IMPORTANT NOTES:
- Note that this feature is opt-in, and is therefore not accessible by default to all customers. To enable it, submit a ticket to our Customer Success Manager.
- This article will be deprecated by February 28th, 2025. For all API Co-signer documentation, visit this overview article, which also links to updated Co-signer content in the Developer Portal.
Overview
This guide can be used for both the Nitro and KMS versions of our AWS Co-Signer solutions.
Fireblocks regularly updates the API Co-Signer software with additional security measures and new functionality. To check your current API Co-Signer version, run the following command:
head cosigner -n 3 | grep VER
Update methods
Use one of the following methods to update your API Co-Signer software.
- In-place updates
- New server
- Re-imaging Fireblocks software for the same API Co-Signer machine
In-place updates
Retrieve the latest script from the Fireblocks Console and replace the existing script on the API Co-Signer instance. This step ensures you have the latest script version when re-initializing the API Co-Signer.
- In the Fireblocks Console, copy the AWS Nitro Co-Signer script from Settings > General.
- The in-place update only requires running the following commands:
sudo -i
./cosigner stop
./cosigner start 1.2.0
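An added example (not Fireblocks code): a shell helper that records the script's SHA-256 and version line before and after the in-place replacement, so the change can be audited and a replacement that did not actually change the file is caught. It reuses the version check shown in the Overview; the function names, the sample files and the format of their VER line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: fingerprint the co-signer script before and after an update.

# SHA-256 of a file (falls back to shasum where sha256sum is unavailable).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# Print "<sha256>  <version line>" for a script file.
# Uses the same `head -n 3 | grep VER` check as the article.
cosigner_fingerprint() {
    script=$1
    [ -f "$script" ] || { echo "missing: $script" >&2; return 1; }
    ver=$(head -n 3 "$script" | grep VER) || {
        echo "no VER line in first 3 lines: $script" >&2; return 1; }
    printf '%s  %s\n' "$(sha256_of "$script")" "$ver"
}

# Compare the saved old script with the new one.
# Returns 0 if the fingerprint changed, 1 if identical, 2 on error.
cosigner_changed() {
    old=$(cosigner_fingerprint "$1") || return 2
    new=$(cosigner_fingerprint "$2") || return 2
    printf 'before: %s\nafter:  %s\n' "$old" "$new"
    [ "$old" != "$new" ]
}

# Constructed sample file (not a real co-signer script); the "VER=" line
# format is made up so the functions can be exercised offline.
make_sample() {  # make_sample <path> <version>
    printf '#!/bin/bash\n# VER=%s\necho placeholder\n' "$2" > "$1"
}
```

Keep a copy of the existing script before replacing it, run `cosigner_changed <old copy> cosigner`, and store the output with the change record.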
New server
Fireblocks recommends this method when:
- You want to upgrade the RAM or CPU of your existing API Co-Signer machine.
- Your existing API Co-Signer machine is damaged.
- Your Fireblocks API Co-Signer script version doesn’t support in-place upgrades.
A new server requires creating a new API user as the first user for the machine as described in the AWS KMS setup guide or AWS Nitro setup guide. Then, reassign any Transaction Authorization Policy (TAP) rules from the previous API user to the new one. Learn more about editing existing TAP rules.
If you’re unable to edit your TAP and want to reuse the existing API user, submit a request to Fireblocks Support to invalidate the API key.
Re-imaging Fireblocks software for the same API Co-Signer machine
We recommend using this method when a Fireblocks API Co-Signer version doesn’t support in-place updates and you do not want to replace your machine with another machine.
- Contact Fireblocks Support to invalidate the API user set as the first user on this machine.
- Remove the following items from your API Co-Signer instance:
  - /databases directory
  - .config.local
  - .revisions
- Copy a link to the API Co-Signer script file from your Fireblocks Console.
- Continue with the AWS KMS setup guide or AWS Nitro setup guide.
- Re-enroll any other API users that were deployed to the previous machine. Use their newly-generated API secrets and add them as API users to the API Co-Signer machine by using the command:
./cosigner add-user