This project represents an example implementation of an AWS Nitro Enclave based Consensys Web3Signer deployment which is commonly used as a remote signer instance for EIP-3030 compatible blockchain validator nodes. A single Web3Signer deployment can be used by several Ethereum validator nodes.
The project is implemented in AWS Cloud Development Kit (CDK) v2 and Python.
This repository contains all code artifacts for the following two blog posts. A walkthrough explaining how to deploy and configure the solution is enclosed in the docs folder of this repository.
- AWS Nitro Enclaves for running Ethereum validators – Part 1
- AWS Nitro Enclaves for running Ethereum validators – Part 2
- AWS Nitro Web3Signer solution walkthrough
For an overview of how to design an AWS Nitro Enclave secured blockchain validation process, please have a look at Part 1.
For a deep dive into AWS Nitro Enclave based Web3Signer node setup and integration patterns, how to bootstrap https endpoints inside the AWS Nitro Enclave environment, or how to securely tunnel https traffic over a vsock socket, please refer to Part 2.
For a walkthrough on how to deploy, bootstrap, configure and start the AWS Nitro Enclave secured Web3Signer process, please refer to the walkthrough.
- Systemd watchdog service reads encrypted validator BLS and TLS keys.
- Watchdog service sends `init` request to Enclave with key configuration enclosed.
- Enclave leverages AWS Nitro SDK (`kmstool-enclave-cli`) to decrypt encrypted keys.
- Cryptographic attestation is being used by the `kmstool-enclave-cli`.
- After decryption, keys are being stored in ephemeral storage of AWS Nitro Enclave.
- Web3Signer process is started inside enclave using decrypted keys, listening on `https` endpoint.
- Validator sends `https` signing request to `https_proxy`.
- Request gets forwarded via `vsock` to Web3Signer running inside the enclave and gets processed.
For a more detailed explanation of the bootstrapping process please refer to the bootstrapping section of the walkthrough.
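The last two bullets above describe the `https_proxy` hop: the validator talks to a proxy on the parent instance, which relays the connection over `vsock` to Web3Signer inside the enclave. The following is an added example (not code from this project) of such a byte-level relay in Python. It illustrates the security property that matters here: TLS terminates on the Web3Signer endpoint inside the enclave, so the relay on the parent only moves opaque ciphertext and cannot read or alter a signing request. The function names, the `("vsock", cid, port)` / `("tcp", host, port)` backend tuple, and the sample payload are assumptions; the self-test uses a constructed TCP echo backend so it also runs on hosts without `AF_VSOCK`.

```python
"""Byte-level relay in the style of the https_proxy -> vsock hop described above.

Added example, not the project's code. TLS ends inside the enclave, so this
relay never sees plaintext. Names, backend tuple format and sample bytes are
assumptions made for the example.
"""
import socket
import threading

# AF_VSOCK exists only on Linux builds of CPython; the relay logic itself is
# transport-agnostic, so self_test() exercises it over TCP instead.
VSOCK_AVAILABLE = hasattr(socket, "AF_VSOCK")


def connect_backend(backend):
    """Open the upstream socket. backend is ("vsock", cid, port) or ("tcp", host, port)."""
    kind, addr, port = backend
    if kind == "vsock":
        if not VSOCK_AVAILABLE:
            raise RuntimeError("AF_VSOCK is not available on this platform")
        sock = socket.socket(socket.AF_VSOCK, socket.SOCK_STREAM)
        sock.connect((addr, port))  # (enclave CID, vsock port)
        return sock
    if kind == "tcp":
        return socket.create_connection((addr, port))
    raise ValueError(f"unknown backend kind: {kind!r}")


def pump(src, dst):
    """Copy bytes src -> dst until EOF, then propagate the half-close to dst."""
    try:
        while True:
            chunk = src.recv(65536)
            if not chunk:
                break
            dst.sendall(chunk)  # opaque TLS records: never parsed here
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def relay(client, upstream):
    """Bidirectional relay; returns once both directions have reached EOF."""
    back = threading.Thread(target=pump, args=(upstream, client), daemon=True)
    back.start()
    pump(client, upstream)
    back.join()
    client.close()
    upstream.close()


def start_forwarder(backend, listen_host="127.0.0.1", listen_port=0):
    """Accept TCP connections and relay each one to `backend`. Returns the bound port."""
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    lsock.bind((listen_host, listen_port))
    lsock.listen()

    def serve():
        while True:
            client, _ = lsock.accept()
            try:
                upstream = connect_backend(backend)
            except OSError:
                client.close()  # enclave side not reachable: fail closed, buffer nothing
                continue
            threading.Thread(target=relay, args=(client, upstream), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return lsock.getsockname()[1]


def start_echo_server(host="127.0.0.1"):
    """Constructed stand-in for the enclave-side listener: echoes bytes back."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen()

    def handle(conn):
        with conn:
            while True:
                chunk = conn.recv(65536)
                if not chunk:
                    break
                conn.sendall(chunk)

    def serve():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def self_test(payload=b"constructed opaque request bytes"):
    """Push bytes through forwarder -> echo backend and return what came back."""
    echo_port = start_echo_server()
    proxy_port = start_forwarder(("tcp", "127.0.0.1", echo_port))
    with socket.create_connection(("127.0.0.1", proxy_port)) as conn:
        conn.sendall(payload)
        conn.shutdown(socket.SHUT_WR)  # signal EOF so the relay can wind down
        received = b""
        while True:
            chunk = conn.recv(65536)
            if not chunk:
                break
            received += chunk
    return received


if __name__ == "__main__":
    print(self_test())
```

On the parent instance the same `start_forwarder` would be called with a `("vsock", <enclave CID>, <port>)` backend; because the relay copies bytes without parsing them, swapping the transport changes nothing about what the parent can observe.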
- An AWS account
- An AWS Identity and Access Management (IAM) user with administrator access
- Configured AWS credentials
- Docker, Node.js, Python 3.9, pip, and jq installed on the workstation that you plan to deploy the solution from. Note that the solution is only compatible with Python 3.9.
- Virtual environments (venv) are recommended when working with Python.
- AWS CDK per default leverages virtual environments. See how to activate virtualenv.
- AWS CDK installed and tested:

```bash
npm install -g aws-cdk && cdk --version
```
To deploy the development version (cryptographic attestation turned off) of the sample application, please follow the steps below:

- Install the AWS CDK and test the AWS CDK CLI:

```bash
npm install -g aws-cdk && cdk --version
```

- Download the code from the GitHub repo and change to the new directory:

```bash
git clone https://gitlab.aws.dev/proserve-es/publicblockchain/nitro_validator_cdk
```

- Change to the nitro_validator_cdk repository:

```bash
cd nitro_validator_cdk
```

- Install the dependencies using the Python package manager:

```bash
pip install -r requirements.txt
pip install -r requirements-dev.txt
```

- Run linter and code scan on all files:

```bash
pre-commit run --all-files
```

- Build the required binaries for Nitro Enclaves. This step requires a valid local Docker environment.

```bash
./scripts/build_kmstool_enclave_cli.sh
```

After you run this step, a new folder (application/eth2/enclave/kms) is available that contains the required Nitro Enclaves artifacts.
If you encounter a problem with the `build_kmstool_enclave_cli.sh` step, such as a network connectivity issue, you can turn on the debug output of the script by changing `set +x` to `set -x` inside the script. For additional information, refer to the GitHub repo.

- (Optional) If you have deployed the validator key table and KMS key using Generate validator keys for Ethereum with trusted code in AWS Lambda and AWS Signer, modify the code in app.py to specify the `kms_arn` and `validator_key_table_arn`. Otherwise, skip this step.

- Deploy the sample code with the AWS CDK CLI:

```bash
cdk deploy devNitroValidator -O output.json
```
Production deployment enables the cryptographic attestation feature. No console access to the enclave is possible.
The deployment process is the same as described in the development section above, apart from the cdk deployment step (step 2 above):

```bash
cdk deploy prodNitroSigner -O output.json
```

Follow all subsequent steps from the dev deployment pointed out above.
See CONTRIBUTING for more information.
This library is licensed under the MIT-0 License. See the LICENSE file.