Overview
Your API server co-signing components must be executed from an SGX-enabled machine with an SGX driver loaded.
This article describes the steps to configure a compatible cloud-based or on-premises (or "on-prem") server for your API Co-Signer using our supported configurations.
Note
For cloud-based servers, we recommend the Azure cloud-based configuration because Azure offers better RAM and CPU options.
Setup Option 1: Azure Confidential Compute VM
Step 1: Create the Azure VM
Follow this Microsoft installation guide.
- Only the Configure an Intel SGX virtual machine section is required. The necessary settings are listed below.
- You do not need to complete the Connect to the Linux VM or Next Steps sections.
Make sure you have these settings in the Get Started section:
- Image: Ubuntu 20.04 LTS (Canonical)
- Region: Select your region.
- Under the "Advanced" tab: Gen 2
- Size (recommended): Standard_DC4s_v3
Note
Standard_DC4s_v3 isn't mandatory; Standard_DC4s_v2 also works. However, v3 offers better performance and isn't available out of the box: it requires a quota increase, which you request by opening a ticket with the Azure support team. See the official Microsoft documentation for a list of SGX-supported instances.
The final setup window should look like this:
Depending on your needs or geographic location, you may choose a different Size or Region. The minimum hardware requirements are:
- 16 GiB memory
- 256 GB storage
See the official Microsoft documentation to find which products are available per region.
Step 2: SGX Enablement Verification
After the server creation is complete, verify SGX is enabled with the latest supported microcode and DCAP (FLC).
Setup Option 2: IBM Cloud
Step 1: Create the IBM Cloud server
- On the Dashboard page, select Create Resource.
- Go to IBM Cloud catalog > Compute > Bare Metal Servers.
- In the Server Profile section, select View all profiles.
- Select Intel Xeon E-2174G CPU.
- In the Operating system section, select the following options:
- Vendor: Ubuntu
- Version: 18.04 LTS (64 bit)
- RAM (recommended): 32 GB
- Under Add-ons > Security and business continuity, select the Software Guard Extensions toggle.
- Select Create.
Step 2: SGX Enablement Verification
After the server creation is complete, verify SGX is enabled with the latest supported microcode and DCAP (FLC).
Setup Option 3: On-Prem Server
Note
Fireblocks also supports on-prem servers hosted with OVHcloud.
Step 1: On-prem server setup
The requirements for the on-prem server are as follows:
- CPU: Use one of the following processors:
- BIOS:
- Enable Intel SGX (Software Guard Extension)
- Enable DCAP (FLC)
- Disable hyperthreading
- Disable Intel SpeedStep Technology
- Disable Onboard VGA
- OS: Ubuntu 20.04
- Memory (recommended): 16 GB RAM
- Storage (recommended): 128 GB SSD
- SGX Memory (minimum): 2 GB EPC
- CPU (minimum): 4 cores
Step 2: SGX Enablement Verification
After the server installation is complete, verify SGX is enabled with the latest supported microcode and DCAP (FLC).
Setup Option 4: Alibaba Security-Enhanced Instance
Important
See this Alibaba Security Enhanced Instance Family Overview document for details on which instance type to select.
Step 1: Create the instance
- On the Workbench page, select Elastic Compute Service.
- On the Overview tab, select Create Instance.
- Select the following options from Custom Launch:
- Region: Select your region.
- Instance Type: Enter "g7t" in "Search by instance type name", then select ecs.g7t.2xlarge (recommended).
- Image: Ubuntu 20.04
- Storage: 256 GiB
- Complete the Networking, System Configurations, and Grouping pages following your organization's policies for each.
- Select Create Instance.
Step 2: SGX Enablement Verification
After the server installation is complete, verify SGX is enabled with the latest supported microcode and DCAP (FLC).
SGX Enablement Verification
After completing your server creation or installation, you need to verify that SGX is enabled on the server. The Fireblocks API Co-Signers listed above can only run on SGX-enabled servers with the latest patches, and verifying your configuration will help ensure you don't run into any potential issues later on.
To verify SGX is enabled:
- Run the following shell commands on the server:
  sudo apt update
  sudo apt upgrade
  sudo apt install cpuid
  cpuid -1 | grep -i sgx
- Verify the following:
- SGX: Software Guard Extensions supported is true
- SGX_LC: SGX launch config supported is true
Note
Azure Standard_DC*_v2 instances do not support SGX2, but SGX2 is not required to run the Co-Signer.
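As an added example (not Fireblocks' own tooling), the script below automates the verification step: it parses cpuid output for the two flags the guide requires, reports SGX2 as informational only, and confirms that an SGX device node exists, since the Co-Signer also needs the SGX driver loaded. The cpuid excerpts are constructed samples, and the device paths assumed are those created by the in-kernel driver (/dev/sgx_enclave), the DCAP out-of-tree driver (/dev/sgx/enclave) and the legacy driver (/dev/isgx).

```shell
#!/bin/sh
# Added example, not Fireblocks' own script. Assumes the cpuid(1) line format
# "<flag name> = true|false" for the flags the guide asks you to verify.

# Return 0 if the cpuid text in $1 reports flag $2 as "= true".
flag_true() {
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*true"
}

# Check the required flags in cpuid text $1. Prints one line per flag and
# returns 0 only when both required flags are true. SGX2 is reported but,
# per the guide, not required (Azure DC*_v2 instances lack it).
check_sgx_text() {
    sgx_status=0
    for flag in "SGX: Software Guard Extensions supported" \
                "SGX_LC: SGX launch config supported"; do
        if flag_true "$1" "$flag"; then echo "ok    $flag"
        else echo "FAIL  $flag"; sgx_status=1; fi
    done
    if flag_true "$1" "SGX2 supported"; then echo "info  SGX2 supported"
    else echo "info  SGX2 not supported (not required)"; fi
    return $sgx_status
}

# Return 0 if a device node from any known SGX driver generation is present
# (in-kernel driver, DCAP out-of-tree driver, legacy isgx driver).
sgx_device_present() {
    for dev in /dev/sgx_enclave /dev/sgx/enclave /dev/isgx; do
        if [ -e "$dev" ]; then echo "ok    SGX device node $dev"; return 0; fi
    done
    echo "FAIL  no SGX device node found; is the SGX driver loaded?"
    return 1
}

# Constructed cpuid excerpt for a host that passes both checks (not real output).
SAMPLE_GOOD='      SGX: Software Guard Extensions supported  = true
      SGX_LC: SGX launch config supported       = true
      SGX1 supported                            = true
      SGX2 supported                            = false'

# Constructed excerpt for a host where launch control (FLC) is disabled in BIOS.
SAMPLE_NO_LC='      SGX: Software Guard Extensions supported  = true
      SGX_LC: SGX launch config supported       = false'

# Live check against this host when run as: sh check_sgx.sh --live
if [ "${1:-}" = "--live" ]; then
    check_sgx_text "$(cpuid -1 | grep -i sgx)" && sgx_device_present
fi
```

Without --live the script only defines the checks, so it can be sourced and pointed at saved cpuid output from several servers.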