Version: development

Signing key configuration file parameters

A signing key configuration file is a YAML file that defines the parameters to access one or more signing keys.

Note: You can specify multiple key configurations in a single configuration file by adding a triple-dash separator (---) between configurations.

Specify a maximum file size limit for your signing key configuration file with the --key-store-config-file-max-size command line option. The default size is 100 MB.

Raw unencrypted files

Stores the private key as an unencrypted value directly in the key configuration file.

type: "file-raw"
keyType: "SECP256K1"
privateKey: "0x25b1166a43c109cb330af8945d364722757c65ed2bfed5444b5a2f057f82d391"

| Key | Description |
| --- | --- |
| type | Type of configuration file. Use file-raw. |
| keyType | Signing key type. Valid options are BLS or SECP256K1. The default is BLS. |
| privateKey | Hexadecimal encoded private key string. |

Keystore file

Use the private key stored in a keystore file.

type: "file-keystore"
keyType: "SECP256K1"
keystoreFile: "95e57532ede3c1dd879061153f9cfdcdefa9dc5fb9c954a6677bc6641b8d26e39f70b660bbaa732c47277c0096e11400.json"
keystorePasswordFile: "95e57532ede3c1dd879061153f9cfdcdefa9dc5fb9c954a6677bc6641b8d26e39f70b660bbaa732c47277c0096e11400.password"

| Key | Description |
| --- | --- |
| type | Type of configuration file. Use file-keystore. |
| keyType | Signing key type. Valid options are BLS or SECP256K1. The default is BLS. |
| keystoreFile | Location of the keystore file. |
| keystorePasswordFile | Text file containing the password to decrypt the keystore file. |

HashiCorp Vault

Use the private key stored in HashiCorp Vault.

type: "hashicorp"
keyType: "SECP256K1"
tlsEnabled: "true"
keyPath: "/v1/secret/data/secretPath"
keyName: "secretName"
tlsKnownServersPath: "/Users/me/project/knownhosts"
serverHost: "localhost"
serverPort: "32895"
timeout: "10000"
token: "s.MuZwBqZ0iE1HzvD64v3HMlhT"

| Key | Description |
| --- | --- |
| type | Type of configuration file. Use hashicorp. |
| keyType | Signing key type. Valid options are BLS or SECP256K1. The default is BLS. |
| tlsEnabled | Enable or disable TLS. The default is true. |
| keyPath | Path to the secret in HashiCorp Vault containing the private key. The syntax is the same as the path used in the HashiCorp KV Secrets Engine Version 2 HTTP API. |
| keyName | Name of the key storing the private key in the vault. |
| tlsKnownServersPath | Path to the file containing a list of trusted HashiCorp Vault servers. |
| serverHost | Host of the HashiCorp Vault server. |
| serverPort | Port of the HashiCorp Vault server. |
| timeout | Timeout in milliseconds for requests to the HashiCorp Vault server. |
| token | The root token displayed by the HashiCorp Vault server. |
| httpProtocolVersion | Override the HTTP protocol version used to connect to HashiCorp Vault. Valid values are HTTP_2 and HTTP_1_1. The default is HTTP_2. |

Azure Key Vault

Use the private key stored in Azure Key Vault. Supports two signing options:

  • azure-key - Performs the signing in Azure Key Vault. Supports SECP256K1 signing keys only.
  • azure-secret - Web3Signer fetches the keys from the vault and signs locally. Supports SECP256K1 and BLS12-381 signing keys.

type: "azure-secret"
keyType: "BLS"
authenticationMode: "USER_ASSIGNED_MANAGED_IDENTITY"
clientId: "***"
tenantId: "***"
vaultName: "AzureKeyVault"
secretName: "SecretName"

| Key | Description |
| --- | --- |
| type | Type of configuration file. Use azure-secret or azure-key. |
| authenticationMode | Authentication type being used. Can only be used with the azure-secret type. Valid options are CLIENT_SECRET, SYSTEM_ASSIGNED_MANAGED_IDENTITY, and USER_ASSIGNED_MANAGED_IDENTITY. The default is CLIENT_SECRET. |
| keyType | Signing key type. Valid options are BLS or SECP256K1. The default is SECP256K1. |
| clientId | ID used to authenticate with Azure Key Vault. Required when using the azure-key type, or when using azure-secret with the CLIENT_SECRET or USER_ASSIGNED_MANAGED_IDENTITY authentication modes. |
| clientSecret | Secret used to access the vault. Required for the CLIENT_SECRET authentication mode. |
| tenantId | The tenant ID used to authenticate with Azure Key Vault. |
| vaultName | Name of the vault to access. Sub-domain of vault.azure.net. |
| secretName | Name of the key stored in the Azure Key Vault under Secrets settings. Required when using the azure-secret type. |
| keyName | Name of the key stored in the Azure Key Vault under Keys settings. Required when using the azure-key type. |

AWS Secrets Manager

Use the private key stored in AWS Secrets Manager. Supports BLS keys for consensus layer signing.

type: "aws-secret"
authenticationMode: "SPECIFIED"
keyType: "BLS"
accessKeyId: "foo"
secretAccessKey: "bar"
secretName: "SecretName"
region: "us-west-2"

| Key | Description |
| --- | --- |
| type | Type of configuration file. Use aws-secret. |
| authenticationMode | Authentication type being used. Valid options are ENVIRONMENT and SPECIFIED. If using ENVIRONMENT, credentials are authenticated using the default credential provider chain. The default authentication type is SPECIFIED. |
| keyType | Signing key type. Use BLS. |
| accessKeyId | Your access key ID. |
| secretAccessKey | Your secret access key. |
| secretName | Name of the secret. |
| region | Region to connect to. |

AWS Key Management Service

Use the private key stored in AWS Key Management Service (KMS). Supports SECP256K1 keys for execution layer signing.

type: "aws-kms"
authenticationMode: "SPECIFIED"
accessKeyId: "acc_key_id"
secretAccessKey: "foo"
sessionToken: "sess_token"
kmsKeyId: "bar"
region: "us-east-2"
endpointOverride: "http://localhost:4566"

| Key | Description |
| --- | --- |
| type | Type of configuration file. Use aws-kms. |
| authenticationMode | Authentication type being used. Valid options are ENVIRONMENT and SPECIFIED. If using ENVIRONMENT, credentials are authenticated using the default credential provider chain. The default authentication type is SPECIFIED. |
| accessKeyId | Access key ID. |
| secretAccessKey | Secret access key. |
| sessionToken | Token provided by AWS Security Token Service (STS). Optional depending on AWS configuration. |
| kmsKeyId | AWS Access Key ID to authenticate AWS KMS. |
| region | Region to connect to. |
| endpointOverride | Endpoint override for AWS KMS. Useful for local testing against LocalStack. |
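As an added example (not Web3Signer's own code), a small Python checker that splits a signing key configuration file on its --- separators and validates each document against the keys, keyType values, defaults and authenticationMode-dependent requirements listed on this page. The flat key/value parser stands in for a YAML library, and the required-key sets for types where the page does not say "Required" are taken from its examples; both are assumptions.

```python
import re
_LINE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9]*)\s*:\s*"?([^"]*?)"?\s*$')  # flat 'key: "value"' lines; quotes optional
# Per type: keys that must be present, permitted keyType values, default keyType (assumed from this page's examples and "Required" notes).
_RULES = {
    "file-raw": ({"privateKey"}, {"BLS", "SECP256K1"}, "BLS"),
    "file-keystore": ({"keystoreFile", "keystorePasswordFile"}, {"BLS", "SECP256K1"}, "BLS"),
    "hashicorp": ({"keyPath", "keyName", "serverHost", "serverPort", "token"}, {"BLS", "SECP256K1"}, "BLS"),
    "azure-secret": ({"vaultName", "tenantId", "secretName"}, {"BLS", "SECP256K1"}, "SECP256K1"),
    "azure-key": ({"vaultName", "tenantId", "clientId", "keyName"}, {"SECP256K1"}, "SECP256K1"),
    "aws-secret": ({"secretName", "region"}, {"BLS"}, "BLS"),
    "aws-kms": ({"kmsKeyId", "region"}, {"SECP256K1"}, "SECP256K1"),
}

def parse_key_configs(text):
    """Split on the '---' separator and parse each flat document into a dict."""
    docs = []
    for chunk in re.split(r"^---\s*$", text, flags=re.MULTILINE):
        cfg = {}
        for line in filter(str.strip, chunk.splitlines()):  # skip blank lines
            m = _LINE.match(line)
            if not m:
                raise ValueError(f"unparseable line: {line!r}")
            cfg[m.group(1)] = m.group(2)
        if cfg:  # a trailing separator yields an empty document; drop it
            docs.append(cfg)
    return docs

def validate(cfg):
    """Return the problems found in one document; an empty list means it passes."""
    t = cfg.get("type")
    if t not in _RULES:
        return [f"unknown type {t!r}"]
    required, allowed, default = _RULES[t]
    key_type = cfg.get("keyType", default)
    problems = [] if key_type in allowed else [f"{t}: keyType {key_type} is not supported"]
    if t == "azure-secret":  # clientId/clientSecret requirements depend on authenticationMode
        mode = cfg.get("authenticationMode", "CLIENT_SECRET")
        if mode in ("CLIENT_SECRET", "USER_ASSIGNED_MANAGED_IDENTITY"):
            required = required | {"clientId"}
        if mode == "CLIENT_SECRET":
            required = required | {"clientSecret"}
    problems += [f"{t}: missing {k}" for k in sorted(required - set(cfg))]
    if t == "hashicorp" and cfg.get("tlsEnabled", "true").lower() != "true":
        problems.append("hashicorp: tlsEnabled is false, so the Vault token is sent in clear text")
    return problems

# Constructed sample: two documents in one file, separated by "---" (placeholder values).
SAMPLE = ('type: "file-keystore"\nkeystoreFile: "v.json"\nkeystorePasswordFile: "v.pw"\n'
          '---\ntype: "azure-secret"\ntenantId: "***"\nvaultName: "kv"\nsecretName: "sn"\n')
if __name__ == "__main__":
    print([(c["type"], validate(c)) for c in parse_key_configs(SAMPLE)])
```

The second sample document omits authenticationMode, so it falls back to the page's CLIENT_SECRET default and is reported as missing both clientId and clientSecret.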