Data Storage and Backup
Your Virtual Signer reads and writes important data used to secure your assets
The Virtual Signer writes sensitive data, such as key shares, to the disk of the host where it runs. Other sensitive data is kept in files that must remain accessible to the app at all times, even after system restarts. These files are encrypted, but they must persist across container restarts so that the data is not deleted.
The preferred way to persist these files is to use mapped Docker volumes. Once a volume is linked, the Virtual Signer will manage its own filesystem within the volume.
Keep in mind that data is encrypted at rest and during use, at all times. Nobody is able to read this data, as it is secured by the Intel SGX enclave hardware.
Important: Hardware Consistency
Because Intel SGX is used for data encryption (also known as "sealing"), the encryption keys are burned into the server CPU's physical chip. Changing your server's CPU, or moving your data over to a server with a different CPU, will therefore render the Virtual Signer data invalid.
You must stay with the same hardware when running an SGX Virtual Signer, and be sure to perform a full reshare in your vault's settings when moving to new hardware.
Important: Data Backup
If the volume attached to your Docker container is deleted at any point or fails due to a hardware issue, your Virtual Signer will be unable to participate in signing. You will have to use your redundant mobile device signers to reshare the Virtual Signer out of the vault, and then replace it with a new one.
Another consequence of a deleted volume is that, upon restart, the Virtual Signer will not find any devices. If InitialDevice is defined in Configuration, a new device will be created with a new identifier. This will be an entirely new signer with no existing shares.
Be sure to always set up an appropriate backup and restore strategy for data, as you would with any other important server. It is strongly recommended that you do regular drills to make sure that the backup data is accessible and valid over time.
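One way to run the backup drill recommended above, as an added example that is not the vendor's tooling. The function names and all paths are hypothetical, and it assumes a Linux host with tar and sha256sum and that the signer is stopped while the copy is taken. Because the files are sealed, the drill can only confirm that the bytes are intact and restorable, and a restored copy is still only usable on the original CPU.

```shell
#!/usr/bin/env bash
# Added example: backup and restore drill for the host directory that is
# mapped into the Virtual Signer container. Paths are placeholders.

# backup_volume SRC_DIR BACKUP_DIR -> prints the path of the new archive
backup_volume() {
    src=$1; dest=$2
    [ -d "$src" ] || { echo "source volume $src missing" >&2; return 1; }
    mkdir -p "$dest" || return 1
    archive="$dest/signer-$(date -u +%Y%m%dT%H%M%SZ).tar.gz"
    # -C keeps paths relative so the archive restores into any directory
    tar -czf "$archive" -C "$src" . || return 1
    # a checksum stored beside the archive exposes silent corruption later
    ( cd "$dest" && sha256sum "$(basename "$archive")" \
        > "$(basename "$archive").sha256" ) || return 1
    echo "$archive"
}

# drill_restore ARCHIVE [LIVE_DIR] -> 0 if the archive is intact and restorable
drill_restore() {
    archive=$1; live=${2:-}
    ( cd "$(dirname "$archive")" \
        && sha256sum -c "$(basename "$archive").sha256" >/dev/null 2>&1 ) \
        || { echo "checksum mismatch: $archive" >&2; return 1; }
    scratch=$(mktemp -d) || return 1
    tar -xzf "$archive" -C "$scratch" || { rm -rf "$scratch"; return 1; }
    rc=0
    # an empty restore means the backup job captured the wrong directory
    [ -n "$(ls -A "$scratch")" ] || { echo "archive is empty" >&2; rc=1; }
    # optional comparison with the live volume (signer stopped, see lead-in)
    if [ "$rc" -eq 0 ] && [ -n "$live" ]; then
        diff -r "$scratch" "$live" >/dev/null \
            || { echo "restore differs from $live" >&2; rc=1; }
    fi
    rm -rf "$scratch"
    return $rc
}
```

Schedule `backup_volume` against the host side of the mapped volume and run `drill_restore` on the newest archive as the periodic drill; a non-zero exit status is the signal to investigate.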
Updated 4 days ago