Developer Documentation
Search…
Setting up a Trustee
Trustees are a core component of PAD. PAD relies on sufficient number of Trustees acting honestly. This is a means of decentralising trust. Given their essential role, Trustees should be run by trusted individuals.
We recommend running a Trustee on a Raspberry Pi. The Trustee software will then run as a daemon and periodically queries the PAD server and responds accordingly. The procedure is simple: download the scripts; edit the configuration file; then start the Trustee daemon.
In the following sections, we assume access to the Raspberry Pi is already set up, either with a monitor and mouse or in headless mode via secure shell (SSH) (See this for a tutorial on setting up a headless Raspberry Pi).
Clone the repository
1
[email protected]:~$ git clone https://github.com/sw7group/pad-trustee-node
Copied!
The repository is currently private. Please email [email protected] with your GitHub account name and we will send you a licence to provide access to the repo.
The repository consists of the installer script
install.sh, the NodeJS source code of the Trustee, a template configuration file config/pad-trustee.json and a service file service/pad-trustee.service that makes the Trustee a daemon.Install node.js and npm
1
[email protected]:~$ sudo apt update
2
[email protected]:~$ sudo apt install nodejs npm
Copied!
This will install Node.js and npm (Node Package Manager).
Run the installer
with the command
1
[email protected]:~/pad-trustee-node$ ./install.sh
Copied!
where
~/pad-trustee-node is the location of the downloaded repository.The script
- checks if nvm (Node Version Manager) is installed
- if not, prompts to install nvm. The user can also manually install nvm.
- generates a random ID for the Trustee
- generates the decryption key and signing key
- creates directories that sit the configuration files and Trustee private keys, the source code and the service file
- generates a configuration file with the Trustee's ID and private keys
- installs NodeJS 14 and installs dependencies
- most importantly, display the public details of the Trustee
Copy the last step's output of the installer. This information is
required to register the Trustee on the PAD server. This is a sample output of the installer:
1
Trustee ID:
2
trustee_3d552d143e0102e2
3
Trustee full name:
4
Trustee-3d552d143e0102e2
5
Trustee encryption key:
6
-----BEGIN PUBLIC KEY-----
7
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwwvrAS7QgpRx7kWR/447
8
JY7UOZr7DdPRRuDN+zYE85kDh4EBgbgTTBbvk/5wSGg5x5QMR3coAy0HnEqT3Bxb
9
aDu/SH5ep+Ybn/Pfk6ddKjBoFt9j+nvVutprnskuBN5F+zb4YnQnGr9vygdhL74A
10
DLvp0njF3Ab6PZYtv990XrfsE7oBRaXZ+Lx4CV6KiyhDTaOHl7RI854G25O8IS3K
11
VLjjnNK1VTNttODXXJ5yOOk+zMhXHso7diz1fpbkUyg5Ez5Mwj7ksQ9PRFo7jn+P
12
HiAVFSIgd5jk5PSzxo3BozfGouigrjehmpp7HJRk7L5UWwUSUa8xYcPP40FxNZGp
13
YwIDAQAB
14
-----END PUBLIC KEY-----
15
Trustee verification key:
16
-----BEGIN PUBLIC KEY-----
17
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAENkqLf3tg3OkCOsVws9c5ImjpKDPj
18
MuKz6R/aQ2PSwSvAOAiPRHZDwApnyr/v74JrY1DwEeqbaIWn2mVp/euhzw==
19
-----END PUBLIC KEY-----
Copied!
Register as a Trustee
Send the information above (Trustee ID, name, and the public keys) to [email protected] Until then, the PAD server will not process requests from the Trustee.
After registration, an Operator can nominate you to be a Trustee of their instance.
Start the Trustee daemon
Reload the list of user services:
1
[email protected]:~/pad-trustee-node$ systemctl --user daemon-reload
Copied!
Then, the Trustee daemon can be started:
1
[email protected]:~/pad-trustee-node$ systemctl --user start pad-trustee
Copied!
The daemon should fail to start:
1
[email protected]:~/pad-trustee-node$ systemctl --user status pad-trustee
2
3
● pad-trustee.service - pad-trustee-node - Trustee service for Privacy-preserving Accountable Decryption (PAD)
4
Loaded: loaded (...; disabled; vendor preset: enabled)
5
Active: activating (auto-restart) since ...
6
Process: ...
7
Main PID: ...
8
9
start.sh[239579]: [Symbol(kCapture)]: false,
10
start.sh[239579]: [Symbol(kNeedDrain)]: false,
11
start.sh[239579]: [Symbol(corked)]: 0,
12
start.sh[239579]: [Symbol(kOutHeaders)]: [Object: null prototype]
13
start.sh[239579]: },
14
start.sh[239579]: data: { ok: false, message: 'Unauthorized' }
15
start.sh[239579]: },
16
start.sh[239579]: isAxiosError: true,
17
start.sh[239579]: toJSON: [Function: toJSON]
18
start.sh[239579]: }
Copied!
This is because we are using the template API key. We should obtain at least one working Trustee API key to get the daemon running properly.
Obtain Trustee API keys
Whenever a PAD instance is created with you nominated as a Trustee, we will send you the instance name and a Trustee API key associated with the instance. You can choose to join and serve the instance or not.
To join a PAD instance as a Trustee, update the configuration file at
~/.pad-trustee/config/pad-trustee.yaml. The instances section shows the list of instances the Trustee is serving. It is a dictionary where the key is the instance name and the value contains the API key.Remove the template instance for the first time. Afterwards, add new entries in the dictionary with the corresponding instance name and API key.
For example, suppose two instances
my-pad-1.0 and my-pad-2.0 have been created by Operators, and the Trustees' API key for them are pad.api.key1 and pad.api.key2. This is how instances should look like in the configuration file:1
instances:
2
my-pad-1.0:
3
api_key: pad.api.key1
4
my-pad-2.0:
5
api_key: pad.api.key2
Copied!
To apply the changes, restart the Trustee daemon:
1
[email protected]:~/pad-trustee-node$ systemctl --user restart pad-trustee
Copied!
Query Trustee status
You can query the Trustee daemon's status using
systemctl:1
[email protected]:~/pad-trustee-node$ systemctl --user status pad-trustee
2
3
● pad-trustee.service - pad-trustee-node - Trustee service for Privacy-preserving Accountable Decryption (PAD)
4
Loaded: loaded (...; disabled; vendor preset: enabled)
5
Active: active (running)
6
...
Copied!
The status
Active: active (running) shows that the daemon is running properly.For a more detailed log of the daemon, you may use
journalctl:1
[email protected]:~/pad-trustee-node$ journalctl --user-unit pad-trustee
Copied!
To see a live update of the log, use the
-f flag. Press Ctrl + C to exit monitoring.1
[email protected]:~/pad-trustee-node$ journalctl -f --user-unit pad-trustee
Copied!
Updating the Trustee code
To update the Trustee code, download/clone the repository again. Then run
patch.sh.The script will copy the up-to-date code over to the source directory of the Trustee daemon. It will then restart the daemon.
(Optional) Enable Trustee daemon to start on boot
You may wish the Trustee daemon to start automatically on boot. To do this, simply use the
enable command in systemctl:1
[email protected]:~$ systemctl --user enable pad-trustee
Copied!
(Optional) Configure the Trustee daemon
- A PEM-encoded string may be used as the keys in the config file instead of specifying a path. For example, instead of having the section
1
trustee:
2
decryption_key_file: /path/to/decryption.pem
Copied!
You may use a key directly like this:
1
trustee:
2
decryption_key: |-
3
-----BEGIN PRIVATE KEY-----
4
# ...
5
-----END PRIVATE KEY-----
Copied!
- You may change the list of instances the Trustee references in the
instancessection. - You may change the
intervalin seconds in which the Trustee queries the PAD server.
Do not setintervaltoo small, otherwise some requests may be blocked by the server because of rate-limiting.
- You may change the path in which the states of the Trustee is stored at
storage.path.
Last modified 7mo ago