Skip to main content
This guide moves a validator’s signing from TMKMS, which is deprecated, to Cosmos-KMS, its successor. The migration has three parts: translate the config, get the key into a Cosmos-KMS backend, and cut over with exactly one signer alive at every moment. For what Cosmos-KMS is and why it replaces TMKMS, see Cosmos-KMS and remote signing. The validator node itself needs no changes: both signers speak the same privval protocol to the same priv_validator_laddr listener.

Prerequisites

  • A validator currently signing through TMKMS, with access to its tmkms.toml and state file.
  • Cosmos-KMS installed and initialized with kms init. Remote signing tutorial covers installation, which needs Go 1.26 or later, make, and git.

Map the config

TMKMS configuration in tmkms.toml translates block for block into kms.yaml:

Move the key

The path depends on where TMKMS holds the key today.

From softsign

The softsign backend keeps the key in a file, so this is a format question: whether the Cosmos-KMS file backend reads a tmkms softsign key directly, or the key needs conversion.

From YubiHSM or another HSM

Keys generated inside an HSM are typically non-exportable, which is the point of an HSM. A key that cannot leave the device cannot be moved into AWS KMS or another token. For those keys, migrate by rotation instead: generate a new key in the target custodian and rotate the validator to it on chain, which retires the TMKMS-held key entirely. See Rotate a consensus key, Staking.

Migrate the double-sign state

TMKMS and Cosmos-KMS both track the last signed height, round, and step per chain, and the protection only works if the new signer starts at or above the old signer’s high-water mark.

Cut over

  1. Stop TMKMS and confirm the process is gone. The validator misses blocks from this moment; that is expected and safe.
  2. Start Cosmos-KMS with the completed kms.yaml. It dials the validator and resumes signing.
  3. Confirm signing resumed: the chain includes the validator’s signatures again and the new signer’s state file advances.
Never run TMKMS and Cosmos-KMS at the same time against the same validator key. Each keeps its own last-signed state, so together they can sign the same height, which is a double sign. Stop one fully before starting the other, in both directions, including any rollback.

What can go wrong

  • Both signers briefly alive: the double-sign risk above. Cut over with the old process confirmed dead, not just signaled.
  • The validator stays dark after cutover: the new signer is not reaching the listener. Check the validators[].addr translation and the firewall between the hosts.
  • The signer rejects the key file: the softsign format question above. Do not guess at conversions with a production key.

Next steps