Use KMS to Store Private Keys and Sign Transactions on Bitcoin
Generate wallets, private keys, blockchain addresses, and sign transactions locally
In this guide, you will learn how to generate wallets, private keys, blockchain addresses, and sign transactions locally using Tatum Key Management System (KMS).
This guide shows how to start using KMS on Bitcoin and similar blockchains.
KMS works on any supported blockchain - and the process is even easier on some.
Process overview and prerequisites
Before you start, we recommend that you review the following sections:
Private Keys and Mnemonic Phrases for general information about risks of using private keys and mnemonics in transactions.
Tatum Key Management System (KMS) to learn how to install KMS, how it works, and what it can do.
You will work on the Bitcoin testnet.
With KMS installed, you will go through the following steps:
Generate a managed wallet.
Create a private key.
Generate an address.
Store the private key to your wallet.
Send some test BTC to your new address.
Enable daemon mode.
Initiate a transaction and let KMS sign it.
Get transaction details.
Step 1 - Generate a managed wallet
To generate a wallet that is managed by the KMS, use the generatemanagedwallet command in CLI mode.
Request
When you first use KMS, you will be prompted to enter a password to encrypt your data. This password is created the first time you enter it, and you should store it in a safe place.
The wallet storage is encrypted with an AES cipher and is stored on your local server. The password you provide is used to encrypt the mnemonics and private keys inside. If you lose your password, you will lose access to your mnemonics.
Response
The response contains your wallet mnemonic's signature ID as the first parameter:
Step 2 - Create a private key
In this step, you will generate a private key for your wallet locally.
Private keys are used to authorize transfers of funds from blockchain addresses. Use the getprivatekey command to generate a private key:
Request
The required parameters are:
Your wallet mnemonic's signature ID. The signature ID is the first parameter in the Response from Step 1 - Generate a managed wallet.
Response
The response is the private key of the derivation index that you have specified:
Step 3 - Generate an address
In this step, you will create an address for the private key that you just generated. You can receive funds to the address and use the private key to send them from the address.
Use the getaddress command to generate an address for the same derivation index (0) that you specified in Step 2 - Create a private key:
Request
The parameters required are:
Your wallet mnemonic's signature ID
The derivation index of the address you are generating — the same derivation index that you specified in Step 2 - Create a private key.
The response will contain the address you have just generated:
Step 4 - Store the private key to your wallet
You will now store the private key that you have just generated to the wallet using the storemanagedprivatekey command:
Request
When prompted, enter the private key and the password that you created earlier in this guide:
Enter password + private key
Response
The response will contain the signature ID of the private key, which you can then use to sign transactions.
You can now export the wallet and review it. Enter the following to export:
Request
When prompted, enter your password.
Response
The response will give you details about your wallet:
Step 5 - Send test BTC to your new address
Use a Bitcoin testnet faucet to send some test BTC to your address. You can use any faucet (mobile example).
Send the test BTC to the Bitcoin address that you generated in Step 3 - Generate an address (AAAA3JPvMuwgpKovMTjBBB).
Step 6 - Enable daemon mode
Daemon mode is essentially KMS running in the background and listening for pending transactions to sign and broadcast them.
Transactions are identified by your API key.
You can filter transactions by blockchain.
To enable daemon mode, enter the following code on your local server:
You must enter the password to unlock the wallet storage. The password is required whenever you start the daemon or restart the daemon after it stopped.
By default, Tatum KMS checks for the pending transactions every 5 seconds using this API call. One API call consumes 1 credit from your monthly credit allowance.
You can change the frequency of the check using the period parameter.
Step 7 - Initiate a transaction and let KMS sign it
You can now send bitcoin from your address to any other address.
To do so, send a bitcoin transaction API request to Tatum.
Request (cURL)
Instead of a privateKey, enter a signatureId field that contains your signature ID from Step 4 - Store the private key to your wallet:
As you can see, there was no private key or mnemonic anywhere in the request, nor was any other sensitive information required.
KMS now detects a new pending transaction, signs it locally and sends the transaction to the blockchain.
KMS must also mark the transaction as processed so that it will not be sent to the blockchain again.
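The property described in this step, that a request carries a signatureId and never key material, can be checked on your side before a request body leaves the host. The Python below is an added example, not part of the original guide or of Tatum's code; the body shape (fromAddress/to), the memo field, and every address and ID in the samples are constructed assumptions, and the mnemonic test is only a word-count heuristic.

```python
import hashlib
import json

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
SECRET_FIELDS = {"privatekey", "mnemonic"}  # fields that must stay inside KMS
WIF_VERSIONS = {0x80, 0xEF}                 # Bitcoin mainnet / testnet WIF prefixes

def b58check_payload(text):
    """Decode Base58Check; return version+data bytes, or None if invalid."""
    num = 0
    for ch in text:
        if ch not in B58:
            return None
        num = num * 58 + B58.index(ch)
    raw = num.to_bytes((num.bit_length() + 7) // 8, "big")  # WIF has no leading zero bytes
    body, check = raw[:-4], raw[-4:]
    digest = hashlib.sha256(hashlib.sha256(body).digest()).digest()
    return body if body and digest[:4] == check else None

def classify(value):
    """Heuristically name the kind of secret a string value holds, if any."""
    payload = b58check_payload(value) if isinstance(value, str) else None
    if payload and payload[0] in WIF_VERSIONS and len(payload) in (33, 34):
        return "WIF private key"
    words = value.split() if isinstance(value, str) else []
    if len(words) in (12, 15, 18, 21, 24) and all(w.isalpha() and w.islower() for w in words):
        return "mnemonic-like phrase"
    return None

def audit_request(body_json):
    """Return (uses_signature_id, findings) for a JSON request body."""
    findings, seen_sig = [], False
    stack = [("$", json.loads(body_json))]
    while stack:
        path, node = stack.pop()
        if isinstance(node, dict):
            for key, val in node.items():
                seen_sig |= key == "signatureId"
                if key.lower() in SECRET_FIELDS:
                    findings.append((f"{path}.{key}", "secret field"))
                stack.append((f"{path}.{key}", val))
        elif isinstance(node, list):
            stack.extend((f"{path}[{i}]", v) for i, v in enumerate(node))
        elif classify(node):
            findings.append((path, classify(node)))
    return seen_sig, sorted(findings)

# Constructed sample bodies; addresses, IDs and the memo field are placeholders.
CLEAN = '{"fromAddress":[{"address":"<sender>","signatureId":"00000000-0000-4000-8000-000000000000"}],"to":[{"address":"<recipient>","value":0.001}]}'
LEAKY = '{"fromAddress":[{"address":"<sender>","privateKey":"<wif-placeholder>"}],"memo":"alpha bravo charlie delta echo foxtrot golf hotel india juliet kilo lima"}'
```

audit_request(CLEAN) returns (True, []), while LEAKY is flagged both for the privateKey field and for the phrase hidden in memo; a WIF-encoded key is caught by its checksum even under an innocuous field name.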
Response
When KMS picks up the pending transaction, it will output something like the following sample:
Step 8 - Get transaction details
Using the KMS transaction ID from the id field of the response to the previous request (61fe7c68cf2fbc595cbb89dd in the example above), you can now use the Get transaction details endpoint to acquire the details of the transaction you have just performed.
Request
Response
The response will contain the details of your transaction:
The response contains a Bitcoin transaction ID in the txId field (f7572ef070d381612b7594940cc73ec008e796b37a73ff031f3855d2a23c9ade in the example above), which you can use to view the blockchain transaction in any Bitcoin blockchain explorer.