Load signing keys
Load signing keys using a key configuration file, or bulk load using the eth1
and eth2
subcommands.
Web3Signer supports loading keys with the following methods:
Key storage | Key configuration file | Bulk load with eth1 | Bulk load with eth2 |
---|---|---|---|
Keystore files | x | x | x |
Vaults | |||
Hashicorp Vault | x | ||
Azure Key Vault | x | x | x |
AWS Secrets Manager | x | x | |
AWS KMS | x | x | |
GCP Secret Manager | x | ||
Hardware Security Modules (HSMs) | |||
USB Armory Mk II | x | ||
YubiHSM 2 | x |
You can bulk load in combination with using key configuration files.
Use key configuration files
For each signing key, define the parameters to access the key in a key configuration file.
You can create a separate configuration file for each key, or specify multiple configurations in a
single file by adding a triple-dash separator (---
) between configurations.
The configuration file must be YAML-formatted, and can use any naming format, but must have the .yaml
extension.
Place one or more key configuration files in a single directory which you specify when starting Web3Signer.
Use the --key-store-path
option to specify the
location of the key configuration files.
web3signer --key-store-path=/Users/me/keyFiles/ eth2
Bulk load keys
Azure Key Vault
You can bulk load keys that are stored in Azure Key Vault using the Web3Signer
eth1
subcommand options or
eth2
subcommand options.
For eth1
bulk loading, Web3Signer creates Azure keys connections in bulk mode. The Azure keys
connections are used to perform remote signing using SECP keys. Web3Signer does not download the private keys
for eth1
bulk loading with Azure.
For eth2
bulk loading, Web3Signer bulk loads the BLS keys from Azure Secrets. The bulk loading
mode supports loading multiple consensus layer keys from the same Azure secret, if keys are stored with a line
terminating character such as \n
.
This saves cost when dealing with a large number of keys.
Up to 200 keys can be stored under a secret name.
- Consensus layer client
- Execution layer client
web3signer eth2 --azure-vault-enabled=true --azure-client-id=87efaa5b-4029-4b54-98bb2e2e8a11 \
--azure-client-secret=0DgK4V_YA99RPk7.f_1op0-em_a46wSe.Z \
--azure-tenant-id=34255fb0-379b-4a1a-bd47-d211ab86df81 \
--azure-vault-name=AzureKeyVault
web3signer eth1 --azure-vault-enabled=true --azure-client-id=87efaa5b-4029-4b54-98bb2e2e8a11 \
--azure-client-secret=0DgK4V_YA99RPk7.f_1op0-em_a46wSe.Z \
--azure-tenant-id=34255fb0-379b-4a1a-bd47-d211ab86df81 \
--azure-vault-name=AzureKeyVault
AWS Secrets Manager
You can bulk load consensus layer keys that are stored in AWS Secrets Manager using the Web3Signer
eth2
subcommand options.
The AWS bulk load mode supports loading multiple consensus layer keys from the same secret, if keys
are stored with a line terminating character such as \n
.
This saves cost when dealing with a large number of keys.
Up to 200 keys can be stored under a secret name.
web3signer eth2 --aws-secrets-enabled=true --aws-secrets-access-key-id=AKIA...EXAMPLE \
--aws-secrets-secret-access-key=sk...EXAMPLE \
--aws-secrets-region=us-east-2
AWS Key Management Service
You can bulk load execution layer keys that are stored in the AWS Key Management Service (KMS) using
the Web3Signer eth1
subcommand options.
web3signer eth1 --aws-kms-enabled=true --aws-kms-access-key-id=AKIA...EXAMPLE \
--aws-kms-secret-access-key=sk...EXAMPLE \
--aws-secrets-region=us-east-2
GCP Secret Manager
You can bulk load consensus layer keys that are stored in the GCP Secret Manager using
the Web3Signer eth2
subcommand options.
web3signer eth2 --gcp-secrets-enabled=true --gcp-project-id=AKIA...EXAMPLE
Keystore files
You can bulk load consensus layer or execution layer keys that are stored as keystore files using the Web3Signer
eth1
subcommand options or
eth2
subcommand options.
- Consensus layer client
- Execution layer client
web3signer eth2 --keystores-path=/Users/me/keystores \
--keystores-passwords-path=/Users/me/passwds
web3signer eth1 --keystores-path=/Users/me/keystores \
--keystores-passwords-path=/Users/me/passwds
Use the eth1
or eth2
--keystores-password-file
or --keystores-passwords-path
command line option to specify
keystore passwords.