The KMS Derive Server provides derivation endpoints to derive secrets. It is meant to be run inside an enclave and used by enclave applications to derive secrets such as wallet keys.
```sh
cargo build --release
```

Reproducible builds can be done using Nix. The monorepo provides a Nix flake which includes this project and can be used to trigger builds:

```sh
nix build -v .#<flavor>.kms.derive-server.<output>
```

Supported flavors:

- gnu
- musl

Supported outputs:

- default, same as compressed
- uncompressed
- compressed, using upx
```text
$ ./target/release/kms-derive-server --help
Usage: kms-derive-server [OPTIONS]

Options:
      --kms-endpoint <KMS_ENDPOINT>
          KMS endpoint
      --kms-pubkey <KMS_PUBKEY>
          KMS X25519 pubkey, hex encoded
      --listen-addr <LISTEN_ADDR>
          Listening address [default: 127.0.0.1:1100]
      --attestation-endpoint <ATTESTATION_ENDPOINT>
          Attestation endpoint [default: http://127.0.0.1:1301/attestation/raw]
      --secret-path <SECRET_PATH>
          Path to X25519 secret file [default: /app/x25519.sec]
      --contract-address-file <CONTRACT_ADDRESS_FILE>
          file containing enclave verification contract address in hexadecimal
      --root-server-config <ROOT_SERVER_CONFIG>
          JSON config file containing the root server's details
  -h, --help
          Print help
  -V, --version
          Print version
```
`/derive`

```text
GET /derive?path=<path>

<binary data of the derived key in response>
```

`/derive/secp256k1`

```text
GET /derive/secp256k1?path=<path>

<binary data of the derived key in response>
```

`/derive/ed25519`

```text
GET /derive/ed25519?path=<path>

<binary data of the derived key in response>
```

`/derive/x25519`

```text
GET /derive/x25519?path=<path>

<binary data of the derived key in response>
```
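A small client for the endpoints above, added here as an example and not part of the kms-derive-server project: it builds the `GET` URLs with the derivation path percent-encoded, returns the response body as raw key bytes, and ships with a constructed in-process stub server so it runs offline. The stub's 32-byte bodies and the `"raw"` name for the plain `/derive` endpoint are assumptions for the example, not behaviour documented by the project.

```python
import hashlib
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, quote, urlparse
from urllib.request import urlopen

# Endpoint paths as listed in the README; each returns binary key material.
ENDPOINTS = {
    "raw": "/derive",
    "secp256k1": "/derive/secp256k1",
    "ed25519": "/derive/ed25519",
    "x25519": "/derive/x25519",
}

def derive_url(base_url: str, kind: str, path: str) -> str:
    """Build the GET URL; the derivation path is percent-encoded so that
    '/', '&' or '#' inside it cannot rewrite the query string."""
    if kind not in ENDPOINTS:
        raise ValueError(f"unknown derivation kind: {kind!r}")
    return f"{base_url.rstrip('/')}{ENDPOINTS[kind]}?path={quote(path, safe='')}"

def derive(base_url: str, kind: str, path: str, timeout: float = 5.0) -> bytes:
    """Fetch the derived key and return the raw body bytes (never log them)."""
    with urlopen(derive_url(base_url, kind, path), timeout=timeout) as resp:
        # urlopen raises on 4xx/5xx; reject any other non-200 answer too.
        if resp.status != 200:
            raise RuntimeError(f"derive server returned HTTP {resp.status}")
        return resp.read()

class _StubHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the real server (assumption: 32-byte bodies).
    Output depends only on (endpoint, path), so requests are deterministic."""
    def do_GET(self):
        url = urlparse(self.path)
        query = parse_qs(url.query)
        if url.path not in ENDPOINTS.values() or "path" not in query:
            self.send_error(404)
            return
        body = hashlib.sha256(f"{url.path}|{query['path'][0]}".encode()).digest()
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):  # keep the stub quiet
        pass

def start_stub_server() -> str:
    """Start the stub on a free loopback port and return its base URL."""
    server = HTTPServer(("127.0.0.1", 0), _StubHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_address[1]}"
```

Against a real deployment, point `derive()` at the server's `--listen-addr` (default `http://127.0.0.1:1100`) instead of the stub.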
This project is licensed under the Apache License, Version 2.0. See LICENSE.txt.