Skip to main content

Remote Signer

The Remote Signer mode lets you isolate validator signing keys from the Operator Service. Instead of storing keystores locally, the Operator queries a remote signer like Web3Signer ↗1 for deposit and exit message signatures.

Prerequisites

Complete the following steps before proceeding:

  1. Installation → completed
  2. Validators Manager → set
  3. Web3Signer ↗ running and accessible at your specified URL

Setup Remote Signer

Upload the keystores to a remote signer. If you already have private keys uploaded to the remote signer, proceed to Start Operator Service below.

Example Usage

./operator setup-remote-signer
Example Output
Enter your vault address: 0xf82f6e46d0d0a9536b9ca4bc480372eeafcd9e6c
Enter the URL of the remote signer (e.g. https://signer:9000): https://localhost:9000
Successfully imported 10 keys into remote signer.
Remove local keystores? [y/N]: y
Removed keystores from local filesystem.
Done. Successfully configured operator to use remote signer for 10 public key(s)!

setup-remote-signer flags

FlagDescription
--remote-signer-urlURL of the remote signer
--vaultVault address
--dappnodeUse with Dappnode Staking Brain. Requires --execution-endpoints
--execution-endpointsComma-separated execution node API endpoints. Used to retrieve the Vault validator fee recipient. Required with --dappnode
--data-dirPath where Vault data is stored. Default: ~/.stakewise
--keystores-dirDirectory with validator keys in EIP-2335 ↗ format

Start Operator Service

Provide the operator with the URL to your remote signer instance using the --remote-signer-url flag:

./operator start-remote-signer \
  --vault=0x834F27bC8670491b75af512d943f01D5383F87Cf \
  --consensus-endpoints=https://consensus-node \
  --execution-endpoints=https://execution-node \
  --remote-signer-url=https://remote-signer:9000

You should see a message similar to this one after starting the operator:

Using remote signer at http://remote-signer:9000 for 20 public keys

This setup supports various optional flags to provide more flexibility and customization. See all available options in the Start Operator → setup.

1. Web3Signer is an open-source remote signing service developed by Consensys, which can sign payloads using secp256k1 and BLS12-381 keys. It supports keys stored either in external vaults or encrypted on disk, and is designed for use with both the Ethereum execution layer and consensus layer.

Last updated on