AWS Marketplace

To install Blockdaemon Builder Vault from the AWS Marketplace, follow these steps to integrate this advanced key management system into your infrastructure, enhancing security with secure multi-party computation (MPC) for Web3 developers:

Prerequisites

Ensure that you have done the following:

  • Select a Security/Deployment Pattern: Using an n or n + 1 AWS accounts pattern is recommended, where n equals the number of nodes. This setup involves using separate Node Admin accounts for each KMS package, ensuring secure admin control over each node, and a singular Builder Vault account for deploying the node infrastructure. For more info, please refer here.

📘

Note:

While various configurations (e.g., a single Node Admin account for all KMS stacks or a single AWS account for all components) can achieve operational Builder Vault, such setups change inherent security considerations. The ideal configuration depends on the trust distribution among Builder Vault admins within your organization.

  • Define a Namespace for Builder Vault: Choose a Namespace that will be consistently used across all CloudFormation stacks for the Builder Vault deployment.

📘

Note:

This Namespace must be unique within the Builder Vault account, although multiple Builder Vaults with different Namespaces can be deployed.

  • Prepare Node Admins and Infrastructure Engineer Access: Ensure that node admins and the infrastructure engineer responsible for deploying the Builder Vault core and node marketplace stacks possess adequate AWS expertise. They should have admin privileges within their respective AWS accounts to deploy resources.
  • Follow AWS Root User Best Practices: Refrain from using the root user for installation activities. Follow the AWS best practices regarding root user management for AWS account security.
  • Establish a DNS Public Hosted Zone: Create a DNS Public Hosted Zone for the Builder Vault node records. This zone will host DNS records for each node in the format: https://node-0-<namespace>.<zone>. The deployment process will generate networking services within this zone.
    • Assign DNS Nameserver zone delegations from your company's authoritative zone to the new AWS name servers.
    • In the AWS account designated for the deployment, create an AWS Route53 public-hosted zone. Record the Hosted Zone Id and Host Zone Name for use during the Marketplace deployment.

📘

Note:

DNS name server zone delegations may require up to one business day for completion, depending on the authoritative zone settings.

Step-by-step Guide

Create AWS Accounts

First, create AWS accounts for each of the security and infrastructure administrators. To set up either a standalone or a member AWS account, please see here.

📘

Note:

  • Refrain from using the root user for installations. Adhere to AWS's recommended practices for root user management here.
  • Note down the AWS account IDs. These will be required for the CloudFormation template.

Register an AWS Public DNS Hosted Zone

The second step is registering an AWS public DNS Hosted Zone for the Builder Vault nodes. To set up an AWS public DNS Hosted Zone, please see here.

📘

Note:

Note down the AWS Hosted Zone name and ID. These will be required for the Builder Vault Node Infrastructure installation.

Deploy KMS Stack

The third step is to deploy the KMS Stack templates. KMS Stack templates are deployed independently from the Builder Vault Core template. Administrators must deploy a separate KMS Stack template for each Builder Vault TSM node, and these templates can be deployed to any AWS region. Follow the steps below to deploy the KMS Stack:

  1. KMS Stack administrator authenticates to their specific KMS Stack AWS Account.
  2. Stack 1 and Stack 2.
  3. Complete the following fields:
FieldDescription
Stack NameProvide the name for the Stack.
BuilderVaultAWSAccountDefine the Builder Vault Node Infrastructure AWS account ID.
NamespaceSpecify a unique namespace. This will allow multiple deployments within the same set of AWS accounts. Ensure the same namespace value is used across KMS Stack and Core Node installation.
NodeIndexSpecify the index of the installation. You need to match this KMS Stack install number. If this is the first installation, start with the value 1.
  1. Click the Create Stack button.
  2. Once the installation is completed, click the Outputs tab and note down the SSMParameter value. Write this ARN value down as it will be used in the Builder Vault Node Infrastructure installation.
  1. Click on the Resource tab > click the Retrieve Secret Value button to get the NodeIndex.

📘

Note:

The NodeIndex secret contains the Builder Vault API key that will be needed to access the node.

  1. Repeat the process for the second KMS Stack before installing the Builder Vault node infrastructure.

📘

Note:

Ensuring the NodeIndex for the second stack is set to 2.

Deploy Builder Vault Core Nodes

The fourth step is to deploy the Builder Vault Code Node stack template to create the necessary networking, storage and AMI resources to run the MPC environment.

  1. Infrastructure Administrator authenticates to the Builder Vault Node Infrastructure AWS Account.
  2. Create the Blockdaemon Builder Vault Core Node template.
  3. Complete the following fields:
FieldDescription
Hosted Zone IDSpecify with the Hosted Zone ID that you established earlier.
Hosted Zone NameSpecify with the Hosted Zone Name that you established earlier.
NamespaceSpecify with the Namespace value that you used in the KMS Stack installation.
SSMParameterSpecify with the value that you obtained from the Resource tab in the KMS Stack installation.
  1. Click Next.
  2. The installation will default create new VPC networks and subnets with the CIDR ranges specified below.

📘

Note:

If you wish to deploy the Builder Vault into existing VPC networks, simply populate the Bring your own VPC fields and the Create VPC for me values will be ignored.

  1. To restrict access to the Builder Vault Code Node SDK or P2P endpoints, specify the CIDR ranges that should be allow-listed.
  1. Once the installation is completed, click the Outputs tab > note down the Node0DNS and Node1DNS values. These endpoints will be used to configure the Builder Vault client SDK.

Deploy Additional Dynamic Builder Vault Nodes

The fifth step is to deploy additional dynamic Builder Vault nodes to extend the Builder Vault system past the two nodes setup.

  1. Repeat the KMS Stack deployment from step 1 by installing a new KMS Stack into a new AWS account.

📘

Note:

For each additional node, increment the NodeIndex appropriately. For example, if this is the third node the NodeIndex should be 2. Note down the SSMParameter ARN to be used in the next step.

  1. In your Builder Vault dynamic node AWS Account, create and deploy the Builder Vault Node stack template.

📘

Note:

Set the node index to the total number of dynamic nodes plus 2. For the first dynamic node beyond the two core nodes, set the index to 3.

  1. Once the installation is complete, click the Outputs tab > note down the Node*DNS value for use in the client SDK configuration.
  2. To apply topology updates across all nodes, reboot each by navigating to EC2-Instances > Reboot Instance.

Setup the Builder Vault Client SDK Connectivity

The sixth step is to Initialize the Builder Vault Client SDK with your generated API Keys and Node DNS in the SDK settings using the following code:

config := tsm.Configuration{URL: "https://<Node1DNS>"}
config = config.WithAPIKeyAuthentication("<Node API Key>")
node, err := tsm.NewClient(config)