
Load signing keys

Load signing keys using a key configuration file, or bulk load using the eth1 and eth2 subcommands. Web3Signer supports loading keys with the following methods:

| Key storage                      | Key configuration file | Bulk load with eth1 | Bulk load with eth2 |
|----------------------------------|------------------------|---------------------|---------------------|
| Keystore files                   | x                      | x                   | x                   |
| Vaults                           |                        |                     |                     |
| Hashicorp Vault                  | x                      |                     |                     |
| Azure Key Vault                  | x                      | x                   | x                   |
| AWS Secrets Manager              | x                      |                     | x                   |
| AWS KMS                          | x                      | x                   |                     |
| GCP Secret Manager               |                        |                     | x                   |
| Hardware Security Modules (HSMs) |                        |                     |                     |
| USB Armory Mk II                 | x                      |                     |                     |
| YubiHSM 2                        | x                      |                     |                     |
Note: You can combine bulk loading with key configuration files; Web3Signer loads keys from both sources at startup.

Use key configuration files

For each signing key, define the parameters to access the key in a key configuration file. You can create a separate configuration file for each key, or specify multiple configurations in a single file by adding a triple-dash separator (---) between configurations.

The configuration file must be YAML-formatted, and can use any naming format, but must have the .yaml extension.

Place one or more key configuration files in a single directory which you specify when starting Web3Signer. Use the --key-store-path option to specify the location of the key configuration files.

web3signer --key-store-path=/Users/me/keyFiles/ eth2
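The following script, added here as an example and not part of the Web3Signer project, generates one key configuration file per keystore and then merges them into a single file with the triple-dash separator described above. It assumes a layout of its own choosing (KEYSTORES/<name>.json unlocked by PASSWORDS/<name>.txt) and that the file-keystore type takes the fields type, keyType, keystoreFile and keystorePasswordFile, as in the Web3Signer key configuration file reference; check that reference for the field set of your version. It refuses password files readable by anyone but their owner, since Web3Signer reads them as plaintext.

```shell
#!/bin/sh
# Added example (not Web3Signer's own tooling): generate Web3Signer key
# configuration files for a directory of keystores, one .yaml per keystore,
# optionally merged into one file with "---" between configurations.
#
# Assumptions (not from the page): KEYSTORES/<name>.json is unlocked by
# PASSWORDS/<name>.txt, and the "file-keystore" type uses the fields type,
# keyType, keystoreFile and keystorePasswordFile.

# owner_only FILE -> succeeds only if group and other have no permission bits.
owner_only() {
  case $(ls -ld "$1" | cut -c5-10) in
    ------) return 0 ;;
    *) return 1 ;;
  esac
}

# write_key_config NAME KEYSTORE PASSWORD_FILE OUTDIR -> writes OUTDIR/NAME.yaml
write_key_config() {
  name=$1 ks=$2 pw=$3 outdir=$4
  [ -r "$ks" ] || { echo "missing keystore: $ks" >&2; return 1; }
  [ -r "$pw" ] || { echo "missing password file: $pw" >&2; return 1; }
  owner_only "$pw" || { echo "refusing group/world-readable password file: $pw" >&2; return 1; }
  cat > "$outdir/$name.yaml" <<EOF
type: "file-keystore"
keyType: "BLS"
keystoreFile: "$ks"
keystorePasswordFile: "$pw"
EOF
}

# build_key_configs KEYSTORES PASSWORDS OUTDIR -> one .yaml per keystore; prints the count.
# Any keystore without a usable password file aborts the whole run.
build_key_configs() {
  ksdir=$1 pwdir=$2 outdir=$3
  mkdir -p "$outdir"
  count=0
  for ks in "$ksdir"/*.json; do
    [ -e "$ks" ] || break                      # glob did not expand: no keystores
    name=$(basename "$ks" .json)
    write_key_config "$name" "$ks" "$pwdir/$name.txt" "$outdir" || return 1
    count=$((count + 1))
  done
  echo "$count"
}

# merge_key_configs OUTDIR MERGED -> all OUTDIR/*.yaml concatenated, "---" between them.
# Write MERGED outside OUTDIR: Web3Signer loads every .yaml under --key-store-path,
# so keeping both the parts and the merged file there would load each key twice.
merge_key_configs() {
  outdir=$1 merged=$2
  first=1
  : > "$merged"
  for f in "$outdir"/*.yaml; do
    [ -e "$f" ] || break
    [ "$first" -eq 1 ] || echo "---" >> "$merged"
    cat "$f" >> "$merged"
    first=0
  done
}
```

Point --key-store-path at either the directory of per-key files or a directory holding only the merged file, not at both.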

Bulk load keys

Azure Key Vault

You can bulk load keys that are stored in Azure Key Vault using the Web3Signer eth1 subcommand options or eth2 subcommand options.

For eth1 bulk loading, Web3Signer opens connections to the SECP256K1 keys held in Azure Key Vault and performs each signature remotely inside the vault. The private keys are never downloaded to the Web3Signer host.

For eth2 bulk loading, Web3Signer downloads the BLS private keys from Azure Key Vault secrets. Several consensus layer keys can be stored in one secret, separated by a line terminating character such as \n, which reduces cost when dealing with a large number of keys. Up to 200 keys can be stored under one secret name.

Supplying --azure-client-secret on the command line, as in the example below, exposes it in the process list and in shell history; for production deployments pass secrets through the Web3Signer configuration file or environment variables instead.

web3signer eth2 --azure-vault-enabled=true --azure-client-id=87efaa5b-4029-4b54-98bb2e2e8a11 \
--azure-client-secret=0DgK4V_YA99RPk7.f_1op0-em_a46wSe.Z \
--azure-tenant-id=34255fb0-379b-4a1a-bd47-d211ab86df81 \
--azure-vault-name=AzureKeyVault

AWS Secrets Manager

You can bulk load consensus layer keys that are stored in AWS Secrets Manager using the Web3Signer eth2 subcommand options.

Several consensus layer keys can be stored in one secret, separated by a line terminating character such as \n, which reduces cost when dealing with a large number of keys. Up to 200 keys can be stored under one secret name. The same caveat as for Azure applies to --aws-secrets-secret-access-key: prefer the configuration file or environment variables over the command line.

web3signer eth2 --aws-secrets-enabled=true --aws-secrets-access-key-id=AKIA...EXAMPLE \
--aws-secrets-secret-access-key=sk...EXAMPLE \
--aws-secrets-region=us-east-2
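Packing keys into secrets is the step both the Azure Key Vault and AWS Secrets Manager sections above leave to the operator. The script below, added as an example that is not part of the Web3Signer project, splits a file of BLS private keys (one per line) into chunk files of at most 200 newline-separated keys, each chunk being the value of one secret. It rejects any line that is not a 0x-prefixed 32-byte hex string rather than silently storing it, and writes chunks with owner-only permissions. The sample keys are constructed from a counter and are not real key material.

```shell
#!/bin/sh
# Added example (not Web3Signer's own tooling): pack BLS private keys into
# newline-joined chunks of at most 200, one chunk per Azure/AWS secret.

# make_sample_keys FILE COUNT -> COUNT deterministic fake keys (constructed,
# not real key material: each is the counter zero-padded to 32 bytes).
make_sample_keys() {
  : > "$1"
  i=1
  while [ "$i" -le "$2" ]; do
    printf '0x%064x\n' "$i" >> "$1"
    i=$((i + 1))
  done
}

# pack_keys KEYFILE OUTDIR [PER_SECRET] -> writes OUTDIR/secret-NNN.txt and
# prints the number of chunks. Runs in a subshell so the umask change is local.
pack_keys() (
  infile=$1 outdir=$2 per=${3:-200}
  umask 077                                  # chunk files are secrets
  # Count lines that are not 0x + 64 hex digits; "|| true" because grep -c
  # exits 1 when the count is zero.
  bad=$(grep -Evc '^0x[0-9a-fA-F]{64}$' "$infile" || true)
  if [ "$bad" -gt 0 ]; then
    echo "$infile: $bad line(s) are not 0x-prefixed 32-byte hex keys" >&2
    exit 1
  fi
  mkdir -p "$outdir"
  # Line NR goes to chunk floor((NR-1)/per); chunk names sort in input order.
  awk -v per="$per" -v dir="$outdir" '
    { n = int((NR - 1) / per)
      f = sprintf("%s/secret-%03d.txt", dir, n)
      print $0 > f }
    END { print (NR ? n + 1 : 0) }' "$infile"
)
```

Each chunk file is then the value of one secret, for example with the vendor CLIs `aws secretsmanager create-secret --name <name> --secret-string file://secret-000.txt` or `az keyvault secret set --vault-name <vault> --name <name> --file secret-000.txt` (verify the flags against your CLI version). Delete the chunk files and the source key file once the secrets are stored.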

AWS Key Management Service

You can bulk load execution layer keys that are stored in the AWS Key Management Service (KMS) using the Web3Signer eth1 subcommand options. As with Azure Key Vault keys, signing is performed inside KMS and the private keys are not downloaded.

web3signer eth1 --aws-kms-enabled=true --aws-kms-access-key-id=AKIA...EXAMPLE \
--aws-kms-secret-access-key=sk...EXAMPLE \
--aws-kms-region=us-east-2

GCP Secret Manager

You can bulk load consensus layer keys that are stored in the GCP Secret Manager using the Web3Signer eth2 subcommand options.

web3signer eth2 --gcp-secrets-enabled=true --gcp-project-id=<project-id>

Keystore files

You can bulk load consensus layer or execution layer keys that are stored as keystore files using the Web3Signer eth1 subcommand options or eth2 subcommand options.

web3signer eth2 --keystores-path=/Users/me/keystores \
--keystores-passwords-path=/Users/me/passwds

Use the eth1 or eth2 --keystores-password-file or --keystores-passwords-path command line option to specify keystore passwords: --keystores-password-file names a single password file used for every keystore, while --keystores-passwords-path names a directory containing one password file per keystore, each with the same name as its keystore and the .txt extension. Restrict the password files to the Web3Signer user, since they are read as plaintext.