
Remote Signer

The Remote Signer allows you to isolate signing operations from your Operator Service. Validator keystores do not need to be present directly in the Operator. The Operator can query a remote signer like Web3Signer to get signatures for validator deposit and exit messages.

Prerequisites

Complete the following steps before proceeding:

Required Setup Steps
  1. Installation → completed
  2. Validators Manager → set
  3. Web3Signer running and accessible at your specified URL [1]

Setup Remote Signer

Upload the keystores to a remote signer. If you already have private keys uploaded to the remote signer, proceed to Start Operator Service below.

Example Usage

./operator setup-remote-signer

Example Output

Enter your vault address: 0xf82f6e46d0d0a9536b9ca4bc480372eeafcd9e6c
Enter the URL of the remote signer (e.g. https://signer:9000): https://localhost:9000
Successfully imported 10 keys into remote signer.
Remove local keystores? [y/N]: y
Removed keystores from local filesystem.
Done. Successfully configured operator to use remote signer for 10 public key(s)!

setup-remote-signer Options

  • --remote-signer-url – The URL of the remote signer.
  • --dappnode – Use this flag when running with Dappnode Staking Brain. Must be provided together with the --execution-endpoints flag.
  • --vault – The Vault address.
  • --execution-endpoints – A comma-separated list of API endpoints for execution nodes. Used to retrieve the Vault validator fee recipient. Required only if the --dappnode flag is set.
  • --data-dir – The path where Vault data is stored. Default: ~/.stakewise.
  • --keystores-dir – The directory containing validator keys in the EIP-2335 standard.
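
A check that can be run while the local copies still exist, that is, before answering y to "Remove local keystores?": it compares the pubkey fields of the keystores in --keystores-dir with the keys the signer reports. This is an added example, not part of the operator's own code; it uses Web3Signer's /api/v1/eth2/publicKeys endpoint, and the function names and script name are assumptions made for illustration.

```python
import json
import sys
import urllib.request
from pathlib import Path


def normalize(pubkey):
    """Lower-case and drop a 0x prefix so keys from both sources compare equal."""
    pubkey = pubkey.strip().lower()
    return pubkey[2:] if pubkey.startswith("0x") else pubkey


def keystore_pubkeys(keystores_dir):
    """Return (pubkeys, keystore files lacking a pubkey field) for a directory."""
    keys, unverifiable = set(), []
    for path in sorted(Path(keystores_dir).glob("*.json")):
        data = json.loads(path.read_text())
        if not isinstance(data, dict) or "crypto" not in data:
            continue  # some other JSON file (e.g. deposit data), not a keystore
        if data.get("pubkey"):
            keys.add(normalize(data["pubkey"]))
        else:  # a keystore written without the field cannot be matched by key
            unverifiable.append(path.name)
    return keys, unverifiable


def signer_pubkeys(remote_signer_url, timeout=10):
    """Ask Web3Signer which BLS keys it has loaded (GET /api/v1/eth2/publicKeys)."""
    url = remote_signer_url.rstrip("/") + "/api/v1/eth2/publicKeys"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return {normalize(k) for k in json.load(resp)}


def missing_from_signer(local_keys, remote_keys):
    """Keys that exist locally but that the signer does not report, sorted."""
    return sorted({normalize(k) for k in local_keys} - {normalize(k) for k in remote_keys})


if __name__ == "__main__":
    # Usage: python check_signer_keys.py <keystores-dir> <remote-signer-url>
    local, unverifiable = keystore_pubkeys(sys.argv[1])
    missing = missing_from_signer(local, signer_pubkeys(sys.argv[2]))
    for name in unverifiable:
        print(f"no pubkey field, cannot verify: {name}")
    for key in missing:
        print(f"not loaded in signer: 0x{key}")
    sys.exit(1 if missing or unverifiable else 0)
```

A non-zero exit status means at least one local key is not confirmed in the signer.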

Start Operator Service

Provide the operator with the URL to your remote signer instance using the --remote-signer-url flag:

./operator start-remote-signer \
--vault=0x834F27bC8670491b75af512d943f01D5383F87Cf \
--consensus-endpoints=https://consensus-node \
--execution-endpoints=https://execution-node \
--remote-signer-url=https://remote-signer:9000

You should see a message similar to this one after starting the operator:

Using remote signer at http://remote-signer:9000 for 20 public keys

Additional Configuration

This setup supports various optional flags to provide more flexibility and customization. See all available options in the Start Operator → setup.

Successful Configuration

When properly configured, the Operator Service will connect to your remote signer and manage validator operations without requiring local access to private keys.

1. Web3Signer is an open-source remote signing service developed by Consensys, which can sign payloads using secp256k1 and BLS12-381 keys. It supports keys stored either in external vaults or encrypted on disk, and is designed for use with both the Ethereum execution layer and consensus layer.