuer/2.5.4.3" = "value 00" # commonName in Issuer
#"Subject/2.5.4.6" = "value 01, value 02" # country in Subject
#"Subject/2.5.4.11" = "value 03" # organizationalUnit in Subject
#[[TLSUserAuthentication.Applications.Filters]]
#"Issuer/Organization" = "value 10" # organization in Issuer
#"Serialnumber" = "value 13" # The certificate serial number
# Setting related to authentication of users based on OIDC.
#[OIDCUserAuthentication]
# Lifetime of the OIDC nonce.
#NonceLifetime = "5m"
# List of supported OIDC issuer URLs.
#OIDCIssuers = []
# List of supported Audiences (client ids)
# Audiences = []
# Setting related to authentication of users based on OIDC Access Tokens.
#[OIDCAccessTokenAuthentication]
# List of supported OIDC issuer URLs.
#OIDCIssuers = []
# Configuration for applications that are allowed to access the TSM
#[[OIDCAccessTokenAuthentication.AccessTokens]]
# The ID of the application to authenticate, or a reference to a claim which value should be used as application ID.
# Application IDs must match the regex ^[a-zA-Z0-9_-]+$. This will map to a certain set of keyIDs.
# ApplicationID = "application ID" | "$CLAIM:claim"
# Must match audience (aud) in access token
# Audience = "audience value"
# EITHER
# The URL of the discovery document for this access token, used to retrieve the public key. Defaults to issuer + "/.well-known/openid-configuration".
# DiscoveryDocURL = issuer + "/.well-known/openid-configuration"
# OR
# if PublicKey is specified, DiscoveryDocURL is ignored. The pinned key is then never refreshed, so a signing-key
# rotation at the identity provider breaks authentication until this value is updated.
# This is a base64 encoding of the public key for the identity provider. A public key
# can be generated from the private key using the following OpenSSL commands:
#
# openssl ec -inform DER -in private.key -pubout -outform DER -out public.key
# openssl base64 -A -in public.key; echo
# PublicKey = "BA3E64=="
# The claims which the access token needs to match. If no claims are required, you still need to add an empty section.
#[[OIDCAccessTokenAuthentication.AccessTokens.claims]]
# claim0 = "claim value 0"
#[[OIDCAccessTokenAuthentication.AccessTokens.claims]]
# claim1 = "claim value 1"
# claim2 = "claim value 2"
# Database connection configuration.
[Database]
# The driver used for the database. The following database drivers are supported: sqlite3, mysql and postgres.
DriverName = "sqlite3"
# The name of the datasource. This example shows a SQLite file backed database. For MySQL an example of a datasource
# name could be:
#
# USER:PASSWORD@HOST:3306/DATABASE_NAME?parseTime=true
#
# and for postgres:
#
# postgres://USER:PASSWORD@HOST:5432/DATABASE_NAME?sslmode=disable
#
# The sslmode=disable setting is for local testing only: the datasource name carries the database credentials and the
# connection carries the (encrypted) key share records, so use sslmode=verify-full (or the MySQL driver's TLS option)
# against a remote database. Likewise the /tmp path below is for testing: /tmp is shared with every local user and is
# often cleared on reboot, so keep a real deployment's database on a persistent, access-restricted path.
DataSourceName = "/tmp/tsmdb"
# This specifies a master encryption key used to protect database records. Note that this key is not directly
# used to encrypt data. Use any long random string here and make sure to keep a backup of it somewhere safe.
EncryptorMasterPassword = "ENCRYPTION_KEY"
# An alternative to specifying a password for encryption is to use a key file. Here the content of the key file
# is hashed and used as the master password. This is useful if one does not want to store the master password
# in the configuration file. After the TSM node has started up this file is no longer needed until the next startup.
#EncryptorKeyFile = ""
# Allows specifying a plugin that is loaded and used before the internal TSM encryption is performed.
# Any handling of the data is done in addition to the normal encryption. The plugin path can be absolute, or
# local. If local, it will need to be located in the path of LD_LIBRARY_PATH. The plugin must implement the
# plugin functions defined in the plugin-interface.h header file.
# The plugin runs inside the TSM process and sees records before the internal encryption, so it must handle key
# shares securely; a compromised or swapped plugin compromises the installation. Use an absolute path to a file that
# only root can write rather than relying on LD_LIBRARY_PATH lookup, which any writable directory in that path (or a
# changed environment) could hijack.
#ExternalEncryptorPlugin = ""
# The maximum number of idle connections in the database connection pool.
#MaxIdleConns = 500
# The maximum number of open connections in the database connection pool.
#MaxOpenConns = 500
# The maximum time a database connection can be open before it is closed. A value of 0 disables the closing of connections.
#ConnMaxLifetime = "3m"
# The maximum time a database connection can be idle before it is closed. A value of 0 disables the closing of idle connections.
#ConnMaxIdleTime = 0
# Controls how long key shares should be cached in memory. Setting this too high can cause issues when running in a
# load-balanced setup together with operations that modify key shares, such as reshare.
#KeyShareCacheTTL = "1s"
# MPC server handling direct connections between players.
#[MPCDirectServer]
# TCP port that this server listens on. A value of 0 means that the node will not accept incoming TCP connections but
# can still make outgoing connections.
#Port = 9000
# WebSocket port that this server listens on. A value of 0 means that the node will not accept incoming WebSocket
# connections but can still make outgoing connections.
#WSPort = 9080
# Setting this to true disables multiplexing. Multiplexing is normally controlled per player, but here you can specify
# that the server should reject multiplexed connections. If you enable MultiInstance, then multiplexing is automatically
# disabled. See the [Players] section for more information.
#DisableMultiplexing = false
# Points to a file containing a PEM encoded certificate (and any intermediates) which will be used for incoming connections.
# Setting this enables the use of WSS instead of WS, and TCPS instead of TCP. Note that this is not strictly needed,
# since the underlying MPC protocol has its own encryption and authentication layer, but it adds a second layer of
# protection (and hides connection metadata from the network) and is recommended on untrusted networks.
#CertificateFile = ""
# This contains the base64 certificate inline instead of giving it in a file in the previous entry.
#CertificateBytes = ""
# The private key corresponding to the certificate above.
#CertificateKeyFile = ""
# This contains the Base64 PKCS#8 private key inline instead of giving it in a file in the previous entry.
#CertificateKeyBytes = ""
# MPC server creating multiplexed TCP connections from other players. This is a legacy protocol, so consider using
# MPCDirectServer instead.
#[MPCTCPServer]
# Port number that this server listens on. A value of 0 means that the node will not accept incoming connections.
#Port = 9000
# Setting this to true disables multiplexing.
#DisableMultiplexing = false
# MPC server using an AMQP message broker to communicate with other players. Cannot be used with other MPC servers.
#[MPCAMQPServer]
# URL for the AMQP message broker
# For a local test instance with the default vhost and guest user the following URL can be used:
#
# amqp://guest:guest@localhost:5672/
#
# Do not reuse the default guest credentials or an unencrypted amqp:// URL outside local testing; create a dedicated
# broker user per player (see SkipSetup below) and use TLS to the broker where it is supported.
#ServerURL = ""
# When connection to the broker drops or sending of a message fails, how long should we wait before retrying
#RetryDelay = "5s"
# Specify how many channels should be used when sending messages to the broker. You might want to increase this value
# if you enable PublisherConfirms below.
#ChannelPoolSize = 2
# Use the RabbitMQ specific publisher confirms feature. This configures the RabbitMQ server to confirm each message
# before that message is considered delivered by the client. This makes the communication with the broker more
# resilient when the broker restarts or the network connection fails during a session, but it also has a performance
# impact.
#PublisherConfirms = false
# Instruct the message broker to persist messages. If using durable queues, this ensures that messages will survive
# a restart of the broker.
#PersistMessages = false
# If DynamicQueues is true then a new queue is created on the broker for each session, instead of using a fixed queue
# for each player. Dynamic queues are less reliable in case of network failures but allow for multiple nodes behind
# a load balancer. The parameters PublisherConfirms, PersistMessages and SkipSetup have no effect on dynamic queues.
# All players must use the same type of queues.
#DynamicQueues = false
# If SkipSetup is false the client will automatically create exchange and queues on the broker. However, if you need
# more control over who can send and receive messages set this to true and configure the broker like this:
#
# First you need to know how to get the player ID of a player. The player ID is computed by first using SHA-256 to
# hash the public key and then base64 URL encode (without padding) the output of the hash function.
#
# 1. Create a direct exchange with the name tsm.direct
# 2. Create a queue for each player with the name tsm.playerID and an x-message-ttl of session timeout + connection timeout
# 3. Bind the queues above to the exchange with the queue name as the binding key
# 4. Grant all users write access to the exchange
# 5. Grant all users read access to their own queue
#
# Note that with a direct exchange any user with write access can publish to any player's queue by using that queue
# name as the routing key; the broker ACL only stops a player from reading another player's queue. Message
# authenticity relies on the MPC protocol's own authentication layer, and flooding a queue is still possible, so
# limit the broker users to the TSM nodes themselves.
#SkipSetup = false
# MPC server using Redis to communicate with other players. Cannot be used with other MPC servers.
#
# It's recommended that you restrict what users can do on the Redis server. To create a user 'player0' with
# password 'pw0' for use by a TSM node, you need the following ACL:
#
# ACL SETUSER player0 on >pw0 ~tsm:* +ping +blmpop +rpush +expire
#
# The +expire command is only needed when ExpireKeys (below) is set to true; it can be dropped from the list above
# otherwise. Use a strong password and, where supported, TLS (rediss://) rather than the unauthenticated URL shown below.
#[MPCRedisServer]
# URL for the Redis server
# For a local instance with no access control the following URL can be used:
#
# redis://localhost:6379/0
#ServerURL = ""
# Redis pipelining is used when sending messages. This is the maximum number of messages that goes into one pipeline
# before being sent to the Redis server.
#SendBatchSize = 20
# When calling BLMPOP to retrieve messages from Redis, this is the maximum number of lists to query in one call.
#ReceiveBatchSize = 20
# This controls how many Redis connections are used for fetching messages from the server.
#MaxMessageReceivers = 30
# Number of sessions that can be running at the same time on this TSM node. If you don't need that many sessions,
# you can lower this number and save a little memory.
#MaxSessions = 10000
# Choose whether keys will automatically expire or not. Under normal operation keys will be deleted once the MPC
# session finishes, but in case of MPC session failure some data might remain.
# Automatically expiring keys are disabled by default since it's normally handled by the server's eviction policy.
#ExpireKeys = false
# Set this to true if you are running a Redis cluster. Only use this if you really need a Redis cluster. In most cases
# you will get much better performance without a cluster.
#ClusterMode = false
# Server accepting connections from the SDK. This must be specified unless the TSM node is running as a local node.
[SDKServer]
# Port number that this server listens on.
Port = 8080
# Points to a file containing PEM encoded certificates of root CAs for the server certificate. Currently, this is only
# used when the server is configured to do OCSP stapling.
#CAFile = ""
# Contains a comma separated list of base64 encoded certificates of root CAs for the server certificate. Currently,
# this is only used when the server is configured to do OCSP stapling.
#CAList = ""
# Points to a file containing a PEM encoded certificate (and any intermediates) which will be used for this
# connection. Setting this enables the use of HTTPS instead of HTTP. Without it the SDK server speaks plain HTTP, so
# the API keys and tokens used for authentication cross the network in clear; terminate TLS here or on a trusted proxy.
#CertificateFile = ""
# This contains the base64 certificate inline instead of giving it in a file in the previous entry.
#CertificateBytes = ""
# The private key corresponding to the certificate above.
#CertificateKeyFile = ""
# This contains the Base64 PKCS#8 private key inline instead of giving it in a file in the previous entry.
#CertificateKeyBytes = ""
# Performs OCSP stapling by attaching an OCSP response to the server certificate.
#OCSPStaple = false
# Lifetime of cached OCSP responses, e.g "1h30m". A value of 0 means that ValidUntil from the OCSP response
# is used, otherwise the value of CacheTTL is used if it comes before ValidUntil.
#OCSPCacheTTL = "10m"
# Use this URL for all OCSP responders, regardless of what the certificate says.
#OCSPResponderURL = ""
# Use this hash algorithm for OCSP requests, usually SHA-1 or SHA-256. If empty then SHA-256 is used.
#OCSPHashAlgorithm = ""
#[SDKServer.HTTPResponseHeaders]
# The wildcard origin below is a permissive example: it lets scripts on any website call this API from a browser that
# holds a credential. Restrict Access-Control-Allow-Origin to the exact origins that need browser access in production.
# Access-Control-Allow-Origin = "*"
# Access-Control-Allow-Methods = "POST, PUT, GET, DELETE, OPTIONS"
# Access-Control-Allow-Headers = "MPC-SessionID, MPC-Players, Authorization, Content-Type"
# Server with endpoints for managing the node
#[ManagementServer]
# Port number that this server listens on.
#Port = 14401
# Points to a file containing a PEM encoded certificate (and any intermediates) which will be used for this
# connection. Setting this enables the use of HTTPS instead of HTTP. The management server authenticates with API keys
# (see below), so without TLS those keys travel in clear; enable HTTPS or keep the port reachable only from a trusted network.
#CertificateFile = ""
# This contains the base64 certificate inline instead of giving it in a file in the previous entry.
#CertificateBytes = ""
# The private key corresponding to the certificate above.
#CertificateKeyFile = ""
# This contains the Base64 PKCS#8 private key inline instead of giving it in a file in the previous entry.
#CertificateKeyBytes = ""
#[ManagementServer.HTTPResponseHeaders]
# For use in a browser (e.g. WASM), the following can be set. The wildcard origin is a permissive example; restrict
# Access-Control-Allow-Origin to the exact origins that need browser access to the management endpoints.
#Access-Control-Allow-Origin = "*"
#Access-Control-Allow-Methods = "POST, PUT, GET, DELETE, OPTIONS"
#Access-Control-Allow-Headers = "MPC-SessionID, MPC-Players, Authorization, Content-Type"
# Metrics is used to access various internal performance counters, both Golang and MPC-related. The default format is Golang's built-in
# expvar, but it can be configured to be Prometheus. The endpoint will be available at 'management/metrics'. This section is
# optional, metrics will only be available if it has been set here.
#[ManagementServer.Metrics]
# Optional. Specify whether to use prometheus format, default is false
#Prometheus = false
# List of API keys, which can have different permissions
#[[ManagementServer.APIKeys]]
# Base64 encoded hash of the API key. A hash for the API key foobar can be generated with the following command:
#
# echo -n "foobar" | openssl dgst -sha256 -binary | openssl base64
#
# Crypt hashes with the following algorithms are also supported: MD5, SHA256, SHA512, bcrypt, Argon2i, Argon2id.
# An unsalted MD5/SHA hash only protects an API key that is itself long and random; for any key a person could
# guess, use bcrypt or Argon2id, and avoid MD5 for new deployments.
#
# Setting the API key to the empty string means that the specified permissions are granted to unauthenticated users.
# Only grant a minimal set such as HEALTH this way; in particular do not grant APIKEY (which presumably covers
# managing the dynamic API keys, see [Authentication]) to unauthenticated callers.
#APIKey = ""
# Array of permissions this API Key has, valid values:
# TSMINFO, HEALTH, METRICS, APIKEY
#Permissions=["HEALTH", "TSMINFO"]
# This setting enables multiple instances of the same player to be placed behind a load balancer. Each instance will
# either handle sessions itself or route the traffic to other instances.
#[MultiInstance]
# IP address where this instance can be reached from other instances. If not specified, an auto-detected address is
# used, and this might not be the address you want if there are multiple IP addresses associated with the system.
#Address = ""
# SDK port announced to the other nodes. If not specified, it defaults to the SDK port from the [SDKServer] section.
#SDKPort = 0
# MPC port announced to the other nodes. If not specified, it defaults to the port from the [MPCTCPServer] section.
#MPCPort = 0
# How often should we run a clean-up job that purges old routing entries from the database.
#CleanupInterval = "5m"
# Every CleanupInterval the clean-up job will run with this probability. 0 means never and 100 means always.
#CleanupProbability = 25
# Enclave support. Enabling this will offload the MPC operations to a module running inside a secure enclave. This
# means that the TSM will never see key material in clear text, and the key material is therefore protected even against
# an attacker with full access to the TSM node. Since the enclave module doesn't have any storage, it is still possible
# to extract key material e.g. by reusing a presignature. If this is an issue, then one should configure the enclave
# module to disallow presignature generation. Care should also be taken when enabling the export and ERS operations.
#[Enclave]
# Address of the enclave on the form scheme://host:port. The scheme can be either tcp or vsock. For
# vsock the host is the context ID.
#Address = ""
# This section is used for initializing the server with values specified in the configuration instead of other sources.
#[Initializers]
# This adds the option to set the wrapping key used for exporting key shares. It will only work if the wrapping key has not already been set
# or generated. This must be an RSA key in a DER encoded PKCS#1 structure. This is the node's RSA wrapping key (see
# WrappingKeySize in [Player]); supplying it here replaces the generated one, so generate and store it with the same
# care as PrivateKey.
#WrappingPrivateKey = "BA3E64=="
# Here you can override how the system gets the randomness used in MPC protocols. If this section is not specified, then
# the default system PRNG is used. It is recommended to leave this section out unless you know you really need it:
# the MPC protocols depend on unpredictable randomness, and a weak or predictable source (e.g. a regular file or an
# unseeded device) can compromise the key material. Only point this at a kernel CSPRNG device.
#[Randomness]
# Path to the device used to read randomness from, e.g. /dev/urandom
#Device = ""
# Configures system logging for the TSM node. The top level values specify a default logger. For more advanced
# logging configuration, specify one or more of the [Log.X] configurations below. If any of these configurations are
# specified, they will override the top-level configuration.
#[Log]
# Log level. Possible values are INFO, WARN, ERROR and DEBUG. If not specified it defaults to INFO.
#Level = "INFO"
# Log format. Possible values are TEXT and JSON. If not specified it defaults to TEXT.
#Format = "TEXT"
# If specified, logs will be written to this file. If empty, logs will be written to standard out.
#FilePath = ""
# Set to true to log the filename and line number where the logging operation occurred.
#ReportCaller = true
# When logging the IP address of a client, the IP address will normally be the remote address of the connection. If you
# specify an HTTP header here, such as X-Forwarded-For, the IP address will be read from that instead. Only set this
# when the node is reached through a trusted reverse proxy that overwrites the header; otherwise clients can forge
# the address that ends up in the logs.
#IPAddressHeader = ""
# This logger logs to standard out.
#[Log.StdoutLogger]
# Log level. Possible values are INFO, WARN, ERROR and DEBUG. If not specified it defaults to INFO.
#Level = "INFO"
# Log format. Possible values are TEXT and JSON. If not specified it defaults to TEXT.
#Format = "TEXT"
# Set to true to log the filename and line number where the logging operation occurred.
#ReportCaller = true
# These loggers log to files. It is possible to specify more than one file logger to log to different files.
#[[Log.FileLoggers]]
# Log level. Possible values are INFO, WARN, ERROR and DEBUG. If not specified it defaults to INFO.
#Level = "INFO"
# Log format. Possible values are TEXT and JSON. If not specified it defaults to TEXT.
#Format = "TEXT"
# Log to this file. If it does not exist, it will be created.
#FilePath = ""
# Set to true to log the filename and line number where the logging operation occurred.
#ReportCaller = true
# This logger logs to syslog.
#[Log.SyslogLogger]
# Log level. Possible values are INFO, WARN, ERROR and DEBUG. If not specified it defaults to INFO.
#Level = "INFO"
# Log format. Possible values are TEXT and JSON. If not specified it defaults to TEXT.
#Format = "TEXT"
# Set to true to log the filename and line number where the logging operation occurred.
#ReportCaller = true
# This logger logs to AWS CloudWatch.
#[Log.CloudWatchLogger]
# Log level. Possible values are INFO, WARN, ERROR and DEBUG. If not specified it defaults to INFO.
#Level = "INFO"
# Specify the AWS region here. This field is required.
#Region = ""
# Specify the AWS log group name. This field is required.
#LogGroupName = ""
# Specify the AWS log stream name. This field is required.
#LogStreamName = ""
# Set to true to log the filename and line number where the logging operation occurred.
#ReportCaller = true
# This logger will discard all logs. Set this as the only logger to disable logging completely. Adding this in addition
# to other loggers has no effect.
#[Log.DiscardLogger]
# If this section is present then certain operations on the TSM node are stored in an audit log. The
# audit log is periodically signed and uploaded to an audit receiver.
#[Audit]
# URL of the audit receiver. Audit logs are sent to this URL using HTTP POST requests.
# Can be a file, HTTP location or s3 location: file://, https://, s3://
#ReceiverURL = ""
# Public key of the audit receiver. This corresponds to the public key in the TLS certificate.
#ReceiverPublicKey = "BA3E64=="
# Private key used to establish a connection to the audit receiver using mTLS.
#ClientPrivateKey = "BA3E64=="
# Log entries are signed before they are uploaded to the audit receiver. This is the 32 byte seed used to generate
# an Ed25519 signing key per RFC-8032. Keep the seed secret: anyone holding it can produce audit entries that
# verify as genuine.
#LogEntrySigningKeySeed = "BA3E64=="
# Maximum number of audit log entries that are sent in one request.
#MaxBatchSize = 50
# Minimum time to wait before checking for new audit log entries to upload.
#MinWaitTime = "15s"
# Maximum time to wait before checking for new audit log entries to upload.
#MaxWaitTime = "2m"
# When using an S3-compatible API as the ReceiverURL in [Audit], specify any
# non-standard S3 related parameters here
#[Audit.S3EndpointConfig]
# If not using the default S3 endpoint, specify the custom one here
#EndpointURL = ""
# AWS or S3-compatible API region
#Region = ""
# Authorization keys for the S3-compatible API
#SecretAccessKey = ""
#AccessKeyId = ""
#SessionToken = ""
# The configurations below are for the individual MPC protocols supported by the TSM. Comment a protocol to
# disable it. In the following n denotes the total number of players and t is the security threshold.
# Computes ECDSA signatures. This protocol requires n >= 2t+1. Cannot be enabled together with DKLS19, or DKLS23.
#[SEPH18S]
# Shortest allowed BIP-32 chain path.
#MinChainPathLength = 0
# Cache size for intermediate public keys when using BIP-32 chain paths.
#Bip32CacheSize = 1024
# Maximum number of presignatures that can be generated in one request.
#PresigGenRequestLimit = 1000
# Maximum number of presignatures that can be generated concurrently for the entire TSM node.
#PresigGenGlobalLimit = 50000
# Controls which features of SEPH18S to enable. Each field corresponds to a method in the SDK. All features default to
# disabled; enable only what the application needs, and be especially deliberate about the export operations
# (ExportKey, ExportKeyShare, BIP32ExportSeed), which move key material out of the TSM.
#[SEPH18S.Features]
#GenerateKey = false
#GeneratePresignatures = false
#Sign = false
#SignWithPresignature = false
#GenerateRecoveryData = false
#PublicKey = false
#ChainCode = false
#Reshare = false
#CopyKey = false
#ExportKey = false
#ImportKey = false
#ExportKeyShare = false
#ImportKeyShare = false
#BIP32GenerateSeed = false
#BIP32DeriveFromSeed = false
#BIP32DeriveFromKey = false
#BIP32ConvertKey = false
#BIP32ExportSeed = false
#BIP32ImportSeed = false
#BIP32Info = false
# Computes ECDSA signatures. This protocol only requires t < n. Cannot be enabled together with SEPH18S or DKLS23.
#[DKLS19]
# Shortest allowed BIP-32 chain path.
#MinChainPathLength = 0
# Cache size for intermediate public keys when using BIP-32 chain paths.
#Bip32CacheSize = 1024
# Maximum number of presignatures that can be generated in one request.
#PresigGenRequestLimit = 100
# Maximum number of presignatures that can be generated concurrently for the entire TSM node.
#PresigGenGlobalLimit = 5000
# Controls which features of DKLS19 to enable. Each field corresponds to a method in the SDK.
#[DKLS19.Features]
#GenerateKey = false
#GeneratePresignatures = false
#Sign = false
#SignWithPresignature = false
#GenerateRecoveryData = false
#PublicKey = false
#ChainCode = false
#Reshare = false
#CopyKey = false
#ExportKey = false
#ImportKey = false
#ExportKeyShare = false
#ImportKeyShare = false
#BIP32GenerateSeed = false
#BIP32DeriveFromSeed = false
#BIP32DeriveFromKey = false
#BIP32ConvertKey = false
#BIP32ExportSeed = false
#BIP32ImportSeed = false
#BIP32Info = false
# Computes ECDSA signatures. This protocol only requires t < n. Cannot be enabled together with SEPH18S or DKLS19.
#[DKLS23]
# Shortest allowed chain path.
#MinChainPathLength = 0
# Cache size for intermediate public keys when using BIP-32 chain paths.
#Bip32CacheSize = 1024
# Maximum number of presignatures that can be generated in one request.
#PresigGenRequestLimit = 100
# Maximum number of presignatures that can be generated concurrently for the entire TSM node.
#PresigGenGlobalLimit = 5000
# Whether to run the protocol with the deactivated-players cache optimization. Possible values are: none, memory, database.
# More information: https://builder-vault-tsm.docs.blockdaemon.com/docs/mpc-protocols#dkls23
#DeactivatedPlayersCache = "memory"
# Controls which features of DKLS23 to enable. Each field corresponds to a method in the SDK.
#[DKLS23.Features]
#GenerateKey = false
#GeneratePresignatures = false
#Sign = false
#SignWithPresignature = false
#GenerateRecoveryData = false
#PublicKey = false
#ChainCode = false
#Reshare = false
#CopyKey = false
#ExportKey = false
#ImportKey = false
#ExportKeyShare = false
#ImportKeyShare = false
#BIP32GenerateSeed = false
#BIP32DeriveFromSeed = false
#BIP32DeriveFromKey = false
#BIP32ConvertKey = false
#BIP32ExportSeed = false
#BIP32ImportSeed = false
#BIP32Info = false
# Computes Schnorr signatures for the supported curves. This protocol only requires t < n.
#[SEPD19S]
# Shortest allowed chain path. A chain path is used to derive many keys from a single master key.
#MinChainPathLength = 0
# Maximum number of presignatures that can be generated in one request.
#PresigGenRequestLimit = 1000
# Maximum number of presignatures that can be generated concurrently for the entire TSM node.
#PresigGenGlobalLimit = 100000
# Controls which features of SEPD19S to enable. Each field corresponds to a method in the SDK.
#[SEPD19S.Features]
#GenerateKey = false
#GeneratePresignatures = false
#Sign = false
#SignWithPresignature = false
#GenerateRecoveryData = false
#PublicKey = false
#ChainCode = false
#Reshare = false
#CopyKey = false
#ExportKey = false
#ImportKey = false
#ExportKeyShare = false
#ImportKeyShare = false
# Computes BLS signatures for BLS12-381.
#[BLS]
# Controls which features of BLS to enable. Each field corresponds to a method in the SDK.
#[BLS.Features]
#GenerateKey = false
#Sign = false
#GenerateRecoveryData = false
#PublicKey = false
#ChainCode = false
#Reshare = false
#CopyKey = false
#ExportKey = false
#ImportKey = false
#ExportKeyShare = false
#ImportKeyShare = false
# Performs RSA signing and decryption.
#[ADN06]
# Controls which features of ADN06 to enable. Each field corresponds to a method in the SDK.
#[ADN06.Features]
#PublicKey = false
#SignPKCS1v15 = false
#SignPSS = false
#Decrypt = false
#ExportKey = false
#ImportKey = false
# Computes the ECDH function. This protocol only requires t < n.
#[SEPD20ECDH]
# Controls which features of SEPD20ECDH to enable. Each field corresponds to a method in the SDK.
#[SEPD20ECDH.Features]
#GenerateKey = false
#ComputeSecret = false
#PublicKey = false
# Computes ECKCDSA signatures. This protocol only requires t < n.
#[ECKCDSA]
# Maximum number of presignatures that can be generated in one request.
#PresigGenRequestLimit = 100
# Maximum number of presignatures that can be generated concurrently for the entire TSM node.
#PresigGenGlobalLimit = 5000
# Whether to run the protocol with the deactivated-players cache optimization. Possible values are: none, memory, database.
# More information: https://builder-vault-tsm.docs.blockdaemon.com/docs/mpc-protocols#dkls23
#DeactivatedPlayersCache = "memory"
# Controls which features of ECKCDSA to enable. Each field corresponds to a method in the SDK.
#[ECKCDSA.Features]
#GenerateKey = false
#GeneratePresignatures = false
#Sign = false
#SignWithPresignature = false
#GenerateRecoveryData = false
#PublicKey = false
#Reshare = false
#CopyKey = false
#ExportKey = false
#ImportKey = false
#ExportKeyShare = false
#ImportKeyShare = false
# Computes Aleo signatures. This protocol only requires t < n.
#[ALEO]
# Shortest allowed chain path. A chain path is used to derive many keys from a single master key.
#MinChainPathLength = 0
# Maximum number of presignatures that can be generated in one request.
#PresigGenRequestLimit = 1000
# Maximum number of presignatures that can be generated concurrently for the entire TSM node.
#PresigGenGlobalLimit = 100000
# Controls which features of ALEO to enable. Each field corresponds to a method in the SDK.
#[ALEO.Features]
#GenerateKey = false
#GeneratePresignatures = false
#Sign = false
#SignWithPresignature = false
#GenerateRecoveryData = false
#PublicKey = false
#ChainCode = false
#Reshare = false
#CopyKey = false
#ExportKey = false
#ImportKey = false
#ExportKeyShare = false
#ImportKeyShare = false
#ExportViewKey = false
# Sends a message to all players.
#[BROADCAST]
# Maximum size in bytes for a broadcast message.
#MaxMessageLength = 65536
# Controls which features of BROADCAST to enable. Each field corresponds to a method in the SDK.
#[BROADCAST.Features]
#SimpleBroadcast = false
#AdvancedBroadcast = false
# General purpose MPC protocol for symmetric operations. Based on https://eprint.iacr.org/2015/931
# and http://eprint.iacr.org/2019/1104.
#[MRZ15]
# Controls which AES features are enabled for MRZ15. Each field corresponds to a method in the SDK.
#[MRZ15.AESFeatures]
#GenerateKey = false
#ExportKey = false
#ImportKey = false
#CTRKeyStream = false
#CBCEncrypt = false
#CBCDecrypt = false
#GCMEncrypt = false
#GCMDecrypt = false
#CMAC = false
# Controls which HMAC features are enabled for MRZ15. Each field corresponds to a method in the SDK.
#[MRZ15.HMACFeatures]
#GenerateKey = false
#ExportKey = false
#ImportKey = false
#HMACSHA256 = false
#HMACSHA512 = false
# Controls which AN10922 features are enabled for MRZ15. Each field corresponds to a method in the SDK.
#[MRZ15.AN10922Features]
#ImportKey = false
#DeriveAESKey = false
#Checksum = false
# Controls which RFC5649 features are enabled for MRZ15. Each field corresponds to a method in the SDK.
#[MRZ15.RFC5649Features]
#ImportKey = false
#AesWrapBlobWithPadding = false
