priv_validator_laddr listener.
Prerequisites
- A validator currently signing through TMKMS, with access to its
tmkms.tomland state file. - Cosmos-KMS installed and initialized with
kms init. Remote signing tutorial covers installation, which needs Go 1.26 or later, make, and git.
Map the config
TMKMS configuration intmkms.toml translates block for block into kms.yaml:
Move the key
The path depends on where TMKMS holds the key today.From softsign
The softsign backend keeps the key in a file, so this is a format question: whether the Cosmos-KMS file backend reads a tmkms softsign key directly, or the key needs conversion.From YubiHSM or another HSM
Keys generated inside an HSM are typically non-exportable, which is the point of an HSM. A key that cannot leave the device cannot be moved into AWS KMS or another token. For those keys, migrate by rotation instead: generate a new key in the target custodian and rotate the validator to it on chain, which retires the TMKMS-held key entirely. See Rotate a consensus key, Staking.Migrate the double-sign state
TMKMS and Cosmos-KMS both track the last signed height, round, and step per chain, and the protection only works if the new signer starts at or above the old signer’s high-water mark.Cut over
- Stop TMKMS and confirm the process is gone. The validator misses blocks from this moment; that is expected and safe.
- Start Cosmos-KMS with the completed
kms.yaml. It dials the validator and resumes signing. - Confirm signing resumed: the chain includes the validator’s signatures again and the new signer’s state file advances.
Never run TMKMS and Cosmos-KMS at the same time against the same validator key. Each keeps its own last-signed state, so together they can sign the same height, which is a double sign. Stop one fully before starting the other, in both directions, including any rollback.
What can go wrong
- Both signers briefly alive: the double-sign risk above. Cut over with the old process confirmed dead, not just signaled.
- The validator stays dark after cutover: the new signer is not reaching the listener. Check the
validators[].addrtranslation and the firewall between the hosts. - The signer rejects the key file: the softsign format question above. Do not guess at conversions with a production key.
Next steps
- Harden the new setup. See Remote signing best practices.
- Full field reference for the translated config. See the configuration reference.