Skip to main content

Configuring a server for the API Co-Signer

  • Updated

Overview

Your API server co-signing components must be executed from an SGX-enabled machine with an SGX driver loaded.

This article describes the steps to configure a compatible cloud-based or on-premises (or "on-prem") server for your API Co-Signer using our supported configurations.

Note

For cloud-based servers, we recommend the Azure cloud-based configuration because Azure offers better RAM and CPU options.

Setup Option 1: Azure Confidential Compute VM

Step 1: Create the Azure VM

Follow this Microsoft installation guide.

  • Only the Configure an Intel SGX virtual machine section is required. The necessary settings are listed below.
  • You do not need to complete the Connect to the Linux VM or Next Steps sections.

Make sure you have these settings in the Get Started section:

  1. Image: Ubuntu 20.04 LTS (Canonical)
    image.png
  2. Region: Select your region.
  3. Under the "Advanced" tab: Gen 2
  4. Size (recommended): Standard_DC4s_v3

    Note

    Standard_DC4s_v3 isn’t mandatory. Standard_DC4s_v2 also works, but v3 allows for optimized performance and isn’t available out of the box. This requires requesting a quota increase by opening a ticket with the Azure support team. See the official Microsoft documentation for a list of SGX-supported instances.

The final setup window should look like this:

create_a_virtual_machine.png

Depending on your needs or geographic location, you may choose a different Size or Region. The minimum hardware requirements are:

  • 16Gib memory
  • 256GB storage

See the official Microsoft documentation to find which products are available per region.

Step 2: SGX Enablement Verification

After the server creation is complete, verify SGX is enabled with the latest supported microcode and DCAP (FLC).

Setup Option 2: IBM Cloud

Step 1: Create the IBM Cloud server

  1. On the Dashboard page, select Create Resource.
    Screen_Shot_2021-10-06_at_12.02.53.png
  2. Go to IBM Cloud catalog > Compute > Bare Metal Servers.
    Screen_Shot_2021-10-06_at_12.03.14.png
    Screen_Shot_2021-10-06_at_12.03.27.png
  3. In the Server Profile section, select View all profiles.
    Screen_Shot_2021-10-06_at_12.15.06.png
  4. Select Intel Xeon E-2174G CPU:
    Screen_Shot_2021-10-06_at_12.09.53.png
  5. In the Operating system section, select the following options:
    • Vendor: Ubuntu
    • Version: 18.04 LTS (64 bit)
    • RAM (recommended): 32 GB
      Screen_Shot_2021-10-06_at_12.16.12.png
  6. Under Add-ons > Security and business continuity, select the Software Guard Extensions toggle.
    Screen_Shot_2021-10-06_at_12.15.31.png
  7. Select Create.

Step 2: SGX Enablement Verification

After the server creation is complete, verify SGX is enabled with the latest supported microcode and DCAP (FLC).

Setup Option 3: On-Prem Server

Note

Fireblocks also supports on-prem servers installed on OVHcLoud providers.

Step 1: On-prem server setup

The requirements for the on-prem server are as follows:

Step 2: SGX Enablement Verification

After the server installation is complete, verify SGX is enabled with the latest supported microcode and DCAP (FLC).

Setup Option 4: Alibaba Security-Enhanced Instance

Important

See this Alibaba Security Enhanced Instance Family Overview document for details on which instance type to select.

Step 1: Create the instance

  1. On the Workbench page, select Elastic Compute Service.
    mceclip0.png
  2. On the Overview tab, select Create Instance.
    mceclip2.png
  3. Select the following options from Custom Launch:
    • Region: Select your region.
    • Instance Type: Enter "g7t" in "Search by instance type name", then select ecs.g7t.2xlarge (recommended).
    • Image: Ubuntu 20.04
    • Storage: 256 GiB
      mceclip3.png
  4. Complete the Networking, System Configurations, and Grouping pages following your organization's policies for each.
  5. Select Create Instance.

Step 2: SGX Enablement Verification

After the server installation is complete, verify SGX is enabled with the latest supported microcode and DCAP (FLC).

SGX Enablement Verification

After completing your server creation or installation, you need to verify that SGX is enabled on the server. The Fireblocks API Co-Signers listed above can only run on SGX-enabled servers with the latest patches, and verifying your configuration will help ensure you don't run into any potential issues later on.

To verify SGX is enabled:

  1. Run the following shell commands on the server: 
    sudo apt update
    sudo apt upgrade
    sudo apt install cpuid
    cpuid -1 | grep -i sgx
  2. Verify the following:
    1. SGX: Software Guard Extensions supported is true
    2. SGX_LC: SGX launch config supported is true
      mceclip4.png

Note

Azure Standard_DC*_v2 instances do not support SGX2, but it is not necessary to run the co-signer 

Was this article helpful?
18 out of 23 found this helpful

Related Articles