
Signing key configuration file parameters

A signing key configuration file is a YAML file that defines the parameters to access one or more signing keys.

Note: You can specify multiple key configurations in a single configuration file by adding a triple-dash separator (---) between configurations.

Specify a maximum file size limit for your signing key configuration file with the --key-store-config-file-max-size command line option. The default size is 100 MB.

Raw unencrypted files

Stores the private key as an unencrypted hexadecimal value directly in the key configuration file. Because the key is in clear text, protect the configuration file as you would the key itself: restrict its file permissions and keep it out of version control.

type: "file-raw"
keyType: "SECP256K1"
privateKey: "0x25b1166a43c109cb330af8945d364722757c65ed2bfed5444b5a2f057f82d391"

Key          Description
type         Type of configuration file. Use file-raw.
keyType      Signing key type. Valid options are BLS or SECP256K1. The default is BLS.
privateKey   Hexadecimal encoded private key string.

Keystore file

Use the private key stored in a keystore file.

type: "file-keystore"
keyType: "SECP256K1"
keystoreFile: "95e57532ede3c1dd879061153f9cfdcdefa9dc5fb9c954a6677bc6641b8d26e39f70b660bbaa732c47277c0096e11400.json"
keystorePasswordFile: "95e57532ede3c1dd879061153f9cfdcdefa9dc5fb9c954a6677bc6641b8d26e39f70b660bbaa732c47277c0096e11400.password"

Key                    Description
type                   Type of configuration file. Use file-keystore.
keyType                Signing key type. Valid options are BLS or SECP256K1. The default is BLS.
keystoreFile           Location of the keystore file.
keystorePasswordFile   Text file containing the password to decrypt the keystore file.

HashiCorp Vault

Use the private key stored in HashiCorp Vault.

type: "hashicorp"
keyType: "SECP256K1"
tlsEnabled: "true"
keyPath: "/v1/secret/data/secretPath"
keyName: "secretName"
tlsKnownServersPath: "/Users/me/project/knownhosts"
serverHost: "localhost"
serverPort: "32895"
timeout: "10000"
token: "s.MuZwBqZ0iE1HzvD64v3HMlhT"

Key                   Description
type                  Type of configuration file. Use hashicorp.
keyType               Signing key type. Valid options are BLS or SECP256K1. The default is BLS.
tlsEnabled            Enable or disable TLS. The default is true.
keyPath               Path to the secret in HashiCorp Vault that contains the private key. The syntax is the same as the path used in the HashiCorp KV Secrets Engine Version 2 HTTP API, for example /v1/secret/data/secretPath.
keyName               Name of the key within that secret whose value is the private key.
tlsKnownServersPath   Path to the file containing the list of trusted HashiCorp Vault servers.
serverHost            Host of the HashiCorp Vault server.
serverPort            Port of the HashiCorp Vault server.
timeout               Timeout in milliseconds for requests to the HashiCorp Vault server.
token                 Vault token used to authenticate. The example shows a root token, which is convenient for a local dev server; in production use a token whose policy grants only read access to keyPath.
httpProtocolVersion   Overrides the HTTP protocol version used to connect to HashiCorp Vault. Valid values are HTTP_2 and HTTP_1_1. The default is HTTP_2.
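To make the keyPath/keyName split concrete, here is an added example in Python (illustrative code, not Web3Signer's own implementation). It builds the KV v2 read request that keyPath, serverHost, serverPort, tlsEnabled and token describe, pulls the key out of the response shape Vault returns for KV v2 (the secret's own fields sit under data.data, beside data.metadata), and derives the read-only Vault policy that lets you replace the root token. The configuration values are the ones from the sample above; the Vault response is constructed for the example, not captured from a server.

```python
"""Map a hashicorp key configuration to the Vault KV v2 read behind it.

Added example, not Web3Signer code. Assumes the standard Vault KV v2 HTTP API:
GET <scheme>://host:port/v1/<mount>/data/<path> with an X-Vault-Token header,
returning the secret's fields under data.data.
"""

# Key configuration from this page (the token is the page's example value, not a real token).
CONFIG = {
    "type": "hashicorp",
    "keyType": "SECP256K1",
    "tlsEnabled": "true",
    "keyPath": "/v1/secret/data/secretPath",
    "keyName": "secretName",
    "serverHost": "localhost",
    "serverPort": "32895",
    "timeout": "10000",
    "token": "s.MuZwBqZ0iE1HzvD64v3HMlhT",
}

# Constructed KV v2 read response. The fields you wrote sit under data.data, beside
# data.metadata, so a naive response["data"][keyName] lookup would fail.
SAMPLE_RESPONSE = {
    "data": {
        "data": {"secretName": "0x25b1166a43c109cb330af8945d364722757c65ed2bfed5444b5a2f057f82d391"},
        "metadata": {"created_time": "2024-01-01T00:00:00Z", "destroyed": False, "version": 1},
    },
}


def vault_request(cfg):
    """Return (url, headers, timeout_seconds) for the KV v2 read the configuration describes."""
    scheme = "http" if cfg.get("tlsEnabled", "true").lower() == "false" else "https"
    url = f"{scheme}://{cfg['serverHost']}:{cfg['serverPort']}{cfg['keyPath']}"
    return url, {"X-Vault-Token": cfg["token"]}, int(cfg["timeout"]) / 1000


def extract_private_key(response, key_name):
    """Pull the value named keyName out of a KV v2 read response."""
    fields = response["data"]["data"]
    if key_name not in fields:
        raise KeyError(f"{key_name!r} not found at this path; fields present: {sorted(fields)}")
    return fields[key_name]


def read_only_policy(key_path):
    """HCL policy granting only 'read' on the secret. Vault policy paths omit the /v1/ prefix."""
    prefix = "/v1/"
    if not key_path.startswith(prefix):
        raise ValueError("keyPath must be a KV v2 HTTP API path starting with /v1/")
    return 'path "%s" {\n  capabilities = ["read"]\n}\n' % key_path[len(prefix):]


if __name__ == "__main__":
    url, headers, timeout = vault_request(CONFIG)
    print("GET", url, headers, f"timeout={timeout}s")
    print("private key:", extract_private_key(SAMPLE_RESPONSE, CONFIG["keyName"]))
    print(read_only_policy(CONFIG["keyPath"]))
```

Write the printed policy to a file and load it with `vault policy write web3signer-read policy.hcl`, then mint a token with `vault token create -policy=web3signer-read` and put that token in the `token` field instead of the root token. Note that the policy path is `secret/data/secretPath`, not `secret/secretPath`: KV v2 policies are written against the `data/` path that the HTTP API uses.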

Azure Key Vault

Use the private key stored in Azure Key Vault. Supports two signing options:

  • azure-key - Performs the signing in Azure Key Vault. Supports SECP256K1 signing keys only.
  • azure-secret - Web3Signer fetches the keys from the vault and signs locally. Supports SECP256K1 and BLS12-381 signing keys.

type: "azure-secret"
keyType: "BLS"
authenticationMode: "USER_ASSIGNED_MANAGED_IDENTITY"
clientId: "***"
tenantId: "***"
vaultName: "AzureKeyVault"
secretName: "SecretName"

Key                  Description
type                 Type of configuration file. Use azure-secret or azure-key.
authenticationMode   Authentication type. Can only be used with the azure-secret type. Valid options are CLIENT_SECRET, SYSTEM_ASSIGNED_MANAGED_IDENTITY, and USER_ASSIGNED_MANAGED_IDENTITY. The default is CLIENT_SECRET.
keyType              Signing key type. Valid options are BLS or SECP256K1. The default is SECP256K1. The azure-key type supports SECP256K1 only.
clientId             ID used to authenticate with Azure Key Vault. Required when using the azure-key type, or when using azure-secret with the CLIENT_SECRET or USER_ASSIGNED_MANAGED_IDENTITY authentication modes.
clientSecret         Secret used to access the vault. Required for the CLIENT_SECRET authentication mode.
tenantId             The tenant ID used to authenticate with Azure Key Vault.
vaultName            Name of the vault to access; the sub-domain of vault.azure.net.
secretName           Name of the secret stored in Azure Key Vault under Secrets. Required when using the azure-secret type.
keyName              Name of the key stored in Azure Key Vault under Keys. Required when using the azure-key type.

AWS Secrets Manager

Use the private key stored in AWS Secrets Manager. Supports BLS keys for consensus layer signing.

type: "aws-secret"
authenticationMode: "SPECIFIED"
keyType: "BLS"
accessKeyId: "foo"
secretAccessKey: "bar"
secretName: "SecretName"
region: "us-west-2"

Key                  Description
type                 Type of configuration file. Use aws-secret.
authenticationMode   Authentication type. Valid options are ENVIRONMENT and SPECIFIED. With ENVIRONMENT, credentials come from the AWS default credential provider chain; with SPECIFIED, the accessKeyId and secretAccessKey in this file are used. The default is SPECIFIED.
keyType              Signing key type. Use BLS.
accessKeyId          Your AWS access key ID.
secretAccessKey      Your AWS secret access key.
secretName           Name of the secret that holds the private key.
region               AWS region to connect to.

AWS Key Management Service

Use the private key stored in AWS Key Management Service (KMS). Supports SECP256K1 keys for execution layer signing.

type: "aws-kms"
authenticationMode: "SPECIFIED"
accessKeyId: "acc_key_id"
secretAccessKey: "foo"
sessionToken: "sess_token"
kmsKeyId: "bar"
region: "us-east-2"
endpointOverride: "http://localhost:4566"

Key                  Description
type                 Type of configuration file. Use aws-kms.
authenticationMode   Authentication type. Valid options are ENVIRONMENT and SPECIFIED. With ENVIRONMENT, credentials come from the AWS default credential provider chain; with SPECIFIED, the accessKeyId and secretAccessKey in this file are used. The default is SPECIFIED.
accessKeyId          AWS access key ID.
secretAccessKey      AWS secret access key.
sessionToken         Session token issued by AWS Security Token Service (STS). Optional, depending on how the credentials were obtained.
kmsKeyId             ID of the KMS key used for signing.
region               AWS region to connect to.
endpointOverride     Endpoint override for AWS KMS. Useful for local testing against LocalStack.

YubiHSM 2

Use the private key stored in the YubiHSM 2 hardware security module.

type: yubihsm2
keyType: SECP256K1
connectorUrl: http://localhost:12345
authKey: 2
password: changeme
opaqueObjId: 5
pkcs11ModulePath: /usr/bin/yubihsm-sdk/lib/pkcs11/yubihsm_pkcs11.so
additionalInitConfig: debug libdebug timeout=5

Key                    Description
type                   Type of configuration file. Use yubihsm2.
keyType                Signing key type. Valid options are BLS or SECP256K1. The default is BLS.
connectorUrl           URL of the YubiHSM connector. Accepts an HTTP URL (http://host:12345) or a USB URL (yhusb://serial=13201047). An HTTP URL requires a running connector service. If you specify yhusb://, Web3Signer picks the first YubiHSM device automatically.
authKey                Authentication key ID used to open a user session, in decimal.
password               Password for the authentication key.
opaqueObjId            Object ID of the stored key, in decimal.
pkcs11ModulePath       Path to the PKCS#11 module.
additionalInitConfig   Optional. Configuration options passed to the PKCS#11 module.

USB Armory Mk II

Use the private key stored on the USB Armory Mk II hardware security module. Web3Signer reads the key through the Interlock application, which must be installed on the device.

type: interlock
interlockUrl: https://10.0.0.1
knownServersFile: ./knownServers.txt
volume: armory
password: usbarmory
keyPath: /key1.txt

Key                Description
type               Type of configuration file. Use interlock.
keyType            Signing key type. Valid options are BLS or SECP256K1. The default is BLS.
interlockUrl       URL of the Interlock web-based file manager. The default is https://10.0.0.1.
knownServersFile   File Web3Signer uses to trust the Interlock server certificate. It is generated automatically if it does not already exist.
volume             Name of the Interlock volume.
password           Password used to access the Interlock volume.
keyPath            Path, on the Interlock file manager, to the text file containing the BLS or SECP256K1 private key as a hex-encoded string. These files can be created directly in Interlock from a browser.
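The note at the top of this page (several configurations in one file, separated by ---) and the per-type tables above can be checked mechanically before Web3Signer loads the file. The following is an added example in Python, not Web3Signer's own code: a small parser for the flat key: value YAML subset these files use, and a validator that applies the documented keyType restrictions, the mode-dependent Azure and AWS credential fields, the KV v2 path shape for hashicorp, and a well-formedness check on file-raw private keys (32 bytes, non-zero, below the curve order). Which fields count as always required is this example's reading of the tables (fields documented without a default), and the SAMPLE file it checks is constructed for the example.

```python
"""Check a Web3Signer-style signing key configuration file. Added example, not Web3Signer
code: flat "key: value" YAML documents separated by --- are parsed (nested YAML is not
supported) and each is checked against the per-type tables on this page. SAMPLE below
is a constructed file, not one taken from the Web3Signer documentation."""
import re

# secp256k1 group order and BLS12-381 scalar field order, for range-checking raw keys.
SECP256K1_ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
BLS12_381_ORDER = 0x73EDA753299D7D483339D80809A1D80553BDA402FFFE5BFEFFFFFFFF00000001

# type -> (allowed keyType values, default keyType, fields this example treats as always
# required: those documented without a default). Mode-dependent fields are added in validate().
TYPES = {
    "file-raw": ({"BLS", "SECP256K1"}, "BLS", {"privateKey"}),
    "file-keystore": ({"BLS", "SECP256K1"}, "BLS", {"keystoreFile", "keystorePasswordFile"}),
    "hashicorp": ({"BLS", "SECP256K1"}, "BLS", {"keyPath", "keyName", "serverHost", "serverPort", "token"}),
    "azure-secret": ({"BLS", "SECP256K1"}, "SECP256K1", {"vaultName", "secretName"}),
    "azure-key": ({"SECP256K1"}, "SECP256K1", {"vaultName", "keyName", "clientId"}),
    "aws-secret": ({"BLS"}, "BLS", {"secretName", "region"}),
    "aws-kms": ({"SECP256K1"}, "SECP256K1", {"kmsKeyId", "region"}),
    "yubihsm2": ({"BLS", "SECP256K1"}, "BLS", {"connectorUrl", "authKey", "password", "opaqueObjId", "pkcs11ModulePath"}),
    "interlock": ({"BLS", "SECP256K1"}, "BLS", {"volume", "password", "keyPath"}),
}

def parse_documents(text):
    """One {key: value} dict per ---separated document; blank and # comment lines are skipped."""
    docs, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "---":
            docs.append(current)
            current = {}
            continue
        key, sep, value = line.partition(":")
        if not sep or not key.strip():
            raise ValueError(f"not a key: value line: {raw!r}")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]  # strip matching surrounding quotes
        current[key.strip()] = value
    return [doc for doc in docs + [current] if doc]

def check_private_key(hex_str, key_type):
    """Return a problem string for a file-raw private key, or None if it is well formed."""
    digits = hex_str[2:] if hex_str.lower().startswith("0x") else hex_str
    if not re.fullmatch(r"[0-9a-fA-F]{64}", digits):
        return "privateKey: expected 32 bytes (64 hex characters), optionally 0x-prefixed"
    order = SECP256K1_ORDER if key_type == "SECP256K1" else BLS12_381_ORDER
    if not 0 < int(digits, 16) < order:
        return f"privateKey: scalar is zero or not below the {key_type} group order"
    return None

def validate(doc):
    """Return the problems with one parsed configuration; an empty list means it passes."""
    kind = doc.get("type")
    if kind not in TYPES:
        return [f"type: unknown or missing ({kind!r})"]
    allowed, default_key_type, required = TYPES[kind]
    errors, required = [], set(required)
    key_type = doc.get("keyType", default_key_type)
    if key_type not in allowed:
        errors.append(f"keyType: {key_type!r} is not valid for {kind}; allowed: {sorted(allowed)}")
    if kind.startswith("azure"):
        if kind == "azure-key" and "authenticationMode" in doc:
            errors.append("authenticationMode: only valid with the azure-secret type")
        # azure-key has no mode field; this example assumes it authenticates like CLIENT_SECRET.
        mode = doc.get("authenticationMode", "CLIENT_SECRET") if kind == "azure-secret" else "CLIENT_SECRET"
        if mode in ("CLIENT_SECRET", "USER_ASSIGNED_MANAGED_IDENTITY"):
            required.add("clientId")
        if mode == "CLIENT_SECRET":
            required.add("clientSecret")
    elif kind.startswith("aws") and doc.get("authenticationMode", "SPECIFIED") == "SPECIFIED":
        required.update({"accessKeyId", "secretAccessKey"})  # static credentials in the file (assumption)
    errors.extend(f"{field}: required for type {kind}" for field in sorted(required - set(doc)))
    if kind == "file-raw" and "privateKey" in doc:
        errors.extend(filter(None, [check_private_key(doc["privateKey"], key_type)]))
    if kind == "hashicorp" and "keyPath" in doc and not re.fullmatch(r"/v1/.+/data/.+", doc["keyPath"]):
        errors.append("keyPath: expected KV v2 HTTP API form /v1/<mount>/data/<path>")
    return errors

SAMPLE = """\
type: "file-raw"
keyType: "SECP256K1"
privateKey: "0x25b1166a43c109cb330af8945d364722757c65ed2bfed5444b5a2f057f82d391"
---
type: "hashicorp"
keyPath: "/v1/secret/data/secretPath"
keyName: "secretName"
serverHost: "localhost"
serverPort: "32895"
token: "s.MuZwBqZ0iE1HzvD64v3HMlhT"
---
# broken on purpose: aws-kms is SECP256K1-only and kmsKeyId is missing
type: "aws-kms"
keyType: "BLS"
authenticationMode: "ENVIRONMENT"
region: "us-east-2"
"""
```

Run it as `[validate(d) for d in parse_documents(open(path).read())]`; the first two documents in SAMPLE pass and the third reports both the unsupported keyType and the missing kmsKeyId. The parser only understands the flat one-key-per-line form shown on this page, which is why it rejects anything that is not `key: value`; Web3Signer's own loader is a full YAML parser and is the final authority on what it accepts.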