Remote Signer
The Remote Signer allows you to isolate signing operations from your Operator Service. Validator keystores do not need to be present directly in the Operator. The Operator can query a remote signer like Web3Signer to get signatures for validator deposit and exit messages.
Prerequisites
Complete the following steps before proceeding:
Required Setup Steps
- Installation → completed
- Operator Service → prepared
- Web3Signer running and accessible at your specified URL [1]
Setup Remote Signer
Upload the keystores to a remote signer. If you already have private keys uploaded to the remote signer, proceed to Start Operator Service below.
Example Usage
The following command imports the private keys from the keystores directory into the remote signer. You will be prompted whether to remove the local keystores. Local keystores may be removed as a result of this command since they no longer need to be present.
./operator remote-signer-setup \
--vault=0xf27...10ad9 \
--remote-signer-url=http://signer:9000
Example Output
Enter your vault address: 0xf27...10ad9
Enter the URL of the remote signer (e.g. https://signer:9000): https://localhost:9000
Successfully imported 10 keys into remote signer.
Remove local keystores? [y/N]: y
Removed keystores from local filesystem.
Done. Successfully configured operator to use remote signer for 10 public key(s)!
remote-signer-setup Options
- --remote-signer-url – The base URL of the remote signer.
- --dappnode – Use this flag when running with Dappnode Staking Brain. Must be provided together with the --execution-endpoints flag.
- --vault – The Vault address.
- --execution-endpoints – A comma-separated list of API endpoints for execution nodes. Used to retrieve the Vault validator fee recipient. Required only if the --dappnode flag is set.
- --data-dir – The path where Vault data is stored. Default: ~/.stakewise.
- --keystores-dir – The absolute path to the directory with all the encrypted keystores. Default is the directory generated with the "create-keys" command.
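A check worth running before local keystores are removed, as an added example that is not part of the operator's own code: it compares the public keys in the local keystore files with the keys the remote signer reports as loaded. It assumes EIP-2335 keystore JSON files carrying a `pubkey` field and Web3Signer's `/api/v1/eth2/publicKeys` endpoint; the function names and the command-line arguments are illustrative.

```python
"""Added example: confirm every local validator key is held by the remote signer."""
import json
import sys
import urllib.request
from pathlib import Path


def normalize(pubkey: str) -> str:
    """Lowercase hex without the 0x prefix, so both sources compare equal."""
    pubkey = pubkey.strip().lower()
    return pubkey[2:] if pubkey.startswith("0x") else pubkey


def local_pubkeys(keystores_dir: str) -> set[str]:
    """Collect the `pubkey` field of every keystore JSON file in the directory."""
    keys = set()
    for path in sorted(Path(keystores_dir).glob("*.json")):
        data = json.loads(path.read_text())
        if not (isinstance(data, dict) and isinstance(data.get("pubkey"), str)):
            # Fail closed: an unreadable keystore must not be silently skipped.
            raise ValueError(f"{path.name}: no 'pubkey' field, cannot verify")
        keys.add(normalize(data["pubkey"]))
    return keys


def remote_pubkeys(signer_url: str, timeout: float = 10.0) -> set[str]:
    """Ask Web3Signer which BLS public keys it has loaded."""
    url = signer_url.rstrip("/") + "/api/v1/eth2/publicKeys"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return {normalize(k) for k in json.load(resp)}


def missing_from_signer(local: set[str], remote: set[str]) -> list[str]:
    """Local keys the signer does not report; must be empty before deleting."""
    return sorted(local - remote)


if __name__ == "__main__":
    # Usage (arguments are placeholders): check.py <keystores-dir> <signer-url>
    local = local_pubkeys(sys.argv[1])
    missing = missing_from_signer(local, remote_pubkeys(sys.argv[2]))
    for key in missing:
        print(f"NOT in remote signer: 0x{key}")
    if missing or not local:
        sys.exit(1)
    print(f"All {len(local)} local keys are present in the remote signer.")
```

A non-zero exit status means at least one local key is not held by the signer, or no keystores were found, so the local copies should be kept.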
Start Operator Service
Provide the operator with the URL to your remote signer instance using the --remote-signer-url flag:
./operator start --remote-signer-url=http://remote-signer:9000 ...
You should see a message similar to this one after starting the operator:
Using remote signer at http://remote-signer:9000 for 10 public keys
Successful Configuration
When properly configured, the Operator Service will connect to your remote signer and manage validator operations without requiring local access to private keys.
1. Web3Signer is an open-source remote signing service developed by Consensys, which can sign payloads using secp256k1 and BLS12-381 keys. It supports keys stored either in external vaults or encrypted on disk, and is designed for use with both the Ethereum execution layer and consensus layer.