Remote Signer
The Remote Signer mode lets you isolate validator signing keys from the Operator Service. Instead of storing keystores locally, the Operator queries a remote signer like Web3Signer ↗1 for deposit and exit message signatures.
Prerequisites
Complete the following steps before proceeding:
- Installation → completed
- Operator Service → prepared
- Web3Signer ↗ running and accessible at your specified URL
Setup Remote Signer
Upload the keystores to a remote signer. If you already have private keys uploaded to the remote signer, proceed to Start Operator Service below.
The following command imports private keys from the keystores directory to the remote signer. You will be prompted whether to remove local keystores, since they no longer need to be present.
./operator remote-signer-setup \
--vault=0xf27...10ad9 \
--remote-signer-url=http://signer:9000
Example Output
Enter your vault address: 0xf27...10ad9
Enter the URL of the remote signer (e.g. https://signer:9000): https://localhost:9000
Successfully imported 10 keys into remote signer.
Remove local keystores? [y/N]: y
Removed keystores from local filesystem.
Done. Successfully configured operator to use remote signer for 10 public key(s)!
remote-signer-setup flags
| Flag | Description |
|---|---|
--remote-signer-url | Base URL of the remote signer |
--vault | Vault address |
--dappnode | Use with Dappnode Staking Brain. Requires --execution-endpoints |
--execution-endpoints | Comma-separated execution node API endpoints. Used to retrieve the Vault validator fee recipient. Required with --dappnode |
--data-dir | Path where Vault data is stored. Default: ~/.stakewise |
--keystores-dir | Directory with encrypted keystores. Default is the directory generated with create-keys command |
Start Operator Service
Provide the operator with the URL to your remote signer instance using the --remote-signer-url flag:
./operator start \
--vault=0x834F27bC8670491b75af512d943f01D5383F87Cf \
--consensus-endpoints=https://consensus-node \
--execution-endpoints=https://execution-node \
--remote-signer-url=https://remote-signer:9000
You should see a message similar to this one after starting the operator:
Using remote signer at http://remote-signer:9000 for 10 public keys
For additional configuration, see the full list of optional flags.
1.
Web3Signer is an open-source remote signing service developed by Consensys, which can sign payloads using secp256k1 and BLS12-381 keys. It supports keys stored either in external vaults or encrypted on disk, and is designed for use with both the Ethereum execution layer and consensus layer. ↩