Developers
      Back to home
      1. Roseman Labs help center
      2. Developers

      Self-host

      Summary

      Roseman Labs enables secure multi-party computation using three Engines, each deployed by a participating party. A web Platform can be added for management and authentication. Engines scale vertically and communicate via encrypted TCP; VPN connections are recommended. Deployment requires Kubernetes and Helm and we provide configuration for optional software like Traefik, OpenVPN, Grafana, and Loki. The Engine works with standard x86-64 CPU based machines of typically 2-8 CPU cores, 4-64Gi memory, and 20-512GB storage. Setup involves Helm-based installation, key exchange, and verifying Engine connectivity.

      The following sections contain a more detailed explanation of how the Engines are setup. Please feel free to contact our support team (support@rosemanlabs.com) for questions.

      Architecture

      Components

      A Roseman Labs environment is primarily a distributed set of three Engines that perform computation with secret shared data. Our web Platform can be deployed to operate the environment, but it is not strictly required. The Platform is a traditional web application and requires Keycloak to handle authentication and authorization.

      • Engine: The MPC Engine created by Roseman Labs. This component is deployed by each party.
      • Platform
        • Platform: The web Platform created by Roseman Labs
          • Platform frontend: NGINX serving the frontend bundle
          • Platform backend: Node.js backend
          • Platform database: Postgresql database
        • Keycloak: Read more about Keycloak
          • Keycloak: Java application
          • Keycloak database: Postgresql database

      Scaling

      The Engine is deployed as a Statefulset with a single replica. We can scale each Engine's resources by requesting more CPU or memory. It is not possible to scale the Engine by increasing the number of replicas.

      The Platform and Keycloak deployments can scale vertically by requesting more resources or horizontally by increasing the number of replicas (except for their Postgres databases).

      Network configuration

      The Engine nodes communicate to collaboratively perform computations. The connection between Engines is a custom protocol over TCP with TLS encryption. Each party configures their network to open a port for each CPU core of the Engine (see helm show readme rosemanlabs/base-traefik); to avoid opening many ports when using many CPU cores, a VPN sidecar can be used.

       

      Requirements

      Software

      • Kubernetes: We recommend using a managed Kubernetes offering. Kubernetes derivatives such as OpenShift will likely also work but have not been tested.
      • Helm: Refer to helm.sh/docs/intro/install for installation instructions.

      For networking, logging and monitoring Roseman Labs environments the following dependencies are recommended.

      • Traefik: We provide reference configuration for Traefik (see helm show readme rosemanlabs/base-traefik).
      • OpenVPN: We provide sidecar configuration to connect the Engine instances to each other using VPN tunnels.
      • Grafana and Loki: We provide reference configuration to create centralized logging across the parties and a Grafana dashboard to inspect the logs.

      Minimum hardware requirements

      • Architecture Intel or AMD x86-64: The Roseman Labs Docker images support Intel or AMD architectures, but do not support ARM.
      • 2 CPU cores: The Engine can efficiently make use of multiple cores. Each party should request the same number of CPU cores, because each core is connected to the corresponding core of the other parties.
      • 4Gi Memory: The amount of memory the Engine requires depends on data size and type of data analysis operations. The amount of memory used is similar for all three Engines.
      • 20GB Storage: Note that data can become significantly larger by encrypting. Consider all datasets contributed by the parties and any intermediate analysis results saved to disk and multiply by a factor of 5-20x.

      Network requirements

      The network requirements depend on the connectivity model chosen.

      • VPN (preferred): We recommend that you use our standard connectivity model by using the VPN sidecar that we include in our Helm chart. One of the parties needs to provide a VPN server (therefore, accept incoming connections), while the other parties have an outgoing VPN connection. These VPN connections must pass through network perimeters unrestricted. You can also deviate from our standard connectivity model by terminating the VPN at the edge (or by using different technology such as IPsec, etc.), but then you are responsible for ensuring the traffic correctly routes to the pods.

      • Port forwards: You can choose to open the required ports at the edge and forward the traffic to the pod. You should apply IP allowlists to restrict allowed traffic. We do not recommend port forwards since they are less flexible and require additional work when changing the amount of CPU cores, etc.

      In case the web Platform is deployed by a party, then this party will need to allow for incoming connections to the load balancer that handles the web Platform connections.

       

      Installation

      Prerequisites

      • Credentials to the Roseman Labs Helm registry: Please reach out to Roseman Labs support if you have not yet received credentials.
      • Roseman Labs license key: Please reach out to Roseman Labs support if you have not yet received a license key.
      • Secret material: Each Engine requires the following secret material. To generate these secrets run the scripts in /scripts folder of the rosemanlabs/vdl Helm chart:
        • Certificate authority
        • HTTP certificate (certificate, private key and public key)
        • Data masking certificate (certificate and public key)
      • Optional Platform public key: If the web Platform is used the Engine should be configured with the public key of the web Platform as initial approver.

      Steps

      1. Add the Roseman Labs Helm registry helm repo add rosemanlabs https://helm-registry.rosemancloud.com --username <username> --password <password>
      2. Exchange the public keys for the HTTP certificate and data masking certificate with the other parties.
      3. Each of the three parties should install the Engine helm chart in their cluster, follow the instructions in helm show readme rosemanlabs/vdl.
      4. The installation is successful when all Engine deployments are online and connected to each other, each Engine will log Initialization completed when it is ready.

      Optional steps

      1. Configure the Platform public key as initial approver for the Engine.
      2. Configure Loki to centralize logging for the Engine deployments by setting logging.enabled in the values.
      3. Configure Grafana and the Loki Grafana Dashboard as described in the readme of rosemanlabs/vdl.
      4. The party who deploys Engine node0 can also deploy the web Platform and Keycloak. To deploy the Platform and Keycloak follow the instructions in helm show readme rosemanlabs/platforms and helm show readme rosemanlabs/keycloak.

       

      Validation

      The party to deploy node0 can query the Engine directly, a succesful deployment will respond with the following.

      $ kubectl port-forward svc/node0-api 8000:4443
      $ curl https://localhost:8000/api/v1/ -kd '{"mpcinfo":"yes"}'

      {"buildinfo":"Build: v1.17.0","maxint":"9409569905028393238","number_of_parties":3,"threshold":1}