A sidecar daemon for cardano-node that holds KES signing keys in mlocked memory, replacing on-disk key files.
KES (Key Evolving Signature) keys must never be stored on disk. A KES key is forward secure: after each evolution the key material of the previous period is erased, so an attacker who compromises the host later obtains only the current evolution and cannot forge signatures for earlier periods. That guarantee holds only if no earlier evolution survives anywhere, including in a file on disk. KES Agent is a standalone process that keeps the current KES signing key in mlocked RAM (so it is never written to swap), evolves it autonomously every KES period (about 36 hours on mainnet), and hands it to cardano-node over a local Unix socket. Because the key lives only in the agent's memory, it survives cardano-node restarts without ever touching persistent storage; a restart of the agent itself loses the key unless another agent can supply it, which is what the multi-agent setups in the User Guide are for. Any process that can connect to the service socket receives the key, so access to that socket must be restricted to the node; see the system hardening guidance in the User Guide.
For production installation, system hardening, multi-agent setups, and key rotation procedures, see the User Guide.
- Platform: Linux only. Windows builds compile but are not supported and will not work correctly.
- cardano-node: 10.7.1 or later (the first version with KES Agent socket support).
- Haskell toolchain: GHC and Cabal (install via GHCup).
- System libraries: libsodium, secp256k1, and libblst. libblst requires manually installing its headers and libblst.a into system-wide locations and adding a pkgconf entry; see the User Guide for details.
Pre-built installer tarballs are available on the Releases page. To build from source instead, follow the steps below.
```sh
git clone https://github.com/input-output-hk/kes-agent/ ./kes-agent
cd kes-agent
cabal update
cabal install exe:kes-agent exe:kes-agent-control
```

Start the agent, giving it the socket paths it should listen on, the pool's cold verification key (the verification key only; the cold signing key stays offline), and the Shelley genesis file, whose parameters determine the KES period length:

```sh
kes-agent run \
  --service-address /path/to/service.socket \
  --control-address /path/to/control.socket \
  --cold-verification-key /path/to/cold.vkey \
  --genesis-file /path/to/shelley-genesis.json
```

Query the running agent over its control socket:

```sh
kes-agent-control --control-address /path/to/control.socket info
```

Run the test suite:

```sh
cabal test all
```

Copyright INTERSECT 2024-2025.
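Before starting the agent, a few pre-flight checks catch the mistakes that undermine the design described above: an RLIMIT_MEMLOCK too small for the agent to lock its key pages, a socket directory that lets other local users connect and receive the key, a cold signing key handed over in place of the verification key, and a genesis file whose KES parameters do not yield the expected period. The script below is an added example written for this page; it is not part of the kes-agent project or its documentation. The 64 MiB memlock minimum, the argument layout, the cardano-cli text-envelope format of the constructed key file, and integer-valued slotLength, slotsPerKESPeriod and maxKESEvolutions fields in the genesis file are assumptions.

```sh
#!/usr/bin/env sh
# kes-agent pre-flight checks. Added example, not part of the kes-agent project.
# Assumptions: key files use the cardano-cli text-envelope format; the genesis
# fields slotLength, slotsPerKESPeriod and maxKESEvolutions are integers;
# 64 MiB (65536 KiB) is a generous lower bound for RLIMIT_MEMLOCK.
KES_MEMLOCK_MIN_KIB=${KES_MEMLOCK_MIN_KIB:-65536}

# The agent keeps the KES key in mlocked pages, and mlock(2) fails with ENOMEM
# once RLIMIT_MEMLOCK is exceeded. $1 is the output of `ulimit -l` (KiB or
# "unlimited"), $2 the minimum KiB required.
memlock_ok() {
  [ "$1" = unlimited ] && return 0
  [ "$1" -ge "$2" ]
}

# Any local process that can connect to the service socket receives the signing
# key, so the directory holding the sockets must not be reachable by "other".
# Group access may still be needed when cardano-node runs as a different user.
dir_private() {
  [ -d "$1" ] || return 1
  case "$(stat -c %a "$1")" in
    *0) return 0 ;;
    *)  return 1 ;;
  esac
}

# The agent needs only the cold *verification* key. Refuse a file that looks
# like a cold signing key envelope: that key must never reach this host.
cold_vkey_ok() {
  [ -f "$1" ] || return 1
  grep -q 'SigningKey' "$1" && return 1
  grep -q 'VerificationKey' "$1"
}

# Extract an integer field from the genesis JSON without depending on jq.
genesis_value() {
  sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p" "$1" | head -n 1
}

# One KES period in seconds: slotsPerKESPeriod * slotLength (129600 s = 36 h on mainnet).
kes_period_seconds() {
  local spk sl
  spk=$(genesis_value "$1" slotsPerKESPeriod); sl=$(genesis_value "$1" slotLength)
  [ -n "$spk" ] && [ -n "$sl" ] || return 1
  echo $(( spk * sl ))
}

# Lifetime of one KES key: maxKESEvolutions periods, after which a new key must
# be generated, certified and installed (62 * 36 h = 93 days on mainnet).
kes_key_lifetime_seconds() {
  local ev p
  ev=$(genesis_value "$1" maxKESEvolutions); p=$(kes_period_seconds "$1") || return 1
  [ -n "$ev" ] || return 1
  echo $(( ev * p ))
}

# Usage: preflight <socket-dir> <cold.vkey> <shelley-genesis.json>
preflight() {
  local status period
  status=0
  memlock_ok "$(ulimit -l)" "$KES_MEMLOCK_MIN_KIB" || { echo "FAIL: RLIMIT_MEMLOCK too low: $(ulimit -l) KiB"; status=1; }
  dir_private "$1" || { echo "FAIL: $1 is reachable by other users"; status=1; }
  cold_vkey_ok "$2" || { echo "FAIL: $2 is not a cold verification key"; status=1; }
  period=$(kes_period_seconds "$3") || { echo "FAIL: no KES parameters found in $3"; status=1; }
  [ "$status" -eq 0 ] && echo "OK: KES period ${period}s, key lifetime $(kes_key_lifetime_seconds "$3")s"
  return "$status"
}

# Self-test against constructed files (placeholder key bytes, not a real key).
demo() {
  local d rc
  d=$(mktemp -d)
  printf '%s\n' '{"type": "StakePoolVerificationKey_ed25519", "description": "constructed example", "cborHex": "58200000000000000000000000000000000000000000000000000000000000000000"}' > "$d/cold.vkey"
  printf '%s\n' '{' '  "slotLength": 1,' '  "slotsPerKESPeriod": 129600,' '  "maxKESEvolutions": 62' '}' > "$d/genesis.json"
  preflight "$d" "$d/cold.vkey" "$d/genesis.json"; rc=$?
  rm -r "$d"
  return "$rc"
}

case "${1:-}" in
  "")     ;;                 # no arguments: define the functions only
  --demo) demo ;;
  *)      preflight "$@" ;;
esac
```

Run it as `sh preflight.sh /path/to/socket-dir /path/to/cold.vkey /path/to/shelley-genesis.json` under the same user that will run kes-agent, since `ulimit -l` reports that user's limit; `--demo` exercises the checks against constructed files. The directory check deliberately inspects only the "other" bits so that a cardano-node running as a different user in a shared group can still reach the service socket.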
Licensed under the Apache License, Version 2.0 (the "License"); see the enclosed NOTICE and LICENSE files.