Disaster Recover and Backup
Your Virtual Signer reads and writes important data used to secure your assets
The Virtual Signer writes sensitive data such as key shares to the disk where it runs, and other sensitive data are kept in files that must be accessible by the app at all times, even after system restarts. These files are encrypted, but it is important to persist these files in between container restarts, so that the data is not deleted.
Storage Backends
The Virtual Signer supports multiple storage backends for persisting encrypted keys and shares:
| Backend | Configuration | Use Case |
|---|---|---|
| Filesystem | (default) | Self-hosted deployments |
| AWS S3 | STORAGE_BUCKET_URL=s3://bucket?region=us-east-1 | AWS deployments |
| Azure Blob | STORAGE_BUCKET_URL=azblob://container | Azure deployments |
Data Organisation
Data is organised into subdirectories:
| Data Type | Path |
|---|---|
| Private Keys | private-keys/ |
| Private Shares | private-shares/ |
| Key Chain Data | private-keychain-general/ |
Azure SKR Encryption
For Azure deployments, Secure Key Release (SKR) provides hardware-attested encryption of stored data using keys released only to verified confidential containers.
Important: Disaster RecoveryYou must have a redundant set of mobile device signers to make sure that they are able to "take over" and recover access to a vault if the Virtual Signers are ever lost, damaged, or unable to be backed up.
Perform drills and air-gapped Disaster Recovery Process tests with your mobile signers to make sure that your team are familiar with the process of recovering access to a vault for if in the unlikely case this is ever needed, they are able to do it.
Updated 18 days ago