
Fireblocks API User and CoSigner Setup

Please note that this setup needs access to both majority.com and majority.mobi tenants in Azure. You can switch between the tenants with the following commands:

az login --tenant majority.com

az login --tenant majority.mobi

Setting up the API User in the Fireblocks console

  1. Prepare the CSR and private key:
    openssl req -new -newkey rsa:4096 -nodes -keyout api_private.key -out api_user.csr
  2. Upload the key to the prod-crypto-kv key vault as the secret named fireblocks-credentials--PrivateKey. Upload it with the az CLI, while logged in to the majority.com tenant:
    az keyvault secret set --vault-name prod-crypto-kv --name fireblocks-credentials--PrivateKey -f api_private.key
  3. Create a new API user in the Fireblocks console.
  4. When selecting the Cosigner, select Proprietary SGX Machine and check First user on this machine.
  5. Copy the API User (ID) of the user from the Fireblocks console and create or update a secret called fireblocks-credentials--ApiKey.
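
A pre-upload check for the files from step 1, as an added example that is not part of the original runbook: it confirms that api_user.csr was generated from api_private.key, that the key is 4096-bit RSA, and that the key file is not readable by group or other. The function names are hypothetical and the script assumes openssl is on the PATH.

```shell
#!/bin/sh
# Added example, not part of the original runbook: checks for the files from
# step 1, to run before the `az keyvault secret set` upload in step 2.
# Function names are hypothetical; assumes openssl is on the PATH.

# Public key embedded in the CSR, as PEM.
csr_pubkey() { openssl req -in "$1" -noout -pubkey 2>/dev/null; }

# Public key derived from the private key, as PEM.
key_pubkey() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# True when the CSR carries the public half of this private key.
csr_matches_key() (
    a=$(csr_pubkey "$1") && b=$(key_pubkey "$2") || exit 1
    [ -n "$a" ] && [ "$a" = "$b" ]
)

# Key size in bits, parsed from the first line of the openssl text dump.
key_bits() {
    openssl pkey -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# True when group and other have no permission bits on the key file.
key_is_private() (
    mode=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$mode" = "------" ]
)

# Run every check; print each failure and return non-zero if any failed.
preflight() (
    csr=$1 key=$2 rc=0
    csr_matches_key "$csr" "$key" || { echo "FAIL: $csr was not generated from $key"; rc=1; }
    [ "$(key_bits "$key")" = 4096 ] || { echo "FAIL: $key is not a 4096-bit RSA key"; rc=1; }
    key_is_private "$key" || { echo "FAIL: $key is accessible to group/other"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: all checks passed for $csr and $key"
    exit "$rc"
)

# Usage: sh preflight.sh api_user.csr api_private.key
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```
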

CoSigner setup

  1. Log in to the majority.mobi tenant in the Azure console. Select the following when creating the VM:
    1. Region: US East 2
    2. Security type: Trusted launch virtual machine (NOT Confidential virtual machine)
    3. Image: Ubuntu Server 22.04 LTS (Confidential VM)
    4. Size: DC Series - Standard_DC2s_v3 or higher
    5. Authentication type: SSH Public key. Do not save this key. We will be using az cli to ssh into the machine.
    6. Storage: 256 GB.
    7. vnet: prod-fireblocks-vnet
    8. NIC network security group: Advanced
    9. Identity: Enable system assigned managed identity
    10. Microsoft Entra ID: Login with Microsoft Entra ID
    11. Extensions: Azure AD based SSH Login. You can also install this afterwards.
  2. Once the VM is deployed, go to Access Control and add minority-prod-owner as Virtual Machine Administrator Login.
  3. SSH into the machine: az ssh vm --resource-group prod-fireblocks-rg --name prod-fireblocks-cosigner
  4. Install prerequisites: sudo apt install docker docker-compose
  5. Install uv
    ````
    curl -LsSf https://astral.sh/uv/install.sh | sh

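    # Add to your shell profile (~/.bashrc or ~/.zshrc).
    # Current uv installers place the binary in ~/.local/bin; older ones used ~/.cargo/bin.
    echo 'export PATH="$HOME/.local/bin:$HOME/.cargo/bin:$PATH"' >> ~/.bashrc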
    source ~/.bashrc

    uv python install 3

    echo 'export PATH="$HOME/.local/share/uv/python:$PATH"' >> ~/.bashrc
    source ~/.bashrc

    # This makes pip/pip3 available to ALL processes.
    # Change 3.15 below to the Python version that uv installed.
    PYTHON_PATH=$(uv python find 3.15)
    PYTHON_BIN=$(dirname "$PYTHON_PATH")

    sudo ln -sf "$PYTHON_BIN/python3" /usr/local/bin/python3
    sudo ln -sf "$PYTHON_BIN/python3" /usr/local/bin/python
    sudo ln -sf "$PYTHON_BIN/pip3" /usr/local/bin/pip3
    sudo ln -sf "$PYTHON_BIN/pip3" /usr/local/bin/pip

    # Verify (will work in any subprocess)
    which pip3
    which pip
    ````
  6. Follow the instructions here to set up the cosigner: https://developers.fireblocks.com/reference/install-api-cosigner-azure