Web3Signer setup guide

What is Web3Signer?

Web3Signer is an open-source signing service developed under the Apache 2.0 license and written in Java. Web3Signer is capable of signing on multiple platforms using private keys stored in an external vault, or encrypted on a disk.

It is an innovative tool designed to enhance security and simplify the process of signing transactions in web3 applications. With Web3Signer, developers can seamlessly integrate external wallets or vaults into their decentralized applications, ensuring robust protection for private keys and providing users with a seamless and secure transaction signing experience.

This tool streamlines the signing process and offers enhanced security measures, making it a valuable asset for developers and users in the Web3 ecosystem. Learn more

To set up Web3Signer, follow these steps:

Step 1: Setting up the binary

Web3Signer offers two setup options: Docker mode or running it natively with a binary.

For Docker mode, refer to the following documentation: https://docs.web3signer.consensys.net/HowTo/Get-Started/Use-Docker
To set it up in native mode, follow the instructions provided in this documentation: https://docs.web3signer.consensys.net/HowTo/Get-Started/Start-Web3Signer

Step 2: Enable signing mode

The signing mode of your Web3signer should be consensus layer client mode. To enable this signing mode simply add "eth2" after the web3signer command. For example: web3signer <commands> eth2 <sub commands>
To explore the available commands that can be used with web3signer in eth2 mode, you can run web3signer eth2 --help. This will provide you with a list of possible commands and their usage.

Step 3: Setup slashing protection

When integrating Web3Signer with your validator client, it is highly recommended to set up slashing protection. Slashing protection ensures that validators do not sign duplicate attestations or blocks, preventing potential double signing issues.

To enable slashing protection with Web3Signer, the node operator needs to maintain a PostgreSQL database that can be shared among multiple instances of Web3Signer. This enables efficient slashing protection across the network.

For a detailed understanding of slashing protection, please refer to the following documentation: https://docs.web3signer.consensys.net/Concepts/Slashing-Protection
Find the relevant commands for setting up slashing protection in the following documentation: https://docs.web3signer.consensys.net/Reference/CLI/CLI-Subcommands#slashing-protection-db-url

Step 4: Setting up the Keys

To determine the storage location for your keys in Web3Signer, you need to create a configuration file that specifies the desired storage location. This configuration file can then be passed to Web3Signer using the following flag: https://docs.web3signer.consensys.net/Reference/CLI/CLI-Syntax#key-store-path
For detailed instructions on how to curate the configuration file and to learn about the supported platforms for Web3Signer, please refer to this documentation: https://docs.web3signer.consensys.net/Reference/Key-Configuration-Files

Step 5: Host Whitelisting

To restrict access to the web3signer instance you have set up, you can create a whitelist of permitted hosts. This ensures that only specified hosts can make use of the web3signer's REST API.

To set up the host whitelist, you can utilize the allowlist command. This command enables you to specify the hosts that are allowed to access the REST API. For more detailed information on using this command, please refer to the following documentation: https://docs.web3signer.consensys.net/Reference/CLI/CLI-Syntax#http-host-allowlist

Step 6: Connecting To Validator Clients

After setting up your web3signer, it is highly advisable to establish a connection between web3signer and your running validator client. This connection is crucial to prevent duplicate keys. Typically, you would have one key imported with the validator client and a duplicate copy stored on platforms like AWS KMS or Hashicorp Vault. This is an inconvenient situation which can potentially cause double slashing.

To seamlessly connect web3signer with your validator clients, please refer to the provided documentation for detailed instructions and guidelines. Following these instructions will ensure a smooth and secure integration between web3signer and your validator clients.

For lighthouse - https://lighthouse-book.sigmaprime.io/validator-web3signer.html
For Nimbus - https://nimbus.guide/keymanager-api.html
For Prysm - https://docs.prylabs.network/docs/wallet/web3signer
For Teku - https://docs.teku.consensys.net/how-to/use-external-signer/use-web3signer

Need further help?

For a comprehensive tutorial on setting up web3signer and establishing a connection with your validator client, we recommend following this resource: https://docs.web3signer.consensys.net/Tutorials/Launchpad-Keystores

PreviousPre-requisite for permissioned node operators NextNode registration and adding validators

Last updated 11 months ago