112 | );
113 | }
114 | export default function DocVersionBanner({className}) {
115 | const versionMetadata = useDocsVersion();
116 | if (versionMetadata.banner) {
117 | return (
118 |
122 | );
123 | }
124 | return null;
125 | }
126 |
--------------------------------------------------------------------------------
/static/.nojekyll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Consensys/doc.web3signer/902285b41b43522c0e1cfcf2f15ad3588ebdc153/static/.nojekyll
--------------------------------------------------------------------------------
/static/img/dashboard_hw.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Consensys/doc.web3signer/902285b41b43522c0e1cfcf2f15ad3588ebdc153/static/img/dashboard_hw.png
--------------------------------------------------------------------------------
/static/img/favicon.ico:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Consensys/doc.web3signer/902285b41b43522c0e1cfcf2f15ad3588ebdc153/static/img/favicon.ico
--------------------------------------------------------------------------------
/static/img/favicon.svg:
--------------------------------------------------------------------------------
1 |
16 |
--------------------------------------------------------------------------------
/static/img/transparent_background_diagram.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Consensys/doc.web3signer/902285b41b43522c0e1cfcf2f15ad3588ebdc153/static/img/transparent_background_diagram.png
--------------------------------------------------------------------------------
/tsconfig.json:
--------------------------------------------------------------------------------
1 | {
2 | // This file is not used in compilation. It is here just for a nice editor experience.
3 | "extends": "@docusaurus/tsconfig",
4 | "compilerOptions": {
5 | "baseUrl": "."
6 | }
7 | }
8 |
--------------------------------------------------------------------------------
/vercel.json:
--------------------------------------------------------------------------------
1 | {
2 | "cleanUrls": true,
3 | "redirects": [
4 | { "source": "/en/latest", "destination": "/", "permanent": true },
5 | { "source": "/en/latest/", "destination": "/", "permanent": true },
6 | {
7 | "source": "/en/latest/:match(.*)",
8 | "destination": "/:match(.*)",
9 | "permanent": true
10 | },
11 | { "source": "/en/stable", "destination": "/", "permanent": true },
12 | { "source": "/en/stable/", "destination": "/", "permanent": true },
13 | {
14 | "source": "/en/stable/:match(.*)",
15 | "destination": "/:match(.*)",
16 | "permanent": true
17 | }
18 | ]
19 | }
20 |
--------------------------------------------------------------------------------
/versioned_docs/version-25.3.0/chatbot.mdx:
--------------------------------------------------------------------------------
1 | ---
2 | title: Chatbot
3 | slug: chatbot
4 | ---
5 |
6 | # Chatbot
7 |
8 |
9 |
--------------------------------------------------------------------------------
/versioned_docs/version-25.3.0/concepts/architecture.md:
--------------------------------------------------------------------------------
1 | ---
2 | description: Learn more about Web3Signer's architecture.
3 | sidebar_position: 1
4 | ---
5 |
6 | # Architecture
7 |
8 | Web3Signer is a remote signing client comprised of three main components:
9 |
10 | - Remote signer
11 | - Slashing database
12 | - APIs
13 |
14 | ## The remote signer
15 |
16 | The remote signer [loads private keys](../how-to/load-keys.md) into memory and responds to signature requests.
17 | If you are using an [HSM](../how-to/store-keys/hsm/_category_.json) or a [vault](../how-to/store-keys/vaults/_category_.json) for execution layer signing, the keys stay at rest.
18 | This component communicates with the slashing database, the APIs, and the keystore (if used), to coordinate remote signing.
19 |
20 | ## The slashing database
21 |
22 | The [slashing database](./slashing-protection.md) is a Postgres database that tracks which keys have signed messages.
23 | Database locking ensures that when multiple Web3Signer instances load the same keys, only one instance is permitted to sign.
24 |
25 | ## The APIs
26 |
27 | Web3Signer supports REST and [JSON-RPC APIs](../reference/api/_category_.json) to sign consensus layer and execution layer payloads
28 | respectively. These connections should be carefully secured. Web3Signer offers [TLS communication](../how-to/configure-tls.md).
29 |
--------------------------------------------------------------------------------
/versioned_docs/version-25.3.0/concepts/slashing-protection.md:
--------------------------------------------------------------------------------
1 | ---
2 | description: Learn how slashing protection works in Web3Signer.
3 | sidebar_position: 2
4 | ---
5 |
6 | # Slashing protection
7 |
8 | Slashing refers to penalties that are applied to consensus layer validators that sign conflicting
9 | blocks or attestations.
10 |
11 | Web3Signer provides slashing protection to prevent validators from signing blocks and attestations
12 | based on what it knows has already been signed.
13 | A slashing protection database records each block and attestation signed by a validator.
14 |
15 | Slashing protection is enabled by default, and you are responsible for [creating and maintaining]
16 | the required PostgreSQL database, or you can disable slashing protection by setting
17 | [`--slashing-protection-enabled`](../reference/cli/subcommands.md#slashing-protection-enabled) to `false`.
18 |
19 | :::info
20 |
21 | Web3Signer only supports PostgreSQL for creating the slashing protection database.
22 |
23 | :::
24 |
25 | Multiple Web3Signer instances can connect to the same slashing protection database.
26 | Database locking ensures that if Web3signer instances load the same keys, only one Web3signer
27 | instance actually signs.
28 |
29 |
30 |
31 | [creating and maintaining]: ../how-to/configure-slashing-protection.md
32 |
--------------------------------------------------------------------------------
/versioned_docs/version-25.3.0/concepts/tls.md:
--------------------------------------------------------------------------------
1 | ---
2 | description: Learn about secure communication using TLS in Web3Signer.
3 | sidebar_position: 3
4 | ---
5 |
6 | # TLS communication
7 |
8 | Web3Signer supports TLS to secure inbound and outbound HTTP JSON-RPC requests, and communication
9 | with HashiCorp Vault.
10 |
11 | Private keys and certificates for client and server TLS connections must be stored in
12 | password-protected PKCS #12 keystores.
13 | You must configure the server (in this example, [Besu](https://besu.hyperledger.org/)) to accept TLS connections.
14 |
15 | Use the command line options to configure TLS on [HTTP JSON-RPC requests](../how-to/configure-tls.md)
16 | and [HashiCorp Vault](../how-to/store-keys/vaults/hashicorp.md).
17 |
--------------------------------------------------------------------------------
/versioned_docs/version-25.3.0/get-started/build-from-source.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Build from source
3 | description: Build Web3Signer from the source code.
4 | sidebar_position: 3
5 | ---
6 |
7 | # Build from source
8 |
9 | ## Prerequisites
10 |
11 | - [Java JDK](https://jdk.java.net/)
12 |
13 | :::caution Important
14 |
15 | Web3Signer requires Java 21 or later releases.
16 |
17 | :::
18 |
19 | - [Git](https://git-scm.com/downloads) or [GitHub Desktop](https://desktop.github.com/)
20 |
21 | ## Installation on Linux / Unix / macOS
22 |
23 | ### Clone the Web3Signer repository
24 |
25 | Clone the `Consensys/web3signer` repository:
26 |
27 | ```bash
28 | git clone --recursive https://github.com/Consensys/web3signer.git
29 | ```
30 |
31 | ### Build Web3Signer
32 |
33 | After cloning, go to the `web3signer` directory.
34 |
35 | ```bash
36 | cd web3signer
37 | ```
38 |
39 | Build Web3Signer with the Gradle wrapper `gradlew`:
40 |
41 | ```bash
42 | ./gradlew build
43 | ```
44 |
45 | Go to the distribution directory:
46 |
47 | ```bash
48 | cd build/distributions/
49 | ```
50 |
51 | Expand the distribution archive:
52 |
53 | ```bash
54 | tar -xzf web3signer-.tar.gz
55 | ```
56 |
57 | Move to the expanded folder and display the Web3Signer help to confirm installation.
58 |
59 | ```bash
60 | cd web3signer-/
61 | bin/web3signer --help
62 | ```
63 |
64 | ## Installation on Windows
65 |
66 | ### Install Web3Signer
67 |
68 | Clone the `Consensys/web3signer` repository:
69 |
70 | ```bat
71 | git clone --recursive https://github.com/Consensys/web3signer.git
72 | ```
73 |
74 | ### Build Web3Signer
75 |
76 | Go to the `web3signer` directory:
77 |
78 | ```bat
79 | cd web3signer
80 | ```
81 |
82 | Build Web3Signer with the Gradle wrapper `gradlew`:
83 |
84 | ```bat
85 | ./gradlew build
86 | ```
87 |
88 | :::note
89 |
90 | To run `gradlew`, you must have the **JAVA_HOME** system variable set to the Java installation directory. For example: `JAVA_HOME = C:\Program Files\Java\jdk1.8.0_181`.
91 |
92 | :::
93 |
94 | Go to the distribution directory:
95 |
96 | ```bat
97 | cd build/distributions
98 | ```
99 |
100 | Expand the distribution archive:
101 |
102 | ```bat
103 | tar -xzf web3signer-.tar.gz
104 | ```
105 |
106 | Go to the expanded folder and display the Web3Signer help to confirm installation.
107 |
108 | ```bat
109 | cd web3signer-
110 | bin/web3signer --help
111 | ```
112 |
--------------------------------------------------------------------------------
/versioned_docs/version-25.3.0/get-started/install-binaries.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Install binary distribution
3 | description: Install Web3Signer from a binary distribution.
4 | sidebar_position: 1
5 | ---
6 |
7 | # Install binary distribution
8 |
9 | import Tabs from '@theme/Tabs';
10 | import TabItem from '@theme/TabItem';
11 |
12 | ## Prerequisites
13 |
14 | - [Java JDK](https://jdk.java.net/)
15 |
16 | :::caution Important
17 |
18 | Web3Signer requires Java 21 or later releases.
19 |
20 | :::
21 |
22 | ## Install binaries
23 |
24 | Download the Web3Signer [packaged binaries](https://github.com/Consensys/web3signer/releases/latest).
25 |
26 | :::tip
27 | View the [**Releases** page](https://github.com/Consensys/web3signer/releases) to download a specific version.
28 | :::
29 |
30 | Unpack the downloaded files and change into the `web3signer-` directory.
31 |
32 | Display Web3Signer command line help to confirm installation:
33 |
34 |
35 |
36 |
37 | ```bash
38 | bin/web3signer --help
39 | ```
40 |
41 |
42 |
43 |
44 | ```bat
45 | bin\web3signer --help
46 | ```
47 |
48 |
49 |
50 |
--------------------------------------------------------------------------------
/versioned_docs/version-25.3.0/get-started/key-best-practices.md:
--------------------------------------------------------------------------------
1 | ---
2 | description: Apply best practices to keep keys and Web3Signer secure.
3 | sidebar_position: 5
4 | ---
5 |
6 | # Private key management best practices
7 |
8 | Web3Signer manages validator keys for Ethereum 2.0 staking.
9 | This document outlines best practices for key generation, storage, access control, and system security when using Web3Signer.
10 | The following guidelines help protect your staked assets and supports Ethereum network integrity.
11 |
12 | ## Generate secure BLS keys
13 |
14 | - Use cryptographically secure random number generators for key generation.
15 | - Consider using hardware security modules (HSMs) for key generation to ensure physical security.
16 | - Implement proper key rotation policies to limit the impact of potential key compromises.
17 |
18 | ## Store keys in a vault or HSM
19 |
20 | - Use dedicated key management solutions such as HashiCorp Vault or AWS Key Management Service (KMS).
21 | - Implement encryption for keys at rest and in transit.
22 |
23 | :::note
24 |
25 | Currently, Web3Signer doesn't support direct encryption of keys in storage. This is a known limitation that should be addressed in future updates.
26 |
27 | :::
28 |
29 | - Use hardware security modules (HSMs) for the highest level of key protection, ensuring keys never leave the secure hardware.
30 |
31 | ## Use environment authentication for vaults or HSMs
32 |
33 | - Use environment variables for authentication credentials instead of hardcoding them.
34 | - Implement IAM roles and policies for cloud-based solutions, for example AWS IAM roles for EC2 instances.
35 | - Use Kubernetes secrets or similar container orchestration tools for managing environment variables securely.
36 | - Regularly rotate authentication credentials and limit their scope to the minimum required permissions.
37 |
38 | ## Expose validator signing API on necessary network interfaces only
39 |
40 | - Configure Web3Signer to bind only to specific IP addresses or network interfaces.
41 | - Use firewalls or security groups to restrict inbound traffic to the signing API.
42 | - Implement network segmentation to isolate the signing service from other components.
43 | - Use a reverse proxy to add another layer of security and control.
44 |
45 | ## Enable TLS authentication between validator client and Web3Signer
46 |
47 | - Generate and use strong SSL/TLS certificates for all communications.
48 | - Implement mutual TLS (mTLS) for bidirectional authentication.
49 | - Regularly update and rotate TLS certificates.
50 | - Configure proper cipher suites and TLS versions to ensure strong encryption.
51 |
52 | ## Restrict host access with `--http-host-allowlist`
53 |
54 | - Use the `--http-host-allowlist` option to specify which hostnames are allowed to access the Web3Signer API.
55 | - Regularly review and update the allowlist to maintain tight access control.
56 | - Implement additional network-level access controls to complement this feature.
57 | - Monitor and log all access attempts, especially those from non-allowlisted hosts.
58 |
59 | ## Disable the key manager API or restrict access
60 |
61 | - If you don't need the key manager API, disable it completely using the appropriate configuration option.
62 | - If required, implement strict access controls for the key manager API:
63 | - Use IP allowlisting.
64 | - Implement strong authentication mechanisms, for example API keys and OAuth.
65 | - Apply rate limiting to prevent overuse.
66 | - Regularly audit access logs for the key manager API.
67 |
68 | ## Configure Postgres database with TLS authentication
69 |
70 | - Enable SSL/TLS for all database connections.
71 | - Use strong, unique client certificates for each Web3Signer instance.
72 | - Implement proper certificate validation on both client and server sides.
73 | - Regularly rotate database credentials and certificates.
74 | - Use tools such as pgBouncer with TLS support for connection pooling and additional security.
75 |
76 | ## Restrict access to the key config
77 |
78 | - Implement file system-level permissions to limit read access to only Web3Signer.
79 | - Use encrypted file systems or volume-level encryption for additional protection.
80 | - Implement audit logging for all access attempts to key configuration files.
81 | - Use a secrets management solution to dynamically provide key configurations to Web3Signer.
82 |
83 | ## Run Web3Signer in a secure enclave
84 |
85 | - Use AWS Nitro Enclaves or similar secure computing environments.
86 | - Implement attestation mechanisms to verify the integrity of the enclave.
87 | - Use encrypted communication channels between the enclave and other components.
88 | - Regularly update and patch the enclave environment to address security vulnerabilities.
89 | - Implement proper logging and monitoring solutions that respect the enclave's security boundaries.
90 |
--------------------------------------------------------------------------------
/versioned_docs/version-25.3.0/get-started/start-web3signer.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Start Web3Signer
3 | description: Start Web3Signer.
4 | sidebar_position: 4
5 | ---
6 |
7 | # Start Web3Signer
8 |
9 | import Tabs from '@theme/Tabs';
10 | import TabItem from '@theme/TabItem';
11 |
12 | :::note
13 | This documentation has been updated in line with the name changes [recommended by the Ethereum
14 | Foundation](https://blog.ethereum.org/2022/01/24/the-great-eth2-renaming/).
15 | The execution layer is formerly "Ethereum 1.0." The consensus layer is formerly "Ethereum 2.0."
16 | :::
17 |
18 | **Prerequisites**:
19 |
20 | - [Signing key configuration files] to access the required signing keys.
21 |
22 | Web3Signer supports consensus layer clients, and execution layer clients, so you
23 | must specify the signing mode, and the location of the signing key configuration files when starting Web3Signer.
24 |
25 |
26 |
27 |
28 | ```bash
29 | web3signer --key-store-path=/Users/me/keyFiles/ eth2 --slashing-protection-db-url="jdbc:postgresql://localhost/web3signer" --slashing-protection-db-username=postgres --slashing-protection-db-password=password
30 | ```
31 |
32 |
33 |
34 |
35 | ```bash
36 | web3signer --key-store-path=/Users/me/keyFiles/ eth1
37 | ```
38 |
39 |
40 |
41 |
42 | In the command line:
43 |
44 | - Use the [`--key-store-path`](../reference/cli/options.md#key-store-path) option to specify the
45 | location of the signing key configuration files.
46 | - Specify the [subcommand] to indicate which signing mode to use.
47 | Valid subcommands are `eth2` and `eth1`.
48 | You can only specify one signing mode when starting Web3Signer.
49 |
50 | ## Consensus layer considerations
51 |
52 | Consensus layer [slashing protection] is enabled by default, and you must specify the details the
53 | [slashing protection database], or disable slashing protection using the
54 | [`--slashing-protection-db-enabled`](../reference/cli/subcommands.md#slashing-protection-enabled)
55 | command line option.
56 |
57 | :::note
58 | Web3Signer also allows you to [bulk load signing keys] stored in Azure Key Vault.
59 | :::
60 |
61 | Start the client, for example [Teku] by specifying the Web3Signer details.
62 |
63 | :::important
64 | If Teku connects to a network other than `mainnet`, then the
65 | [`--network`](../reference/cli/subcommands.md#network) option must be specified, and it must match
66 | the network used by the Teku client.
67 | :::
68 |
69 | ### Public testnets
70 |
71 | If you are running Web3Signer `eth2` mode on a public testnet, then you must specify the `network` option.
72 | It's important that this network matches the one you set up for your validator client.
73 | For example, if you have [Teku set up to run on
74 | Holesky](https://docs.teku.consensys.net/get-started/connect/testnet#sync-the-execution-layer-network)
75 | then you must configure Web3Signer with the Holesky network under the `eth2` subcommand, as in the
76 | following example.
77 |
78 | ```bash
79 | web3signer --key-store-path=/Users/me/keyFiles/ eth2 --network=holesky --slashing-protection-db-url="jdbc:postgresql://localhost/web3signer" --slashing-protection-db-username=postgres --slashing-protection-db-password=password
80 | ```
81 |
82 | See the [`--network` documentation](../reference/cli/subcommands.md#network) for more information
83 | about this option and the supported networks.
84 |
85 | ## Confirm Web3Signer is running
86 |
87 | Use the [`upcheck`](https://consensys.github.io/web3signer/web3signer-eth2.html#tag/Server-Status)
88 | endpoint to confirm Web3Signer is connected and running.
89 |
90 |
91 |
92 |
93 | ```bash
94 | curl -X GET http://localhost:9000/upcheck
95 | ```
96 |
97 |
98 |
99 |
100 | ```json
101 | 200 OK
102 | ```
103 |
104 |
105 |
106 |
107 | Web3Signer by default also performs a health check on the
108 | [slashing protection database].
109 |
110 |
111 |
112 | [Signing key configuration files]: ../how-to/load-keys.md#use-key-configuration-files
113 | [Teku]: https://docs.teku.consensys.net/how-to/use-external-signer/use-web3signer
114 | [subcommand]: ../reference/cli/subcommands.md
115 | [bulk load signing keys]: ../how-to/load-keys.md#bulk-load-keys
116 | [slashing protection]: ../concepts/slashing-protection.md
117 | [slashing protection database]: ../how-to/configure-slashing-protection.md
118 |
--------------------------------------------------------------------------------
/versioned_docs/version-25.3.0/get-started/use-docker.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Run Web3Signer from Docker
3 | description: Run Web3Signer using the official Docker image.
4 | sidebar_position: 2
5 | ---
6 |
7 | # Run Web3Signer from Docker image
8 |
9 | A Docker image is provided to run Web3Signer in a Docker container.
10 |
11 | ## Prerequisites
12 |
13 | - [Docker](https://docs.docker.com/install/)
14 |
15 | - MacOS or Linux
16 |
17 | :::caution Important
18 |
19 | The Docker image does not run on Windows.
20 |
21 | :::
22 |
23 | ## Run Docker image
24 |
25 | Display the Web3Signer command line help using the Docker image:
26 |
27 | ```bash
28 | docker run consensys/web3signer:develop --help
29 | ```
30 |
31 | ## Expose listening port
32 |
33 | To use the default listening port (`9000`) or the port specified using `--http-listen-port`, you must expose the listening port.
34 |
35 | To run Web3Signer exposing listening port for access:
36 |
37 | ```bash
38 | docker run -p :9000 consensys/web3signer:develop [options] [subcommand] [options]
39 | ```
40 |
--------------------------------------------------------------------------------
/versioned_docs/version-25.3.0/how-to/configure-tls.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Configure TLS
3 | description: Configure secure communication using TLS.
4 | sidebar_position: 7
5 | ---
6 |
7 | # Configure TLS
8 |
9 | Configure TLS communication from the command line to allow clients (for example [Teku], a dapp, or
10 | curl) and Web3Signer to communicate securely.
11 |
12 | Web3Signer provides multiple options to configure client TLS access:
13 |
14 | - Specify one or more authorized clients using a [known clients file](#create-the-known-clients-file).
15 | - [Allow all clients with trusted CA certificates to connect].
16 | - [Allow any client to connect].
17 |
18 | This example uses a known clients file to limit access to specified clients.
19 |
20 | :::info
21 | The [Teku tutorial] provides step-by-step instructions to configure the Teku client and Web3Signer
22 | for TLS communication, including creating the required keystores and truststore.
23 | :::
24 |
25 | ## Prerequisites
26 |
27 | **Web3Signer prerequisites**:
28 |
29 | - Web3Signer's password-protected PKCS #12 keystore.
30 | - File containing the keystore password.
31 |
32 | **Client prerequisites**:
33 |
34 | - The client must be configured for TLS.
35 | - Client's PKCS #12 keystore information.
36 |
37 | ## Create the known clients file
38 |
39 | Create a file (in this example, `knownClients.txt`) that lists one or more clients that are trusted
40 | to connect to Web3Signer.
41 | The file can contain clients that use trusted CA or self-signed certificates.
42 |
43 | The file contents use the format `` where:
44 |
45 | - `` is the Common Name used for the client's keystore
46 | - `` is the SHA-256 fingerprint of the client's keystore.
47 |
48 | ```bash
49 | curl_client DF:65:B8:02:08:5E:91:82:0F:91:F5:1C:96:56:92:C4:1A:F6:C6:27:FD:6C:FC:31:F2:BB:90:17:22:59:5B:50
50 | ```
51 |
52 | You can use [OpenSSL](https://www.openssl.org/) or
53 | [keytool](https://docs.oracle.com/javase/6/docs/technotes/tools/solaris/keytool.html) to display the
54 | client's Common Name and fingerprint.
55 | For example:
56 |
57 | ```bash
58 | keytool -list -v -keystore -storetype PKCS12 -storepass
59 | ```
60 |
61 | ## Start Web3Signer
62 |
63 | ```bash
64 | web3signer --key-store-path=/Users/me/keyFiles/ \
65 | --tls-keystore-file=/Users/me/certs/web3signerKeystore.p12 \
66 | --tls-keystore-password-file=/Users/me/certs/password.txt \
67 | --tls-known-clients-file=/Users/me/certs/knownClients.txt
68 | ```
69 |
70 | The command line:
71 |
72 | - Specifies the location of the signing key configuration files using the
73 | [`--key-store-path`](../reference/cli/options.md#key-store-path) option.
74 | - Specifies the Web3Signer keystore using the
75 | [`--tls-keystore-file`](../reference/cli/options.md#tls-keystore-file) option.
76 | - Specifies the file that contains the password to decrypt the keystore using the
77 | [`--tls-keystore-password-file`](../reference/cli/options.md#tls-keystore-password-file) option.
78 | - [Specifies the clients](#create-the-known-clients-file) that are trusted to connect to Web3Signer
79 | using the [`tls-known-clients-file`](../reference/cli/options.md#tls-known-clients-file) option.
80 |
81 | :::note
82 | Use the [`--tls-allow-any-client`](../reference/cli/options.md#tls-allow-any-client) option to allow
83 | access to any client, or [`--tls-allow-ca-clients`](../reference/cli/options.md#tls-allow-ca-clients)
84 | to allow access to any client with a trusted CA certificate.
85 |
86 | You can't use [`--tls-allow-any-client`](../reference/cli/options.md#tls-allow-any-client) with
87 | [`tls-known-clients-file`](../reference/cli/options.md#tls-known-clients-file) or
88 | [`--tls-allow-ca-clients`](../reference/cli/options.md#tls-allow-ca-clients).
89 | :::
90 |
91 | ## Server TLS connection
92 |
93 | Allow Web3Signer to send and receive secure HTTP JSON-RPCs from the server (for example Besu).
94 |
95 | :::note
96 | This can only be used when Web3Signer is eth1 mode.
97 | :::
98 |
99 | **Server prerequisites**:
100 |
101 | - [The server must be configured to allow TLS communication](https://besu.hyperledger.org/private-networks/how-to/configure/tls/client-and-server).
102 | - Server's password-protected PKCS #12 keystore information.
103 |
104 | ### Create the known servers file
105 |
106 | Create a file (in this example, `knownServers`) that lists one or more trusted servers.
107 | The file contents use the format `:` where:
108 |
109 | - `` is the server hostname
110 | - `` is the port used for communication
111 | - `` is the SHA-256 fingerprint of the server's certificate.
112 |
113 | ```bash
114 | localhost:8590 6C:B2:3E:F9:88:43:5E:62:69:9F:A9:9D:41:14:03:BA:83:24:AC:04:CE:BD:92:49:1B:8D:B2:A4:86:39:4C:BB
115 | 127.0.0.1:8590 6C:B2:3E:F9:88:43:5E:62:69:9F:A9:9D:41:14:03:BA:83:24:AC:04:CE:BD:92:49:1B:8D:B2:A4:86:39:4C:BB
116 | ```
117 |
118 | :::note
119 | Specify both hostname and IP address in the file if unsure which is used in requests.
120 | :::
121 |
122 | ### Start Web3Signer
123 |
124 | ```bash
125 | web3signer eth1 --downstream-http-tls-enabled \
126 | --downstream-http-tls-keystore-file=/Users/me/my_node/keystore.pfx \
127 | --downstream-http-tls-keystore-password-file=/Users/me/my_node/keyPassword \
128 | --downstream-http-tls-known-servers-file=/Users/me/my_node/knownServers
129 | ```
130 |
131 | The command line:
132 |
133 | - Enables TLS using the
134 | [`--downstream-http-tls-enabled`](../reference/cli/subcommands.md#downstream-http-tls-enabled) option.
135 | - Specifies the keystore to present during authentication using the
136 | [`--downstream-http-tls-keystore-file`](../reference/cli/subcommands.md#downstream-http-tls-keystore-file) option.
137 | - Specifies the file that contains the password to decrypt the keystore using the
138 | [`--downstream-http-tls-keystore-password-file`](../reference/cli/subcommands.md#downstream-http-tls-keystore-password-file) option.
139 | - [Specifies the servers](#create-the-known-servers-file) to connect to using the
140 | [`--downstream-http-tls-known-servers-file`](../reference/cli/subcommands.md#downstream-http-tls-known-servers-file) option.
141 |
142 | :::note
143 | The [`--downstream-http-tls-ca-auth-enabled`](../reference/cli/subcommands.md#downstream-http-tls-ca-auth-enabled)
144 | option is `true` by default and allows connections to servers with trusted root CAs.
145 | :::
146 |
147 |
148 |
149 | [Allow all clients with trusted CA certificates to connect]: ../reference/cli/options.md#tls-allow-ca-clients
150 | [Allow any client to connect]: ../reference/cli/options.md#tls-allow-any-client
151 | [Teku]: https://docs.teku.consensys.net/
152 | [Teku tutorial]: https://docs.teku.consensys.net/tutorials/configure-external-signer-tls
153 |
--------------------------------------------------------------------------------
/versioned_docs/version-25.3.0/how-to/load-keys.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Load signing keys
3 | description: Load BLS12-381 and secp256k1 signing keys.
4 | sidebar_position: 3
5 | ---
6 |
7 | # Load signing keys
8 |
9 | import Tabs from '@theme/Tabs';
10 | import TabItem from '@theme/TabItem';
11 |
12 | Load signing keys using a [key configuration file], or bulk load using the [`eth1` and `eth2` subcommands].
13 | Web3Signer supports loading keys with the following methods:
14 |
15 | | Key storage | Key configuration file | Bulk load with `eth1` | Bulk load with `eth2` |
16 | |--------------------------------------|:----------------------:|:---------------------:|:---------------------:|
17 | | [Keystore files] | x | x | x |
18 | | **Vaults** | | | |
19 | | [Hashicorp Vault] | x | | |
20 | | [Azure Key Vault] | x | x | x |
21 | | [AWS Secrets Manager] | x | | x |
22 | | [AWS KMS] | x | x | |
23 | | [GCP Secret Manager] | | | x |
24 | | **Hardware Security Modules (HSMs)** | | | |
25 | | [USB Armory Mk II] | x | | |
26 | | [YubiHSM 2] | x | | |
27 |
28 | :::note
29 | You can bulk load in combination with using key configuration files.
30 | :::
31 |
32 | ## Use key configuration files
33 |
34 | For each signing key, define the parameters to access the key in a [key configuration file].
35 | You can create a separate configuration file for each key, or specify multiple configurations in a
36 | single file by adding a triple-dash separator (`---`) between configurations.
37 |
38 | The configuration file must be YAML-formatted, and can use any naming format, but must have the `.yaml` extension.
39 |
40 | Place one or more key configuration files in a single directory which you specify when starting Web3Signer.
41 | Use the [`--key-store-path`](../reference/cli/options.md#key-store-path) option to specify the
42 | location of the key configuration files.
43 |
44 | ```bash
45 | web3signer --key-store-path=/Users/me/keyFiles/ eth2
46 | ```
47 |
48 | ## Bulk load keys
49 |
50 | ### Azure Key Vault
51 |
52 | You can bulk load keys that are stored in Azure Key Vault using the Web3Signer
53 | [`eth1` subcommand options](../reference/cli/subcommands.md#eth1) or
54 | [`eth2` subcommand options](../reference/cli/subcommands.md#eth2).
55 |
56 | For `eth1` bulk loading, Web3Signer creates Azure keys connections in bulk mode. The Azure keys
57 | connections are used to perform remote signing using SECP keys. Web3Signer does not download the private keys
58 | for `eth1` bulk loading with Azure.
59 |
60 | For `eth2` bulk loading, Web3Signer bulk loads the BLS keys from Azure Secrets. The bulk loading
61 | mode supports loading multiple consensus layer keys from the same Azure secret, if keys are stored with a line
62 | terminating character such as `\n`.
63 | This saves cost when dealing with a large number of keys.
64 | Up to 200 keys can be stored under a secret name.
65 |
66 |
67 |
68 |
69 |
70 | ```bash
71 | web3signer eth2 --azure-vault-enabled=true --azure-client-id=87efaa5b-4029-4b54-98bb2e2e8a11 \
72 | --azure-client-secret=0DgK4V_YA99RPk7.f_1op0-em_a46wSe.Z \
73 | --azure-tenant-id=34255fb0-379b-4a1a-bd47-d211ab86df81 \
74 | --azure-vault-name=AzureKeyVault
75 | ```
76 |
77 |
78 |
79 |
80 | ```bash
81 | web3signer eth1 --azure-vault-enabled=true --azure-client-id=87efaa5b-4029-4b54-98bb2e2e8a11 \
82 | --azure-client-secret=0DgK4V_YA99RPk7.f_1op0-em_a46wSe.Z \
83 | --azure-tenant-id=34255fb0-379b-4a1a-bd47-d211ab86df81 \
84 | --azure-vault-name=AzureKeyVault
85 | ```
86 |
87 |
88 |
89 |
90 | ### AWS Secrets Manager
91 |
92 | You can bulk load consensus layer keys that are stored in AWS Secrets Manager using the Web3Signer
93 | [`eth2` subcommand options](../reference/cli/subcommands.md#eth2).
94 |
95 | The AWS bulk load mode supports loading multiple consensus layer keys from the same secret, if keys
96 | are stored with a line terminating character such as `\n`.
97 | This saves cost when dealing with a large number of keys.
98 | Up to 200 keys can be stored under a secret name.
99 |
100 | ```bash
101 | web3signer eth2 --aws-secrets-enabled=true --aws-secrets-access-key-id=AKIA...EXAMPLE \
102 | --aws-secrets-secret-access-key=sk...EXAMPLE \
103 | --aws-secrets-region=us-east-2
104 | ```
105 |
106 | ### AWS Key Management Service
107 |
108 | You can bulk load execution layer keys that are stored in the AWS Key Management Service (KMS) using
109 | the Web3Signer [`eth1` subcommand options](../reference/cli/subcommands.md#eth1).
110 |
111 | ```bash
112 | web3signer eth1 --aws-kms-enabled=true --aws-kms-access-key-id=AKIA...EXAMPLE \
113 | --aws-kms-secret-access-key=sk...EXAMPLE \
114 | --aws-secrets-region=us-east-2
115 | ```
116 |
117 | ### GCP Secret Manager
118 |
119 | You can bulk load consensus layer keys that are stored in the GCP Secret Manager using
120 | the Web3Signer [`eth2` subcommand options](../reference/cli/subcommands.md#eth2).
121 |
122 | ```bash
123 | web3signer eth2 --gcp-secrets-enabled=true --gcp-project-id=AKIA...EXAMPLE
124 | ```
125 |
126 | ### Keystore files
127 |
128 | You can bulk load consensus layer or execution layer keys that are stored as keystore files using the Web3Signer
129 | [`eth1` subcommand options](../reference/cli/subcommands.md#eth1) or
130 | [`eth2` subcommand options](../reference/cli/subcommands.md#eth2).
131 |
132 |
133 |
134 |
135 |
136 | ```bash
137 | web3signer eth2 --keystores-path=/Users/me/keystores \
138 | --keystores-passwords-path=/Users/me/passwds
139 | ```
140 |
141 |
142 |
143 |
144 | ```bash
145 | web3signer eth1 --keystores-path=/Users/me/keystores \
146 | --keystores-passwords-path=/Users/me/passwds
147 | ```
148 |
149 |
150 |
151 |
152 | Use the `eth1` or `eth2` `--keystores-password-file` or `--keystores-passwords-path` command line option to specify
153 | keystore passwords.
154 |
155 |
156 |
157 | [key configuration file]: ../reference/key-config-file-params.md
158 | [`eth1` and `eth2` subcommands]: ../reference/cli/subcommands.md
159 | [Azure Key Vault]: #azure-key-vault
160 | [AWS Secrets Manager]: #aws-secrets-manager
161 | [keystore files]: #keystore-files
162 | [AWS KMS]: #aws-key-management-service
163 | [GCP Secret Manager]: #gcp-secret-manager
164 | [Hashicorp Vault]: #use-key-configuration-files
165 | [USB Armory Mk II]: #use-key-configuration-files
166 | [YubiHSM 2]: #use-key-configuration-files
167 |
--------------------------------------------------------------------------------
/versioned_docs/version-25.3.0/how-to/manage-keys.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Manage consensus layer signing keys
3 | description: Manage consensus layer signing keys.
4 | sidebar_position: 4
5 | ---
6 |
7 | ## Reload new keys
8 |
9 | import Tabs from '@theme/Tabs';
10 | import TabItem from '@theme/TabItem';
11 |
12 | If you add new keys to an existing set of validators, or modify the key configuration files, reload
13 | the keys to ensure Web3Signer registers the new or modified keys.
14 | Use the [`reload`](https://consensys.github.io/web3signer/web3signer-eth2.html#tag/Reload-Signer-Keys)
15 | endpoint to reload the keys in Web3Signer.
16 |
17 |
18 |
19 |
20 |
21 | ```bash
22 | curl -X POST http://localhost:9000/reload
23 | ```
24 |
25 |
26 |
27 |
28 | ```json
29 | 200 Call is successful
30 | ```
31 |
32 |
33 |
34 |
35 | ## Manage keys using Key Manager API
36 |
37 | You can manage your keys using the [Key Manager API
38 | endpoints](https://consensys.github.io/web3signer/web3signer-eth2.html#tag/Keymanager).
39 | You can [list keys](#list-keys), [import keystores](#import-keystores), and [delete keys](#delete-keys).
40 |
41 | Enable the key manager API by running Web3Signer using the
42 | [`--key-manager-api-enabled`](../reference/cli/subcommands.md#key-manager-api-enabled) subcommand option.
43 |
44 | ### List keys
45 |
46 | List all validating public keys known to and decrypted by the keystore using the
47 | [`list keys` endpoint](https://consensys.github.io/web3signer/web3signer-eth2.html#operation/KEYMANAGER_LIST).
48 |
49 |
50 |
51 |
52 |
53 | ```bash
54 | curl -X GET http://localhost:9000/eth/v1/keystores
55 | ```
56 |
57 |
58 |
59 |
60 | ```json
61 | {
62 | "data": [
63 | {
64 | "validating_pubkey": "0x93247f2209abcacf57b75a51dafae777f9dd38bc7053d1af526f220a7489a6d3a2753e5f3e8b1cfe39b56f43611df74a",
65 | "derivation_path": "m/12381/3600/0/0/0",
66 | "readonly": true
67 | }
68 | ]
69 | }
70 | ```
71 |
72 |
73 |
74 |
75 | ### Import keystores
76 |
77 | Import keystores generated by the consensus layer deposit CLI tooling using the
78 | [`import keystores` endpoint](https://consensys.github.io/web3signer/web3signer-eth2.html#operation/KEYMANAGER_IMPORT).
79 |
80 |
81 |
82 |
83 |
84 | ```bash
85 | curl -X POST http://127.0.0.1:9000/eth/v1/keystores --header "Content-Type: application/json"
86 | --data '{
87 | "keystores": [
88 | "{\"version\":4,\"uuid\":\"9f75a3fa-1e5a-49f9-be3d-f5a19779c6fa\",\"path\":\"m/12381/3600/0/0/0\",\"pubkey\":\"0x93247f2209abcacf57b75a51dafae777f9dd38bc7053d1af526f220a7489a6d3a2753e5f3e8b1cfe39b56f43611df74a\",\"crypto\":{\"kdf\":{\"function\":\"pbkdf2\",\"params\":{\"dklen\":32,\"c\":262144,\"prf\":\"hmac-sha256\",\"salt\":\"8ff8f22ef522a40f99c6ce07fdcfc1db489d54dfbc6ec35613edf5d836fa1407\"},\"message\":\"\"},\"checksum\":{\"function\":\"sha256\",\"params\":{},\"message\":\"9678a69833d2576e3461dd5fa80f6ac73935ae30d69d07659a709b3cd3eddbe3\"},\"cipher\":{\"function\":\"aes-128-ctr\",\"params\":{\"iv\":\"31b69f0ac97261e44141b26aa0da693f\"},\"message\":\"e8228bafec4fcbaca3b827e586daad381d53339155b034e5eaae676b715ab05e\"}}}"
89 | ],
90 | "passwords": [
91 | "ABCDEFGH01234567ABCDEFGH01234567"
92 | ],
93 | "slashing_protection": "{\"metadata\":{\"interchange_format_version\":\"5\",\"genesis_validators_root\":\"0xcf8e0d4e9587369b2301d0790347320302cc0943d5a1884560367e8208d920f2\"},\"data\":[{\"pubkey\":\"0x93247f2209abcacf57b75a51dafae777f9dd38bc7053d1af526f220a7489a6d3a2753e5f3e8b1cfe39b56f43611df74a\",\"signed_blocks\":[],\"signed_attestations\":[]}]}"
94 | }'
95 | ```
96 |
97 |
98 |
99 |
100 | ```json
101 | {
102 | "data": [
103 | {
104 | "status": "imported",
105 | "message": "string"
106 | }
107 | ]
108 | }
109 | ```
110 |
111 |
112 |
113 |
114 | ### Delete keys
115 |
116 | Delete keys using the [`delete keys`
117 | endpoint](https://consensys.github.io/web3signer/web3signer-eth2.html#operation/KEYMANAGER_DELETE).
118 |
119 |
120 |
121 |
122 |
123 | ```bash
124 | curl -X DELETE http://localhost:9000/eth/v1/keystores --data '{"pubkeys": ["0x93247f2209abcacf57b75a51dafae777f9dd38bc7053d1af526f220a7489a6d3a2753e5f3e8b1cfe39b56f43611df74a"]}'
125 | ```
126 |
127 |
128 |
129 |
130 | ```json
131 | {
132 | "data": [
133 | {
134 | "status": "deleted",
135 | "message": "string"
136 | }
137 | ],
138 | "slashing_protection": "{\"metadata\":{\"interchange_format_version\":\"5\",\"genesis_validators_root\":\"0xcf8e0d4e9587369b2301d0790347320302cc0943d5a1884560367e8208d920f2\"},\"data\":[{\"pubkey\":\"0x93247f2209abcacf57b75a51dafae777f9dd38bc7053d1af526f220a7489a6d3a2753e5f3e8b1cfe39b56f43611df74a\",\"signed_blocks\":[],\"signed_attestations\":[]}]}"
139 | }
140 | ```
141 |
142 |
143 |
144 |
--------------------------------------------------------------------------------
/versioned_docs/version-25.3.0/how-to/monitor/_category_.json:
--------------------------------------------------------------------------------
1 | {
2 | "label": "Monitor nodes",
3 | "position": 8,
4 | "link": {
5 | "type": "generated-index",
6 | "slug": "/how-to/monitor"
7 | }
8 | }
9 |
--------------------------------------------------------------------------------
/versioned_docs/version-25.3.0/how-to/monitor/logging.md:
--------------------------------------------------------------------------------
1 | ---
2 | description: Configure Web3Signer's log level settings and log formatting.
3 | sidebar_position: 2
4 | ---
5 |
6 | # Configure logging
7 |
8 | Web3Signer provides two methods to configure logging:
9 |
10 | - [Basic](#basic-log-level-setting) - changes the log level.
11 | - [Advanced](#advanced-custom-logging) - configures the output and format of the logs.
12 |
13 | ## Basic log level setting
14 |
15 | Use the [`--logging`](../../reference/cli/options.md#logging) command line option to specify logging verbosity.
16 | The [`--logging`](../../reference/cli/options.md#logging) option changes the volume of events
17 | displayed in the log.
18 | Valid log levels are `OFF`, `FATAL`, `ERROR`, `WARN`, `INFO`, `DEBUG`, `TRACE`, `ALL`.
19 | The default level is `INFO`.
20 |
21 | ## Advanced custom logging
22 |
23 | You can provide your own logging configuration using the standard Log4J2 configuration mechanisms.
24 |
25 | ```xml
26 |
27 |
28 |
29 | INFO
30 | INFO
31 |
32 |
33 |
34 |
35 |
36 |
37 |
38 |
39 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 |
49 |
50 |
51 |
52 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 | ```
65 |
66 | To use your custom configuration, set the environment variable `JAVA_OPTS` to the location of your
67 | configuration file.
68 |
69 | ```bash
70 | export JAVA_OPTS="-Dlog4j.configurationFile="
71 | ```
72 |
73 | The above is an example, you can tune your requirements and create your own
74 | [log4j2 configuration](https://logging.apache.org/log4j/2.x/manual/configuration.html).
75 |
76 | For Bash-based executions, you can set the variable for only the scope of the program execution by
77 | setting it before starting Web3Signer.
78 |
79 | ```bash title="Set the custom logging and start Web3Signer"
80 | JAVA_OPTS="-Dlog4j.configurationFile=/Users/me/debug.xml" web3signer --key-store-path=/Users/me/keyFiles/ eth2
81 | ```
82 |
--------------------------------------------------------------------------------
/versioned_docs/version-25.3.0/how-to/monitor/metrics.md:
--------------------------------------------------------------------------------
1 | ---
2 | sidebar_label: Use metrics
3 | description: Use metrics to monitor Web3Signer's performance.
4 | sidebar_position: 1
5 | ---
6 |
7 | # Use metrics to monitor performance
8 |
9 | Enable the [Prometheus](https://prometheus.io/) monitoring and alerting service for Web3Signer
10 | metrics using the [`--metrics-enabled`](../../reference/cli/options.md#metrics-enabled) option.
11 |
12 | Web3Signer provides metrics for secp256k1 and BLS12-381 key types.
13 |
14 | ## Install Prometheus
15 |
16 | To use Prometheus with Web3Signer, install the [Prometheus main component](https://prometheus.io/download/).
17 | On MacOS, install with [Homebrew](https://formulae.brew.sh/formula/prometheus):
18 |
19 | ```bash
20 | brew install prometheus
21 | ```
22 |
23 | ## Setting up and running Prometheus with Web3Signer
24 |
25 | To configure Prometheus and run with Web3Signer:
26 |
27 | 1. Configure Prometheus to poll Web3Signer.
28 | For example, add the following YAML fragment to the `scrape_configs` block of the `prometheus.yml` file:
29 |
30 | ```yml title="Example configuration"
31 | global:
32 | scrape_interval: 15s
33 | scrape_configs:
34 | - job_name: "prometheus"
35 | static_configs:
36 | - targets: ["localhost:9090"]
37 | - job_name: "web3signer-dev"
38 | scrape_timeout: 10s
39 | metrics_path: /metrics
40 | scheme: http
41 | static_configs:
42 | - targets: ["localhost:9001"]
43 | ```
44 |
45 | 2. [Start Teku] by specifying the Web3Signer details.
46 |
47 | 3. Start Web3Signer with the [`--metrics-enabled`](../../reference/cli/options.md#metrics-enabled) option.
48 |
49 | ```bash
50 | web3signer --key-store-path=/Users/me/keyFiles/ --metrics-enabled
51 | ```
52 |
53 | The `HTTP`, `SIGNING`, `JVM`, and `PROCESS` metrics categories are enabled by default.
54 | Use the [`--metrics-category`](../../reference/cli/options.md#metrics-category) command line
55 | option to update the available categories.
56 |
57 | 4. In another terminal, run Prometheus specifying the `prometheus.yml` file:
58 |
59 | ```bash
60 | prometheus --config.file=prometheus.yml
61 | ```
62 |
63 | 5. View the [Prometheus graphical interface](#view-prometheus-graphical-interface).
64 |
65 | ## Run Prometheus with Web3Signer in push mode
66 |
67 | The [`--metrics-enabled`](../../reference/cli/options.md#metrics-enabled) option enables Prometheus
68 | polling of Besu, but sometimes metrics are hard to poll (for example, when running inside Docker
69 | containers with varying IP addresses). To enable Besu to push metrics to a
70 | [Prometheus push gateway](https://github.com/prometheus/pushgateway), use
71 | the [`--metrics-push-enabled`](../../reference/cli/options.md#metrics-push-enabled) option.
72 |
73 | To configure Prometheus and run with Web3Signer pushing to a push gateway:
74 |
75 | 1. Configure Prometheus to read from a push gateway. For example, add the following YAML fragment to
76 | the `scrape_configs` block of the `prometheus.yml` file:
77 |
78 | ```yml
79 | - job_name: push-gateway
80 | metrics_path: /metrics
81 | scheme: http
82 | static_configs:
83 | - targets:
84 | - localhost:9091
85 | ```
86 |
87 | 1. Start the push gateway. You can deploy the push gateway using the Docker image:
88 |
89 | ```bash
90 | docker pull prom/pushgateway
91 | docker run -d -p 9091:9091 prom/pushgateway
92 | ```
93 |
94 | 1. Start Web3Signer specifying options:
95 | * [`--metrics-push-enabled`](../../reference/cli/options.md#metrics-push-enabled)
96 | * [`--metrics-push-port`](../../reference/cli/options.md#metrics-push-enabled)
97 | * [`--metrics-push-host`](../../reference/cli/options.md#metrics-push-host)
98 |
99 | 1. In another terminal, run Prometheus specifying the `prometheus.yml` file:
100 |
101 | ```bash
102 | prometheus --config.file=prometheus.yml
103 | ```
104 |
105 | 1. View the [Prometheus graphical interface](#view-prometheus-graphical-interface).
106 |
107 | ## View Prometheus graphical interface
108 |
109 | 1. Open a web browser to `http://localhost:9090` to view the Prometheus graphical interface.
110 |
111 | 2. Choose **Graph** from the menu bar and click the **Console** tab below.
112 |
113 | 3. From the **Insert metric at cursor** drop-down, select a metric and click **Execute**.
114 | The values display.
115 |
116 | The following Web3Signer metrics are available.
117 |
118 | **HTTP API metrics:**
119 |
120 | | Name | Definition |
121 | | --- | --- |
122 | | `_malformed_request_count` | Number of requests received which had illegally formatted body. |
123 | | `_signing_duration` | Duration of a signing event. |
124 | | `_missing_identifier_count` | Number of signing requests for which no keys were available. |
125 | | `signers_loaded_count` | Total number of SECP256k1 and BLS12-381 keys loaded. |
126 | | `signing_private_key_retrieval_time` | Time taken to retrieve BLS signing keys. |
127 |
128 | **Eth2 Slashing protection metrics:**
129 |
130 | | Name | Definition |
131 | | --- | --- |
132 | | `permitted_signings` | The number of slashing checks which have reported 'safe to sign'. |
133 | | `prevented_signings` | The number of prevented signings due to violation of slashing conditions. |
134 |
135 | **Process metrics:**
136 |
137 | | Name | Definition |
138 | | ----------------- | ------------------------------------------ |
139 | | `process_release` | The number of the release version running. |
140 |
141 | ## Visualize collected data
142 |
143 | Use [Grafana] to visualize the collected data. See the sample [Web3Signer Grafana
144 | dashboard](https://grafana.com/grafana/dashboards/13687).
145 |
146 |
147 |
148 | [Start Teku]: https://docs.teku.consensys.net/how-to/use-external-signer/use-web3signer
149 | [Grafana]: https://grafana.com/docs/grafana/latest/guides/getting_started/
150 |
--------------------------------------------------------------------------------
/versioned_docs/version-25.3.0/how-to/run-at-scale.md:
--------------------------------------------------------------------------------
1 | ---
2 | sidebar_label: Run Web3Signer at scale
3 | description: Configure your instance for better performance at scale.
4 | sidebar_position: 8
5 | ---
6 |
7 | # Run Web3Signer at scale
8 |
9 | import Tabs from '@theme/Tabs';
10 | import TabItem from '@theme/TabItem';
11 |
12 | When running Web3Signer at scale with hundreds or thousands of keys, several factors affect attestation
13 | performance on validators. Horizontal scaling reduces request latency on Web3Signer. To maintain low
14 | signing latency and high safety, connect multiple Web3Signer instances to the same slashing database.
15 |
16 | The primary performance cost occurs during startup. More keys increase Web3Signer's startup time, representing
17 | a one-time cost per restart.
18 |
19 | When configuring your environment, consider the startup delay, the number of keys managed, and available system
20 | resources.
21 |
22 | Balancing these factors optimizes system performance and responsiveness. Regular monitoring and tuning
23 | are necessary as the number of managed keys grows or network conditions change.
24 |
25 | ## Database proximity
26 |
27 | The [slashing database](./configure-slashing-protection.md) ensures the safe management of multiple
28 | validators. Optimizing the slashing database reduces latency and overhead, improving overall system performance.
29 |
30 | - **Reduced geographic latency**: Strategically place Web3Signer instances to ensure minimal distance to the slashing protection database.
31 | - **Performance tuning**: Optimize database configurations for rapid access, considering factors such as indexing and connection pooling.
32 |
33 | ## Threading model optimization
34 |
35 | Web3Signer uses [Vertx](https://vertx.io/docs/vertx-core/java/) as its threading framework. While powerful,
36 | Vertx requires proper configuration for optimal performance in different environments. If you encounter
37 | request latency or blocked threads, adjust the [worker pool size](../reference/cli/options.md#vertx-worker-pool-size).
38 |
39 | To manage concurrency, tailor Web3Signer's thread pool size to your expected load. Increase the pool
40 | size if you observe decreased attestation performance during peak signing loads.
41 |
42 | You can implement monitoring tools for dynamic thread adjustments based on current demand and workload.
43 | Measure spikes and adjust the pool accordingly.
44 |
45 | You can use the following [metrics](./monitor/metrics.md):
46 |
47 | - `http_vertx_worker_queue_delay`: The request queue waiting time before processing.
48 | - `http_vertx_worker_pool_completed_total`: The number of queries processed by Web3Signer.
49 |
50 | ## Load balancing
51 |
52 | At scale, deploy multiple Web3Signer instances behind a load balancer. This setup ensures balanced
53 | request distribution. Use an ingress load balancer to spread requests evenly across instances. This
54 | prevents overloading of single instances. Connect all Web3Signer instances to the same slashing database.
55 | This allows parallel signing without slashing risk.
56 |
57 | For more information, see
58 | the [Kiln article](https://www.kiln.fi/post/learnings-from-running-web3signer-at-scale-on-holesky) on
59 | running Web3Signer at scale.
60 |
61 | ## Hardware recommendations
62 |
63 | The Web3Signer team runs nodes managing 10,000 keys on various testnets. For example, a single Azure
64 | Standard D8as v5 VM (8 vCPUs, 32 GiB memory) can host Besu, Teku, and Web3Signer simultaneously.
65 | Your specific use case might require less powerful hardware.
66 |
67 | 
68 |
69 | Web3Signer consumes less than 2 GB of JVM heap while managing 10,000 keys in this setup.
70 |
71 | The test configuration connects one validator client to Web3Signer. Using multiple validator
72 | clients might change resource requirements. Distributing the same 10,000 keys across multiple clients
73 | maintains the total number of requests to Web3Signer.
74 |
--------------------------------------------------------------------------------
/versioned_docs/version-25.3.0/how-to/store-keys/hsm/_category_.json:
--------------------------------------------------------------------------------
1 | {
2 | "label": "Store keys in an HSM device",
3 | "position": 2,
4 | "link": {
5 | "type": "generated-index",
6 | "slug": "/how-to/store-keys/hsm"
7 | }
8 | }
9 |
--------------------------------------------------------------------------------
/versioned_docs/version-25.3.0/how-to/store-keys/hsm/usb-armory.md:
--------------------------------------------------------------------------------
1 | ---
2 | sidebar_label: Use USB Armory Mk II
3 | description: Configure Web3Signer to use a USB Armory Mk II device.
4 | sidebar_position: 2
5 | ---
6 |
7 | # Use Web3Signer with USB Armory Mk II
8 |
9 | :::caution USB Armory Mk II deprecation notice
10 | Web3Signer has deprecated private key storage support on USB Armory Mk II and will remove it in a future release.
11 |
12 | If you need this feature, consider maintaining a fork and submitting pull requests. Alternatively, you can
13 | use an older Web3Signer version that supports these storage mechanisms.
14 | :::
15 |
16 | Web3Signer can sign payloads using private keys stored in a [USB Armory Mk II device].
17 | Users must install the [Interlock application] on the device to enable communication with Web3Signer.
18 |
19 | Web3Signer supports using the device as a secure key storage only.
20 |
21 | **Prerequisites**:
22 |
23 | - Install the [Interlock application] on the [USB Armory Mk II device].
24 |
25 | ## Store private key files in USB Armory
26 |
27 | Perform the following steps to use USB Armory to store signing keys:
28 |
29 | 1. Connect to the Interlock web-based file manager on the device. The default URL is `https://10.0.0.1`.
30 | 1. In the device, create a file for each private key using any naming format, and add the private
31 | key unencrypted to the file contents. The `0x` prefix is optional.
32 | 1. [Configure a signing key configuration file] for each signing key that Web3Signer requires access to.
33 |
34 | :::info important
35 | The [USB Armory Mk II device] only allows one connection at a time.
36 | Ensure you log out of the web-based file manager before using the device with Web3Signer.
37 |
38 | Use the `INTERLOCK_CLIENT_TIMEOUT_MS` environment variable to override the Interlock timeout from Web3Signer.
39 | The default is 5000 ms.
40 | :::
41 |
42 | ## Known server file
43 |
44 | The Interlock application by default uses a self-signed certificate.
45 | Web3Signer automatically creates a known server file to trust the Interlock certificate on first
46 | connection to the Interlock application, and uses the file on subsequent connections.
47 |
48 | :::info important
49 | Web3Signer attempts to create the file using the `knownServersFile` key in the [key configuration file].
50 | Ensure the file location is writable by the Web3Signer process.
51 | :::
52 |
53 | Alternatively you can manually create the file and add the certificate details in the format
54 | `:`
55 |
56 | ```bash
57 | 10.0.0.1:443 DF:65:B8:02:08:5E:91:82:0F:91:F5:1C:96:56:92:C4:1A:F6:C6:27:FD:6C:FC:31:F2:BB:90:17:22:59:5B:50
58 | ```
59 |
60 | After storing keys,
61 | [load keys into Web3Signer using a key configuration file](../../load-keys.md#use-key-configuration-files).
62 |
63 |
64 |
65 | [USB Armory Mk II device]: https://www.withsecure.com/en/solutions/innovative-security-hardware/usb-armory
66 | [Interlock application]: https://github.com/f-secure-foundry/interlock/blob/master/README.md
67 | [Configure a signing key configuration file]: ../../load-keys.md#use-key-configuration-files
68 | [key configuration file]: ../../../reference/key-config-file-params.md#usb-armory-mk-ii
69 |
--------------------------------------------------------------------------------
/versioned_docs/version-25.3.0/how-to/store-keys/hsm/yubihsm2.md:
--------------------------------------------------------------------------------
1 | ---
2 | sidebar_label: Use YubiHSM2
3 | description: Configure Web3Signer to use a YubiHSM 2 device.
4 | sidebar_position: 1
5 | ---
6 |
7 | # Use Web3Signer with YubiHSM 2
8 |
9 | import Tabs from '@theme/Tabs';
10 | import TabItem from '@theme/TabItem';
11 |
12 | :::caution YubiHSM 2 deprecation notice
13 | Web3Signer has deprecated private key storage support on YubiHSM 2 and will remove it in a future release.
14 |
15 | If you need this feature, consider maintaining a fork and submitting pull requests. Alternatively, you can
16 | use an older Web3Signer version that supports these storage mechanisms.
17 | :::
18 |
19 | Web3Signer can sign payloads using private keys stored in the [YubiHSM 2 hardware security module].
20 | Web3Signer supports using the device as a secure key storage only.
21 |
22 | ## Prerequisites
23 |
24 | Install the [YubiHSM 2 SDK] on the Web3Signer machine.
25 |
26 | ## Store private keys in YubiHSM 2
27 |
28 | [Store private keys in the device] using the `opaque-data` algorithm in `hex` format.
29 | All private keys on the device must be accessible using the same authentication key ID and password.
30 |
31 | The following steps show an example of storing a key in YubiHSM:
32 |
33 | 1. Store a private key in YubiHSM with `object-id=3` and `new-password=password3`, using the
34 | YubiHSM default credentials of `authkey=1` and `password=password`:
35 |
36 |
37 |
38 |
39 | ```bash
40 | yubihsm-shell \
41 | --connector=yhusb:// \
42 | --authkey=1 \
43 | --password=password \
44 | --action=put-authentication-key \
45 | --new-password=password3 \
46 | --object-id=3 \
47 | --domains=1,2,3 \
48 | --delegated=exportable-under-wrap,export-wrapped,import-wrapped \
49 | --capabilities=get-opaque,put-opaque,delete-opaque,export-wrapped,get-pseudo-random,put-wrap-key,import-wrapped
50 | ```
51 |
52 |
53 |
54 |
55 | ```bash
56 | Created session 0
57 | Stored Authentication key 0x0003
58 | ```
59 |
60 |
61 |
62 |
63 | 2. Put the opaque data using `authkey=3` with the opaque `object-ID=15`:
64 |
65 |
66 |
67 |
68 | ```bash
69 | yubihsm-shell \
70 | --connector=yhusb:// \
71 | --authkey=3 \
72 | --password=password3 \
73 | --action=put-opaque \
74 | --object-id=15 \
75 | --label="bls_key_1" \
76 | --domains=1,2,3 \
77 | --algorithm=opaque-data \
78 | --capabilities=none \
79 | --informat=hex --in=5e8d5667ce78982a07242739ab03dc63c91e830c80a5b6adca777e3f216a405d
80 | ```
81 |
82 |
83 |
84 |
85 | ```bash
86 | Session keepalive set up to run every 15 seconds
87 | Created session 0
88 | Stored 32 bytes to Opaque object 0x000f
89 | ```
90 |
91 |
92 |
93 |
94 | 3. Use `authkey=1` to view the inserted data:
95 |
96 |
97 |
98 |
99 | ```bash
100 | yubihsm-shell \
101 | --connector=yhusb:// \
102 | --authkey=1 \
103 | --password=password \
104 | --action=get-opaque \
105 | --object-id=15 \
106 | --outformat=hex
107 | ```
108 |
109 |
110 |
111 |
112 | ```bash
113 | Session keepalive set up to run every 15 seconds
114 | Created session 0
115 | 5e8d5667ce78982a07242739ab03dc63c91e830c80a5b6adca777e3f216a405d
116 | ```
117 |
118 |
119 |
120 |
121 | 4. Identify the location of the `yubihsm_pkcs11` dynamic library.
122 | For example, on Mac, it is installed at `/usr/local/lib/pkcs11/yubihsm_pkcs11.dylib` using the
123 | latest YubiHSM release.
124 |
125 | :::info Note for Mac only
126 | Due to a bug in how the YubiHSM libraries are generated, copy the file to the parent directory (`/usr/local/lib`):
127 |
128 | ```bash
129 | sudo cp /usr/local/lib/pkcs11/yubihsm_pkcs11.dylib /usr/local/lib/
130 | ```
131 |
132 | Create a soft link in the directory from where Web3Signer is running:
133 |
134 | ```bash
135 | ln -s /usr/local/lib/libyubihsm_usb.2.dylib ./libyubihsm_usb.2.dylib
136 | ```
137 |
138 | :::
139 |
140 | 5. Create a [key configuration file for YubiHSM](../../../reference/key-config-file-params.md#yubihsm-2)
141 | in the `keys` subdirectory.
142 |
143 | ```bash
144 | type: yubihsm
145 | connectorUrl: yhusb://
146 | authId: 3
147 | password: password3
148 | opaqueDataId: 15
149 | pkcs11ModulePath: /usr/local/lib/yubihsm_pkcs11.dylib
150 | additionalInitConfig: debug libdebug timeout=5
151 | ```
152 |
153 | 6. Specify the `key-store-path` as the `keys` subdirectory when starting Web3Signer.
154 |
155 | The output displayed indicates one key has been loaded:
156 |
157 | ```bash
158 | 2023-10-04 15:30:27.761+10:00 | pool-2-thread-1 | INFO | SignerLoader | Converting signing metadata to Artifact Signer using parallel streams ...
159 | [P11 - INF 15:30:27.769485] yubihsm_pkcs11.c:266 (C_Initialize): Found 1 configured connector(s)
160 | [LIB - INF 15:30:27.769505] yubihsm.c:4426 (yh_init_connector): Loading usb backend
161 | [LIB - INF 15:30:27.770065] yubihsm_libusb.c:61 (backend_create): backend_create
162 | [LIB - INF 15:30:27.772352] yubihsm_usb.c:48 (backend_connect): backend_connect
163 | [LIB - INF 15:30:27.772364] lib_util.c:178 (parse_usb_url): USB url parsed with serial decimal 0.
164 | ...
165 | 2023-10-04 15:30:28.176+10:00 | pool-2-thread-1 | INFO | DefaultArtifactSignerProvider | Total signers (keys) currently loaded in memory: 1
166 | ```
167 |
168 | ## PKCS#11 driver
169 |
170 | To communicate with the YubiHSM 2 device, Web3Signer uses the PKCS#11 driver to load the
171 | [PKCS#11 module] in the SDK.
172 |
173 | :::info Important
174 | A limitation of the PKCS#11 driver is that it communicates with only one device by loading one
175 | instance of the PKCS#11 module.
176 | If using multiple YubiHSM 2 devices then you must have additional copies of the SDK installation.
177 |
178 | Additionally, the loaded PKCS#11 module can open only one session when communicating with a YubiHSM
179 | 2 device.
180 | Because [key configuration files] are parsed in parallel, the same authentication key ID and
181 | password must be specified in the [key configuration files] for a given device.
182 | :::
183 |
184 |
185 |
186 | [YubiHSM 2 hardware security module]: https://developers.yubico.com/YubiHSM2/
187 | [Store private keys in the device]: https://developers.yubico.com/YubiHSM2/Commands/Put_Opaque.html
188 | [YubiHSM 2 SDK]: https://developers.yubico.com/YubiHSM2/Releases/
189 | [PKCS#11 module]: https://developers.yubico.com/YubiHSM2/Component_Reference/PKCS_11/
190 | [key configuration files]: ../../../reference/key-config-file-params.md#yubihsm-2
191 |
--------------------------------------------------------------------------------
/versioned_docs/version-25.3.0/how-to/store-keys/index.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Store signing keys
3 | description: Store BLS12-381 and secp256k1 signing keys in Web3Signer.
4 | sidebar_position: 2
5 | keywords: [Hashicorp Vault, Azure Key Vault, AWS Secrets Manager, GCP Secret Manager, YubiHSM, USB Armory Mk II]
6 | ---
7 |
8 | # Store signing keys
9 |
10 | import Tabs from '@theme/Tabs';
11 | import TabItem from '@theme/TabItem';
12 |
13 | :::caution YubiHSM 2 and USB Armory Mk II deprecation notice
14 | Web3Signer has deprecated private key storage support on USB Armory Mk II and YubiHSM 2, and will remove it in a future release.
15 |
16 | If you need this feature, consider maintaining a fork and submitting pull requests. Alternatively, you can
17 | use an older Web3Signer version that supports these storage mechanisms.
18 | :::
19 |
20 | Web3Signer supports BLS12-381 (`Eth2`) or secp256k1 (`Eth1`) signing keys stored in the following ways:
21 |
22 | | Key storage | SECP256K1 | BLS |
23 | |--------------------------------------|:---------:|:---:|
24 | | Raw files | x | x |
25 | | [Keystore files] | x | x |
26 | | **Vaults** | | |
27 | | [Hashicorp Vault] | x | x |
28 | | [Azure Key Vault] | x | x |
29 | | [AWS Secrets Manager] | | x |
30 | | [AWS KMS] | x | |
31 | | [GCP Secret Manager] | | x |
32 | | **Hardware Security Modules (HSMs)** | | |
33 | | [YubiHSM 2] | x | x |
34 | | [USB Armory Mk II] | x | x |
35 |
36 | Web3Signer supports `Eth1` signing from HSMs and vaults, but must load private keys into memory for `Eth2` signing.
37 | Follow [best practices](../../get-started/key-best-practices.md) when storing private keys.
38 |
39 | After storing keys, [load keys into Web3Signer](../load-keys.md).
40 |
41 |
42 |
43 | [Keystore files]: https://github.com/ethereum/EIPs/blob/master/EIPS/eip-2335.md
44 | [HashiCorp Vault]: vaults/hashicorp.md
45 | [Azure Key Vault]: vaults/azure.md
46 | [AWS Secrets Manager]: vaults/aws/secrets-manager-consensus-layer.md
47 | [AWS KMS]: vaults/aws/kms-execution-layer.md
48 | [GCP Secret Manager]: vaults/gcp.md
49 | [YubiHSM 2]: hsm/yubihsm2.md
50 | [USB Armory Mk II]: hsm/usb-armory.md
51 |
--------------------------------------------------------------------------------
/versioned_docs/version-25.3.0/how-to/store-keys/vaults/_category_.json:
--------------------------------------------------------------------------------
1 | {
2 | "label": "Store keys in an external vault",
3 | "position": 1,
4 | "link": {
5 | "type": "generated-index",
6 | "slug": "/how-to/store-keys/vaults"
7 | }
8 | }
9 |
--------------------------------------------------------------------------------
/versioned_docs/version-25.3.0/how-to/store-keys/vaults/aws/_category_.json:
--------------------------------------------------------------------------------
1 | {
2 | "label": "Use AWS",
3 | "position": 3,
4 | "link": {
5 | "type": "generated-index",
6 | "slug": "/how-to/store-keys/vaults/aws"
7 | }
8 | }
9 |
--------------------------------------------------------------------------------
/versioned_docs/version-25.3.0/how-to/store-keys/vaults/aws/kms-execution-layer.md:
--------------------------------------------------------------------------------
1 | ---
2 | sidebar_label: Use AWS Key Management Service
3 | description: Sign execution layer transactions with keys stored in AWS Key Management Service(KMS).
4 | sidebar_position: 2
5 | ---
6 |
7 | # Use Web3Signer with AWS Key Management Service
8 |
9 | Web3Signer supports execution layer signing with secp256k1 keys stored in
10 | [AWS Key Management Service (KMS)](https://aws.amazon.com/kms/).
11 |
12 | The [AWS KMS documentation](https://aws.amazon.com/kms/getting-started/)
13 | provides the information you need to get started.
14 |
15 | ## Load keys from AWS KMS
16 |
17 | Keys stored in AWS KMS can be loaded into Web3Signer by:
18 |
19 | * Using a [key configuration file](../../../load-keys.md#use-key-configuration-files).
20 | * Bulk loading using the [`eth1` subcommand](../../../load-keys.md#aws-key-management-service).
21 |
22 | ## Cache AWS KMS when loading multiple keys
23 |
24 | When loading multiple keys from AWS KMS, the AWS client is created each time.
25 | You can improve performance by caching and reusing the same AWS KMS for each key that
26 | uses the same access key ID and region.
27 |
28 | Set the [`eth1 --aws-connection-cache-size`](../../../../reference/cli/subcommands.md#aws-connection-cache-size-1)
29 | option to the maximum number of AWS KMS connections to cache.
30 | The default is `1`.
31 |
--------------------------------------------------------------------------------
/versioned_docs/version-25.3.0/how-to/store-keys/vaults/aws/secrets-manager-consensus-layer.md:
--------------------------------------------------------------------------------
1 | ---
2 | sidebar_label: Use AWS Secrets Manager
3 | description: Sign consensus layer transactions with keys stored in AWS Secrets Manager.
4 | sidebar_position: 1
5 | ---
6 |
7 | # Use Web3Signer with AWS Secrets Manager
8 |
9 | Web3Signer supports consensus layer signing with BLS private keys stored as secrets in [AWS Secrets
10 | Manager](https://aws.amazon.com/secrets-manager/).
11 |
12 | The [AWS Secrets Manager documentation](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html)
13 | provides the information you need to get started.
14 |
15 | ## Store a private key in AWS Secrets Manager
16 |
17 | You need an AWS profile to use AWS Secrets Manager.
18 |
19 | Use the [Create a secret](https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_create-basic-secret.html)
20 | guide to store a new key in AWS Secrets Manager.
21 |
22 | The following is an example of creating and storing a BLS private key in AWS Secrets Manager, using Java:
23 |
24 | ```java
25 | final String AWS_REGION = "us-east-2";
26 | final String SECRET_VALUE = "0x60b420####################################################25f41d";
27 | final SecretsManagerClient secretsManagerClient =
28 | SecretsManagerClient.builder()
29 | .region(Region.of(AWS_REGION))
30 | .build();
31 | final String secretNamePrefix = "web3signer-aws-integration/";
32 | final String secretName = secretNamePrefix + UUID.randomUUID();
33 | final CreateSecretRequest secretRequest =
34 | CreateSecretRequest.builder().name(secretName).secretString(SECRET_VALUE).build();
35 | secretsManagerClient.createSecret(secretRequest);
36 | ```
37 |
38 | You can also store multiple BLS private keys under same secret name when using
39 | [AWS bulk loading mode](../../../load-keys.md#aws-secrets-manager).
40 |
41 | The keys must be separated with a line terminating character such as `\n`.
42 | This saves cost when dealing with a large number of keys. Up to 200 keys can be stored under same
43 | secret name.
44 |
45 | The following Java program modifies the previous example to store two BLS keys under same secret name:
46 |
47 | ```java
48 | final String AWS_REGION = "us-east-2";
49 | final String SECRET_VALUE = "0x60b420####################################################25f41d\n" +
50 | "0x73d51a####################################################85aba8";
51 | final SecretsManagerClient secretsManagerClient =
52 | SecretsManagerClient.builder()
53 | .region(Region.of(AWS_REGION))
54 | .build();
55 | final String secretNamePrefix = "web3signer-aws-integration/";
56 | final String secretName = secretNamePrefix + UUID.randomUUID();
57 | final CreateSecretRequest secretRequest =
58 | CreateSecretRequest.builder().name(secretName).secretString(SECRET_VALUE).build();
59 | secretsManagerClient.createSecret(secretRequest);
60 | ```
61 |
62 | Specify the following when [configuring the signing key configuration file](../../../load-keys.md#use-key-configuration-files):
63 |
64 | - Authentication mode.
65 | Valid options are `ENVIRONMENT` and `SPECIFIED`.
66 | If using `ENVIRONMENT`, credentials are authenticated using the [default credential provider
67 | chain](https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html#credentials-default).
68 | - Secret name.
69 | - Region to connect to.
70 |
71 | ## Cache AWS Secrets Manager when loading multiple keys
72 |
73 | When loading multiple keys from AWS Secrets Manager, the AWS client is created each time.
74 | You can improve performance by caching and reusing the same AWS Secrets Manager for each key that
75 | uses the same access key ID and region.
76 |
77 | Set the [`eth2 --aws-connection-cache-size`](../../../../reference/cli/subcommands.md#aws-connection-cache-size)
78 | option to the maximum number of AWS Secrets Manager connections to cache.
79 | The default is `1`.
80 |
81 | After storing keys, [load keys into Web3Signer using a key configuration file, or bulk loading keys](../../../load-keys.md).
82 |
--------------------------------------------------------------------------------
/versioned_docs/version-25.3.0/how-to/store-keys/vaults/azure.md:
--------------------------------------------------------------------------------
1 | ---
2 | sidebar_label: Use Azure Key Vault
3 | description: Store keys in Azure Key Vault.
4 | sidebar_position: 2
5 | ---
6 |
7 | # Use Web3Signer with Azure Key Vault
8 |
9 | Web3Signer supports using [Azure Key Vault](https://azure.microsoft.com/en-au/services/key-vault/)
10 | to sign payloads in the following ways:
11 |
12 | - Using Azure Key Vault to perform the signing operation. Supports SECP256K1 signing keys only.
13 | - Fetching the keys from Azure Key Vault and signing locally.
14 |
15 | Web3Signer supports the following authentication modes:
16 |
17 | - [Azure Active Directory managed identity]:
18 | - System-assigned identities
19 | - User-assigned identities
20 | - [Client secret].
21 |
22 | :::info Important
23 | The Azure Active Directory managed identity authentication modes can only be used when fetching keys
24 | from Azure Key Vault and signing locally with Web3Signer.
25 | :::
26 |
27 | ## Store a private key in Azure Key Vault
28 |
29 | [Register Web3Signer as an application] and [add a signing key in Azure Key Vault].
30 |
31 | Take note of the following to specify when [configuring the signing key configuration file] or
32 | [bulk loading signing keys]:
33 |
34 | - Vault name, which is part of the URL (for example `https://.vault.azure.net`).
35 | - Client credentials, which can include:
36 | - Client ID
37 | - Client secret
38 | - Tenant ID
39 |
40 | :::note
41 | Depending on the authentication mode, not all client credentials are available.
42 | :::
43 |
44 | - Key name, which is the name of the secret.
45 |
46 | After storing keys, [load keys into Web3Signer using a key configuration file, or bulk loading keys](../../load-keys.md).
47 |
48 |
49 |
50 | [configuring the signing key configuration file]: ../../load-keys.md#use-key-configuration-files
51 | [bulk loading signing keys]: ../../load-keys.md#azure-key-vault
52 | [Register Web3Signer as an application]: https://docs.microsoft.com/en-us/azure/key-vault/general/authentication
53 | [add a signing key in Azure Key Vault]: https://docs.microsoft.com/en-us/azure/key-vault/secrets/quick-create-portal#add-a-secret-to-key-vault
54 | [Client secret]: https://docs.microsoft.com/en-us/azure/key-vault/secrets/about-secrets
55 | [Azure Active Directory managed identity]: https://docs.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=dotnet
56 |
--------------------------------------------------------------------------------
/versioned_docs/version-25.3.0/how-to/store-keys/vaults/gcp.md:
--------------------------------------------------------------------------------
1 | ---
2 | sidebar_label: Use GCP Secret Manager
3 | description: Sign consensus layer transactions with keys stored in GCP Secret Manager.
4 | sidebar_position: 3
5 | ---
6 |
7 | # Use Web3Signer with Google Cloud Platform Secret Manager
8 |
9 | Web3Signer supports consensus layer signing with BLS keys stored in
10 | [Google Cloud Platform (GCP) Secret Manager](https://cloud.google.com/secret-manager).
11 |
12 | The [GCP Secret Manager documentation](https://cloud.google.com/secret-manager/docs)
13 | provides the information you need to get started.
14 |
15 | ## Authentication
16 |
17 | Web3Signer uses [Application Default Credentials (ADC)](https://cloud.google.com/docs/authentication#adc)
18 | to authenticate with GCP Secret Manager. ADC automatically finds credentials and manages token retrieval, enabling
19 | the authentication code to operate across various deployment options without modification.
20 |
21 | ## Load keys from GCP Secret Manager
22 |
23 | Load keys stored in GCP Secret Manager into Web3Signer using the [`eth2` subcommand](../../load-keys.md#gcp-secret-manager)
24 | to bulk load keys.
25 |
--------------------------------------------------------------------------------
/versioned_docs/version-25.3.0/how-to/store-keys/vaults/hashicorp.md:
--------------------------------------------------------------------------------
1 | ---
2 | sidebar_label: Use HashiCorp Vault
3 | description: Store keys in HashiCorp Vault.
4 | sidebar_position: 1
5 | ---
6 |
7 | # Use Web3Signer with HashiCorp Vault
8 |
9 | import Tabs from '@theme/Tabs';
10 | import TabItem from '@theme/TabItem';
11 |
12 | Web3Signer supports storing the signing key in [HashiCorp Vault](https://www.hashicorp.com/products/vault/).
13 |
14 | ## Store a private key in HashiCorp Vault
15 |
16 | After installing [HashiCorp Vault](https://learn.hashicorp.com/vault/getting-started/install) and
17 | [starting the server](https://learn.hashicorp.com/vault/getting-started/dev-server):
18 |
19 |
20 |
21 | 1. Set the `VAULT_ADDR` environment variable using the command displayed after starting the server:
22 |
23 | ```bash
24 | export VAULT_ADDR='http://127.0.0.1:8200'
25 | ```
26 |
27 | 2. Copy or save the root token displayed after starting the server in a file.
28 |
29 | 3. Enable the secret mount point using [KV v2 engine](https://www.vaultproject.io/docs/secrets/kv/kv-v2).
30 | Using Vault CLI, enable the KV v2 `secret` mount point:
31 |
32 | ```bash
33 | vault secrets enable -path=secret kv-v2
34 | ```
35 |
36 | :::note
37 | Use `kv-v2` type as indicated in KV v2 doc. Web3Signer only works with v2 secrets.
38 | :::
39 |
40 | If the engine used is V2, the secret is versioned and you can see the metadata with version field:
41 |
42 | ```bash
43 | vault kv get /secret/web3signerSigningKey
44 | ```
45 |
46 |
47 |
48 |
49 |
50 | ```text
51 | ====== Metadata ======
52 | Key Value
53 | --- -----
54 | created_time 2020-11-27T10:15:59.91752Z
55 | deletion_time n/a
56 | destroyed false
57 | version 1
58 |
59 | ==== Data ====
60 | Key Value
61 | --- -----
62 | value 17079f966aa2d5db1678ed32467165bbbd640868e7371ade8d5812ea856d2bbf
63 | ```
64 |
65 |
66 |
67 |
68 | ```text
69 | ==== Data ====
70 | Key Value
71 | --- -----
72 | value 17079f966aa2d5db1678ed32467165bbbd640868e7371ade8d5812ea856d2bbf
73 | ```
74 |
75 |
76 |
77 |
78 | 4. [Write the key in HashiCorp Vault](https://learn.hashicorp.com/vault/getting-started/first-secret)
79 | as a hex string (without `0x` prefix):
80 |
81 |
82 |
83 |
84 |
85 | ```bash
86 | vault kv put secret/web3signerSigningKey value=
87 | ```
88 |
89 |
90 |
91 |
92 | ```bash
93 | vault kv put secret/web3signerSigningKey value=17079f966aa2d5db1678ed32467165bbbd640868e7371ade8d5812ea856d2bbf
94 | ```
95 |
96 |
97 |
98 |
99 | ## Create the known servers file
100 |
101 | The known servers file is required if TLS is enabled, to disable TLS set
102 | [`tlsEnabled`](../../../reference/key-config-file-params.md#hashicorp-vault) to `false`.
103 |
104 | Specify the location of the known servers file in the
105 | [`tlsKnownServersPath`](../../../reference/key-config-file-params.md#hashicorp-vault) option of the
106 | [signing key configuration file].
107 |
108 | The file contents use the format `:` where:
109 |
110 | - `` is the server hostname.
111 | - `` is the port used for communication.
112 | - `` is the SHA-256 fingerprint of the server's certificate.
113 |
114 | ```
115 | localhost:8200 7C:B3:3E:F9:98:43:5E:62:69:9F:A9:9D:41:14:03:BA:83:24:AC:04:CE:BD:92:49:1B:8D:B2:A4:86:39:4C:BB
116 | 127.0.0.1:8200 7C:B3:3E:F9:98:43:5E:62:69:9F:A9:9D:41:14:03:BA:83:24:AC:04:CE:BD:92:49:1B:8D:B2:A4:86:39:4C:BB
117 | ```
118 |
119 | [Start Web3Signer and specify the location of the signing key configuration file].
120 |
121 |
122 |
123 | [signing key configuration file]: ../../load-keys.md#use-key-configuration-files
124 | [Start Web3Signer and specify the location of the signing key configuration file]: ../../../get-started/start-web3signer.md
125 |
126 |
127 |
--------------------------------------------------------------------------------
/versioned_docs/version-25.3.0/how-to/use-configuration-file-starting-web3signer.md:
--------------------------------------------------------------------------------
1 | ---
2 | sidebar_label: Use a configuration file for starting Web3Signer
3 | description: Use the Web3Signer configuration file.
4 | sidebar_position: 5
5 | ---
6 |
7 | # Use the Web3Signer configuration file
8 |
9 | Use a YAML configuration file to specify command line options in a file.
10 |
11 | Save the configuration file and reuse it across node startups. Use the
12 | [`--config-file`](../reference/cli/options.md#config-file) option to specify the configuration file location.
13 |
14 | To override an option specified in the configuration file, either specify the same option on the
15 | command line or as an [environment variable](../reference/cli/options.md#specify-options).
16 | For options specified in more than one place, the order of precedence is command line, environment
17 | variable, configuration file.
18 |
19 | ## YAML specification
20 |
21 | The configuration file must be a valid YAML file composed of key/value pairs.
22 | Each key is the same as the corresponding command line option name without the leading dashes (`--`).
23 | For [subcommand options], prefix the key with the name of the subcommand.
24 | For example, `eth1.network=`
25 |
26 | :::info
27 | You can't specify subcommands in the configuration file, you can only specify a subcommand's
28 | associated options.
29 | You must specify the signing key subcommand on the command line.
30 | :::
31 |
32 | Values must conform to YAML specifications for string, numbers, arrays, and booleans.
33 | Specific differences between the command line and the YAML file format are:
34 |
35 | - Comma-separated lists on the command line are string arrays in the YAML file.
36 | - Enclose file paths, hexadecimal numbers, URLs, and <host:port> values in quotes.
37 |
38 | :::tip
39 | The [command line reference](../reference/cli/options.md) includes configuration file examples for each option.
40 | :::
41 |
42 | ```yaml title="Sample YAML configuration file"
43 | # Chain
44 | eth1.chain-id: 2017
45 |
46 | # Signing key locations
47 | key-store-path: "/Users/me/keys"
48 | ```
49 |
50 | Start Web3Signer with a configuration file:
51 |
52 | ```bash
53 | web3signer --config-file=/home/me/config.yaml eth1
54 | ```
55 |
56 |
57 |
58 | [subcommand options]: ../reference/cli/subcommands.md
59 |
--------------------------------------------------------------------------------
/versioned_docs/version-25.3.0/index.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Web3Signer
3 | description: Web3Signer is an open-source remote signing service for Ethereum.
4 | sidebar_position: 1
5 | slug: /
6 | keywords: [Ethereum remote signer service, external vault support, HSM device support]
7 | ---
8 |
9 | # Web3Signer
10 |
11 | :::caution YubiHSM 2 and USB Armory Mk II deprecation notice
12 | Web3Signer has deprecated private key storage support on USB Armory Mk II and YubiHSM 2, and will remove it in a future release.
13 |
14 | If you need this feature, consider maintaining a fork and submitting pull requests. Alternatively, you can
15 | use an older Web3Signer version that supports these storage mechanisms.
16 | :::
17 |
18 | Web3Signer is an open-source remote signing service developed under the Apache 2.0 license and written in Java.
19 |
20 | ## What can you do with Web3Signer?
21 |
22 | Web3Signer can sign on multiple platforms using private keys stored in an external vault, or encrypted on a disk.
23 |
24 | Web3Signer can sign payloads using secp256k1 and BLS12-381 signing keys, and supports the following platforms:
25 |
26 | - Execution layer (formerly called Ethereum 1.0)
27 | - Consensus layer (formerly called Ethereum 2.0).
28 |
29 | ## New to Web3Signer?
30 |
31 | Get started by running Web3Signer with Docker or installing Web3Signer. You can:
32 |
33 | - [Run Web3Signer from a Docker image](get-started/use-docker.md)
34 | - [Install the binary distribution](get-started/install-binaries.md)
35 | - [Build from source](get-started/build-from-source.md)
36 |
--------------------------------------------------------------------------------
/versioned_docs/version-25.3.0/reference/api/_category_.json:
--------------------------------------------------------------------------------
1 | {
2 | "label": "APIs",
3 | "position": 2,
4 | "link": {
5 | "type": "generated-index",
6 | "slug": "/reference/api"
7 | }
8 | }
9 |
--------------------------------------------------------------------------------
/versioned_docs/version-25.3.0/reference/api/rest.md:
--------------------------------------------------------------------------------
1 | ---
2 | description: Use for signing consensus layer payloads
3 | sidebar_position: 2
4 | ---
5 |
6 | # Web3Signer REST API
7 |
8 | The Web3Signer REST API contains an ETH2 (that is, consensus layer) API, and an ETH1 (that is, execution layer) API.
9 | Use the ETH2 API for signing consensus layer payloads.
10 |
11 | We recommend using the [Web3Signer JSON-RPC API](json-rpc.md) for signing execution layer payloads. The ETH1 REST API
12 | contains a basic signing method but does not implement transaction encoding or create an Ethereum signature.
13 |
14 | ## View the REST API documentation
15 |
16 | View the [REST API documentation] for more information about the available APIs.
17 |
18 | ## Enable Swagger UI
19 |
20 | You can interact with APIs using [Swagger UI].
21 | To do this, set [`--swagger-ui-enabled`](../cli/options.md#swagger-ui-enabled) to `true`.
22 |
23 | Access Swagger UI at `http::/swagger-ui` where:
24 |
25 | - `interface` is specified using [`--http-listen-host`](../cli/options.md#http-listen-host).
26 | - `port` is specified using [`http-listen-port`](../cli/options.md#http-listen-port).
27 |
28 | The default location is `http://localhost:9000/swagger-ui`.
29 |
30 | You can also use tools such as [Postman] or [curl] to interact with Web3Signer APIs.
31 |
32 |
33 |
34 | [REST API documentation]: https://consensys.github.io/web3signer/
35 | [Postman]: https://www.postman.com/
36 | [curl]: https://curl.haxx.se/
37 | [Swagger UI]: https://swagger.io/tools/swagger-ui/
38 |
--------------------------------------------------------------------------------
/versioned_docs/version-25.3.0/reference/cli/_category_.json:
--------------------------------------------------------------------------------
1 | {
2 | "label": "Command line",
3 | "position": 1,
4 | "link": {
5 | "type": "generated-index",
6 | "slug": "/reference/cli"
7 | }
8 | }
9 |
--------------------------------------------------------------------------------
/versioned_docs/version-25.3.0/reference/security-disclosure.md:
--------------------------------------------------------------------------------
1 | ---
2 | description: Web3signer security disclosure policy statement
3 | sidebar_position: 4
4 | ---
5 |
6 | # Security disclosure policy
7 |
8 | At Consensys, security is a priority. But regardless of how much effort is put into system security, there may still be vulnerabilities present.
9 | If you discover a vulnerability, we want to know about it so we can take steps to address it as quickly as possible.
10 | You can help us better protect our clients and our systems.
11 |
12 | Please do the following:
13 |
14 | - Email your findings to `security-quorum@consensys.net`. Provide sufficient information to reproduce the problem, so we can resolve it as quickly as possible.
15 | - Do not take advantage of the vulnerability you have discovered.
16 | - Practice responsible disclosure. That is, don’t reveal the problem to others until either:
17 | - We have released a fix for the disclosure, or
18 | - 90 days have passed, or
19 | - We waive responsible disclosure.
20 |
21 | We will acknowledge receipt of your vulnerability report the next business day and send you regular updates about our progress.
22 |
--------------------------------------------------------------------------------
/versioned_docs/version-25.3.0/tutorials/load-launchpad-keystores.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Load Launchpad keystores
3 | description: Load keystores generated using the consensus layer Launchpad tool.
4 | sidebar_position: 1
5 | ---
6 |
7 | # Load Launchpad keystores
8 |
9 | The Staking Launchpad tool is used to create validators that participate in the consensus layer
10 | proof-of-stake network. The tool generates an encrypted keystore file containing the validator details.
11 | Load this keystore into Web3Signer to sign attestations and blocks with the validator details.
12 |
13 | This tutorial uses Teku and Web3Signer to run validators created on the `holesky` testnet.
14 |
15 | **Prerequisites**:
16 |
17 | - [Teku installed].
18 | - [Web3Signer installed].
19 | - Web3Signer [slashing protection database].
20 |
21 | ## 1. Sync the Teku beacon node
22 |
23 | Sync the Teku beacon chain node before submitting your deposit to avoid incurring inactivity
24 | penalties if the validator is unable to perform its duties when the deposit is processed and activated.
25 |
26 | ```bash
27 | teku --network=holesky --metrics-enabled --rest-api-enabled
28 | ```
29 |
30 | ## 2. Generate validators
31 |
32 | This step generates a validator on the `holesky` testnet.
33 | Use the [Holeksy Staking Launchpad](https://holesky.launchpad.ethereum.org/en/) and follow the
34 | step-by-step process to deposit your funds and generate the keystore.
35 |
36 | The process includes installing the consensus layer deposit CLI tool, to generate your validator
37 | keystores locally.
38 | Keystores are generated in the `eth2deposit-cli-/validator_keys` folder.
39 | In this example we generated a keystore named `keystore-m_12381_3600_0_0_0-1606109670.json`
40 |
41 | :::caution important
42 | Remember the password used to create the keystore because you'll need it later.
43 | :::
44 |
45 | ## 3. Create password file
46 |
47 | Create a plain text file that stores the password to decrypt the keystore.
48 | In this example we create the `keystore-m_12381_3600_0_0_0-1606109670.txt` file in the
49 | `eth2deposit-cli-/validator_keys` directory:
50 |
51 | ```txt title="keystore-m_12381_3600_0_0_0-1606109670.txt"
52 | validatorPassword
53 | ```
54 |
55 | :::note
56 | If using Linux or macOS, we recommend setting the file ownership and permission to `400` for
57 | the user running Web3Signer.
58 | :::
59 |
60 | ## 4. Create the key configuration file
61 |
62 | Create a [key configuration file] for each keystore file.
63 | The key configuration file defines the type of signing key being used, and access details.
64 | Store all key configuration files in a single directory.
65 | In this example, the files are stored in `Users/me/keys`:
66 |
67 | ```yaml title="validator.yaml"
68 | type: "file-keystore"
69 | keystoreFile: "/Users/me/eth2deposit-cli-ed5a6d3-darwin-amd64/validator_keys/validator_keys/keystore-m_12381_3600_0_0_0-1606109670.json"
70 | keystorePasswordFile: "/Users/me/eth2deposit-cli-ed5a6d3-darwin-amd64/validator_keys/validator_keys/keystore-m_12381_3600_0_0_0-1606109670.txt"
71 | ```
72 |
73 | :::caution important
74 | The configuration files must be YAML-formatted.
75 | You can use any naming format, but it must have the `.yaml` extension.
76 | :::
77 |
78 | ## 5. Start Web3Signer
79 |
80 | Start Web3Signer and specify the location of the key configuration files and [slashing protection database].
81 |
82 | ```bash
83 | web3signer --key-store-path=/Users/me/keys eth2 --network=holesky --slashing-protection-db-url="jdbc:postgresql://localhost/web3signer" --slashing-protection-db-username=postgres --slashing-protection-db-password=password
84 | ```
85 |
86 | :::note
87 | Set the [`--slashing-protection-enabled`](../reference/cli/subcommands.md#slashing-protection-enabled)
88 | `eth2` subcommand option to `false` to disable slashing protection.
89 | However, we don't recommend this on Mainnet.
90 | :::
91 |
92 | ## 5. Start Teku
93 |
94 | Start Teku and specify the public keys of the validators that Web3Signer signs attestations and
95 | blocks for, and specify the Web3Signer address.
96 |
97 | ```bash
98 | teku --network=holesky \
99 | --eth1-endpoint=http://localhost:8545 \
100 | --validators-external-signer-public-keys=0xa99a...e44c,0xb89b...4a0b \
101 | --validators-external-signer-url=http://localhost:9000
102 | ```
103 |
104 |
105 |
106 | [Teku installed]: https://docs.teku.consensys.net/get-started/install/install-binaries
107 | [Web3Signer installed]: ../get-started/install-binaries.md
108 | [slashing protection database]: ../how-to/configure-slashing-protection.md
109 | [key configuration file]: ../reference/key-config-file-params.md
110 |
--------------------------------------------------------------------------------
/versioned_sidebars/version-25.3.0-sidebars.json:
--------------------------------------------------------------------------------
1 | {
2 | "docSidebar": [
3 | {
4 | "type": "doc",
5 | "id": "index",
6 | "label": "Introduction"
7 | },
8 | {
9 | "type": "category",
10 | "label": "Get started",
11 | "collapsed": false,
12 | "link": {
13 | "type": "generated-index",
14 | "slug": "/get-started"
15 | },
16 | "items": [
17 | {
18 | "type": "autogenerated",
19 | "dirName": "get-started"
20 | }
21 | ]
22 | },
23 | {
24 | "type": "category",
25 | "label": "How to",
26 | "link": {
27 | "type": "generated-index",
28 | "slug": "/how-to"
29 | },
30 | "items": [
31 | {
32 | "type": "autogenerated",
33 | "dirName": "how-to"
34 | }
35 | ]
36 | },
37 | {
38 | "type": "category",
39 | "label": "Concepts",
40 | "link": {
41 | "type": "generated-index",
42 | "slug": "/concepts"
43 | },
44 | "items": [
45 | {
46 | "type": "autogenerated",
47 | "dirName": "concepts"
48 | }
49 | ]
50 | },
51 | {
52 | "type": "category",
53 | "label": "Tutorials",
54 | "link": {
55 | "type": "generated-index",
56 | "slug": "/tutorials"
57 | },
58 | "items": [
59 | {
60 | "type": "autogenerated",
61 | "dirName": "tutorials"
62 | }
63 | ]
64 | },
65 | {
66 | "type": "category",
67 | "label": "Reference",
68 | "link": {
69 | "type": "generated-index",
70 | "slug": "/reference"
71 | },
72 | "items": [
73 | {
74 | "type": "autogenerated",
75 | "dirName": "reference"
76 | }
77 | ]
78 | },
79 | "chatbot"
80 | ]
81 | }
82 |
--------------------------------------------------------------------------------
/versions.json:
--------------------------------------------------------------------------------
1 | [
2 | "25.3.0"
3 | ]
4 |
--------------------------------------------------------------------------------