This is part 2 of the Ethereum 2.0 key management post
When you opt to run a remote signer, you keep complete control of your validation key. For this reason, you must spin up a virtual machine with the remote signer on a cloud platform that you fully control yourself. Not to worry, our solution makes it simple to do so.
Our remote signer solution is a Digital Ocean Basic Droplet costing $10/mo.
When you are ready, we give you a shell command to deploy a Digital Ocean VM with custom user-data. The VM comes online and automatically sets itself up as a remote signer.
Your public and private validation keys are passed to the virtual machine as environment variables. We give you instructions to extract these keys from your validator keystore that you generated during onboarding.
The Droplet is configured with a Cloud Firewall that only accepts inbound signing connections and SSH connections authenticated with a key pair. It has a static IP address.
The connection from the validator setup to the remote signer is TLS encrypted, and the firewall is additionally restricted to the IP range of the validator setup as an extra layer of security.
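The deployment and firewall steps above, as an added example that is not MIDL.dev's own deployment script: it drives the `doctl` CLI (assumed installed and authenticated) to create the Droplet from a cloud-init file and then attaches a Cloud Firewall whose inbound rules allow only key-based SSH from the operator's range and the signing port from the validator setup's range. The port, CIDRs, region, image, SSH key fingerprint and cloud-init file name are placeholders. The rule builder refuses world-open (`/0`) ranges and ranges with host bits set, so a typo cannot silently expose the signing port.

```python
"""Provision a remote-signer Droplet behind a locked-down Cloud Firewall.

Added example, not MIDL.dev's code.  Assumes the doctl CLI is installed and
authenticated.  All constants below are placeholders / constructed values.
"""
import ipaddress
import subprocess

SIGNER_PORT = 9000                          # assumed signing port
VALIDATOR_CIDR = "203.0.113.0/24"           # constructed: validator setup egress range
OPERATOR_CIDR = "198.51.100.7/32"           # constructed: where the operator sshes from
SSH_KEY_FINGERPRINT = "PLACEHOLDER_SSH_KEY_FINGERPRINT"
USER_DATA_FILE = "signer-cloud-init.yml"    # assumed cloud-init file that sets up the signer


def range_ok(cidr: str) -> bool:
    """True only for a well-formed network that is not world-open."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)  # strict: host bits must be zero
    except ValueError:
        return False
    return net.prefixlen > 0


def rule(port: int, cidr: str) -> str:
    """One doctl inbound rule string; rejects unsafe or malformed ranges."""
    if not range_ok(cidr):
        raise ValueError(f"refusing rule for port {port}: bad or world-open range {cidr!r}")
    net = ipaddress.ip_network(cidr, strict=True)
    return f"protocol:tcp,ports:{port},address:{net.with_prefixlen}"


def inbound_rules(validator_cidr: str, operator_cidr: str, port: int = SIGNER_PORT) -> list:
    """SSH only from the operator range, signing only from the validator range."""
    return [rule(22, operator_cidr), rule(port, validator_cidr)]


def droplet_create_cmd(name: str, region: str = "nyc1", size: str = "s-1vcpu-1gb",
                       image: str = "ubuntu-22-04-x64") -> list:
    """argv for creating the Droplet with custom user-data and an SSH key only."""
    return ["doctl", "compute", "droplet", "create", name,
            "--region", region, "--size", size, "--image", image,
            "--ssh-keys", SSH_KEY_FINGERPRINT,
            "--user-data-file", USER_DATA_FILE,
            "--wait", "--format", "ID", "--no-header"]


def firewall_create_cmd(name: str, droplet_id, rules: list) -> list:
    """argv for creating the Cloud Firewall and attaching it to the Droplet.

    Outbound stays open so the VM can fetch updates and reach the validator.
    """
    outbound = ("protocol:tcp,ports:all,address:0.0.0.0/0,address:::/0 "
                "protocol:udp,ports:all,address:0.0.0.0/0,address:::/0")
    return ["doctl", "compute", "firewall", "create", "--name", name,
            "--inbound-rules", " ".join(rules),
            "--outbound-rules", outbound,
            "--droplet-ids", str(droplet_id)]


def run(argv: list) -> str:
    """Run a doctl command and return its trimmed stdout."""
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout.strip()


if __name__ == "__main__":
    droplet_id = run(droplet_create_cmd("eth2-remote-signer"))
    rules = inbound_rules(VALIDATOR_CIDR, OPERATOR_CIDR)
    run(firewall_create_cmd("eth2-remote-signer-fw", droplet_id, rules))
    print("droplet", droplet_id, "firewall inbound rules:", rules)
```

The `--format ID --no-header` flags on `droplet create` are assumed to print just the new Droplet's ID so it can be fed to the firewall command; if your `doctl` version prints differently, read the ID from `doctl compute droplet list` instead. A static address can be added afterwards with a reserved IP, which is what lets the validator side pin the signer's address in its own egress rules.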
MIDL.dev monitoring infrastructure verifies that the signer is operational by periodically sending HTTP keepalives and sends a Slack message to the operator if there is an issue with the signing VM.
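The keepalive-and-alert loop described above, as an added example that is not MIDL.dev's monitoring code. It assumes the signer answers `GET /upcheck` with HTTP 200 when healthy (an EIP-3030-style endpoint; confirm the path for your signer build) and that alerts go to a Slack incoming webhook. The probe verifies the signer's TLS certificate, and it only pages after a configurable number of consecutive failures, then sends a single recovery message, so a one-off network blip does not flap the channel. The probe function takes the HTTP fetch as a parameter so the state machine can be exercised without a live signer.

```python
"""Keepalive monitor for a remote-signer VM with Slack alerting.

Added example, not MIDL.dev's code.  The signer URL, /upcheck path and the
Slack webhook are assumptions / placeholders.
"""
import json
import ssl
import time
import urllib.request
from dataclasses import dataclass

SIGNER_URL = "https://signer.example.invalid:9000/upcheck"        # placeholder
SLACK_WEBHOOK = "https://hooks.slack.com/services/PLACEHOLDER"    # placeholder
FAILURE_THRESHOLD = 3   # consecutive failed probes before paging the operator
INTERVAL_SECONDS = 60   # how often to probe


@dataclass
class SignerState:
    """Per-signer state carried between probes."""
    consecutive_failures: int = 0
    alerted: bool = False


def http_get_status(url: str, timeout: float = 5.0) -> int:
    """Real probe: TLS-verified GET; returns the HTTP status, or 0 on any error."""
    ctx = ssl.create_default_context()  # verifies the signer's certificate chain
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return resp.status
    except Exception:
        return 0


def slack_payload(text: str) -> dict:
    """Body for a Slack incoming webhook."""
    return {"text": text}


def probe(state: SignerState, fetch=http_get_status, url: str = SIGNER_URL) -> dict:
    """One keepalive round.

    Returns {"status": http_status, "healthy": bool, "alert": None | payload}.
    An alert is produced once when the failure threshold is crossed and once
    more when the signer recovers; repeated failures in between stay silent.
    """
    status = fetch(url)
    healthy = status == 200
    alert = None
    if healthy:
        if state.alerted:
            alert = slack_payload(f"Remote signer recovered: {url}")
        state.consecutive_failures = 0
        state.alerted = False
    else:
        state.consecutive_failures += 1
        if state.consecutive_failures >= FAILURE_THRESHOLD and not state.alerted:
            alert = slack_payload(
                f"Remote signer DOWN: {url} failed {state.consecutive_failures} "
                f"consecutive keepalives (last HTTP status {status})")
            state.alerted = True
    return {"status": status, "healthy": healthy, "alert": alert}


def post_slack(payload: dict, webhook: str = SLACK_WEBHOOK) -> None:
    """Deliver an alert to the Slack webhook (network call)."""
    req = urllib.request.Request(webhook, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5.0):
        pass


def run() -> None:
    """Probe forever, paging Slack on threshold crossings and recoveries."""
    state = SignerState()
    while True:
        result = probe(state)
        if result["alert"] is not None:
            post_slack(result["alert"])
        time.sleep(INTERVAL_SECONDS)


if __name__ == "__main__":
    run()
```

Run it under a process supervisor on a host separate from both the signer and the validator; a monitor that dies with the thing it watches tells you nothing. Because the Cloud Firewall only admits the validator's range on the signing port, the monitor host's address must also be in that allowlist or the probe will fail for the wrong reason.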
The remote signer runtime is based on the remote-signer-ts project from EthPOS. It supports any number of keys.
If the VM needs to be upgraded to support additional keys or a new version of the software, the same procedure can be applied again, in coordination with MIDL.dev in case the IP address of the virtual machine changes.