Remote Signer
You may not want the operator service to have direct access to the validator keys. Validator keystores do not need to be present directly in the operator. The operator can query a remote signer to get signatures for validator deposit and exit messages.
Prerequisites
Complete the following steps before proceeding:
Required Setup Steps
Setup Remote Signer (Optional)
If you already have private keys uploaded to the remote signer, proceed to Running the Operator below.
Example Usage
./operator setup-remote-signer \
--vaults=0x3320a...68 \
--remote-signer-url=http://signer:9000
Example Output
Successfully imported 20 keys into remote signer.
Remove local keystores? [y/N]: y
Removed keystores from local filesystem.
Done. Successfully configured operator to use remote signer for 20 public key(s)!
setup-remote-signer
Options
--vaults
- The Vault address(es)
--remote-signer-url
- The base URL of the remote signer, e.g. http://signer:9000
--data-dir
- Path where the Vault data is stored. Default is ~/.stakewise
--keystores-dir
- The directory with validator keys in the EIP-2335 standard
--verbose
- Enable debug mode. Default is false
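Before answering y to the "Remove local keystores?" prompt, it is worth confirming that every local key is actually loaded in the remote signer. The script below is an added example, not part of the operator: it compares the pubkey field of each keystore in the keystores directory with the keys the signer reports. Assumptions: keystores are *.json files that carry the optional EIP-2335 pubkey field, and the signer exposes a Web3Signer-style GET /api/v1/eth2/publicKeys endpoint returning a JSON array of hex keys.

```python
import json
import urllib.request
from pathlib import Path


def normalize(pubkey: str) -> str:
    """Lowercase a hex public key and drop any 0x prefix for comparison."""
    key = pubkey.strip().lower()
    return key[2:] if key.startswith("0x") else key


def local_pubkeys(keystores_dir: str) -> dict[str, str]:
    """Map normalized pubkey -> keystore file name for every keystore found."""
    found = {}
    for path in sorted(Path(keystores_dir).glob("*.json")):
        try:
            pubkey = json.loads(path.read_text()).get("pubkey")
        except (json.JSONDecodeError, OSError, AttributeError):
            pubkey = None
        if not pubkey:
            # Fail closed: a keystore we cannot identify must not be deleted.
            raise ValueError(f"{path.name}: unreadable or has no 'pubkey' field")
        found[normalize(pubkey)] = path.name
    return found


def signer_pubkeys(base_url: str, timeout: float = 5.0) -> list[str]:
    """Fetch loaded keys. ASSUMPTION: Web3Signer-style key listing endpoint."""
    url = base_url.rstrip("/") + "/api/v1/eth2/publicKeys"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def missing_from_signer(keystores_dir: str, remote_keys: list[str]) -> list[str]:
    """Return keystore file names whose pubkey the signer does not report."""
    remote = {normalize(k) for k in remote_keys}
    return sorted(name for key, name in local_pubkeys(keystores_dir).items()
                  if key not in remote)


if __name__ == "__main__":
    import sys
    keystores, url = sys.argv[1], sys.argv[2]  # <keystores-dir> http://signer:9000
    missing = missing_from_signer(keystores, signer_pubkeys(url))
    for name in missing:
        print(f"NOT in remote signer, keep local copy: {name}")
    sys.exit(1 if missing else 0)
```

A non-zero exit status means at least one local key is absent from the signer, so the local keystores should be kept.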
Running the Operator
Provide the operator with the URL to your remote signer instance using the --remote-signer-url flag:
./operator start-remote-signer --remote-signer-url=http://remote-signer:9000 ...
You should see a message similar to this one after starting the operator:
Using remote signer at http://remote-signer:9000 for 20 public keys
Successful Configuration
When properly configured, the Operator Service will connect to your remote signer and manage validator operations without requiring local access to private keys.