The KMS Derive Server provides derivation endpoints to derive secrets. It is meant to be run inside an enclave and used by enclave application to derive secrets like wallets.
cargo build --releaseReproducible builds can be done using Nix. The monorepo provides a Nix flake which includes this project and can be used to trigger builds:
nix build -v .#<flavor>.kms.derive-server.<output>Supported flavors:
gnumusl
Supported outputs:
default, same ascompresseduncompressedcompressed, usingupx
$ ./target/release/kms-derive-server --help
Usage: kms-derive-server [OPTIONS] --kms-endpoint <KMS_ENDPOINT> --pcr0 <PCR0> --pcr1 <PCR1> --pcr2 <PCR2> --user-data <USER_DATA>
Options:
--kms-endpoint <KMS_ENDPOINT>
KMS endpoint
--listen-addr <LISTEN_ADDR>
Listening address [default: 127.0.0.1:1100]
--attestation-endpoint <ATTESTATION_ENDPOINT>
Attestation endpoint [default: http://127.0.0.1:1301/attestation/raw]
--secret-path <SECRET_PATH>
Path to X25519 secret file [default: /app/x25519.sec]
--pcr0 <PCR0>
PCR0 of the root server
--pcr1 <PCR1>
PCR1 of the root server
--pcr2 <PCR2>
PCR2 of the root server
--user-data <USER_DATA>
user data of the root server
-h, --help
Print help
-V, --version
Print version
/derive
GET /derive?path=<path>
<binary data of the derived key in response>
/derive/secp256k1
GET /derive/secp256k1?path=<path>
<binary data of the derived key in response>
/derive/ed25519
GET /derive/ed25519?path=<path>
<binary data of the derived key in response>
/derive/x25519
GET /derive/x25519?path=<path>
<binary data of the derived key in response>
This project is licensed under the GNU AGPLv3 or any later version. See LICENSE.txt.