Solution: trying to add a gCloud KMS signer into SigningEthClientLayer, using google KMS to manage the private key and stores it in the hardware.
There are three environment variables need to be setup before using the Google KMS signer
GOOGLE_APPLICATION_CREDENTIALS - a service account credential file to allow server to access the google KMS services.
GOOGLE_KMS_OP_KEY_NAME - the KMS key path of the eth sender operator. For example:
It needs to be matched with the google projects setup to able to access the keys in the google kms.
GOOGLE_KMS_OP_BLOB_KEY_NAME(optional) - the KMS key path of the eth sender blob operator.
Note
The zksync V25 start to introduce the node framework for setup the zk node. There for this PR is only for V24.2.0 on our tesetnet for testing purpose. Later on I will migrate it to the upstream and may using zksync config system instead of the environment variables.
Deployment
During the key setup during the network deployment, we can:
Let KMS generate key itself, and no one can know the private key.
Use ethereum secret key (a 32-bytes seed), convert it into pem format using openssl ec -inform, and then can import it into KMS, it requires setup key_import_job on google cloud console.
Once got keys in the KMS. We can attest/verify the key through the google cloud console.
For the network deploy we will need to setup the converted ethereum address relate to these keys and set into the L1 contracts.
Solution: trying to add a gCloud KMS signer into SigningEthClientLayer, using google KMS to manage the private key and stores it in the hardware.
There are three environment variables need to be setup before using the Google KMS signer
GOOGLE_APPLICATION_CREDENTIALS - a service account credential file to allow server to access the google KMS services. GOOGLE_KMS_OP_KEY_NAME - the KMS key path of the eth sender operator. For example:
The key path format is:
It needs to be matched with the google projects setup to able to access the keys in the google kms.
GOOGLE_KMS_OP_BLOB_KEY_NAME(optional) - the KMS key path of the eth sender blob operator.
Note
The zksync V25 start to introduce the node framework for setup the zk node. There for this PR is only for V24.2.0 on our tesetnet for testing purpose. Later on I will migrate it to the upstream and may using zksync config system instead of the environment variables.
Deployment
During the key setup during the network deployment, we can:
Once got keys in the KMS. We can attest/verify the key through the google cloud console. For the network deploy we will need to setup the converted ethereum address relate to these keys and set into the L1 contracts.