Configuration

The virtual signer can be configured with environment variables during deployment.

Note: The VS_* prefix is preferred for all environment variables. Legacy EDG_VS_* variables are supported for backward compatibility.

Contact your io.finnet representative for more information if you would like to understand more about these options.

Configuration	Description
Port `VS_Port` Integer	The TCP port opened by the Virtual Signer, part of the URL exposed for device registration.
MPCCoreHost `VS_MPCCoreHost` String	The host name, that will be used by Virtual Signer light instance, to connect to Virtual Signer server instance.
MPCCorePort `VS_MPCCorePort` Integer	Port number, that will be used by Virtual Signer light instance, to connect to Virtual Signer server instance.
LogLevel `VS_LogLevel` String	The log level of the Virtual Signer. Valid values are `"info"` or `"debug"`.
OrgId `VS_OrgId` String	Optional. The organization ID used when registering a device on launch. Required if `InitialDevices` is defined.
InitialDevice `VS_INITIAL_DEVICE` String	Optional. Device name to be registered on launch. Requires `OrgId`.
AuthClientId `VS_AuthClientId` String	The client ID used for authentication along with `AuthClientSecret`.
AuthClientSecret `VS_AuthClientSecret` String	The client secret used for authentication with `AuthClientId`.
ApprovalMode `VS_ApprovalMode` String	Determines approval mechanism. Valid values: `"API"`, `"SmartContract"`, or `"AlwaysApprove"`.
ExternalReshareApprovalURL `VS_ExternalReshareApprovalURL` String	The URL of a user API that approves or rejects reshare requests. Required if `ApprovalMode="API"`.
ExternalTransactionApprovalURL `VS_ExternalTransactionApprovalURL` String	The URL of a user API that approves or rejects transactions. Required if `ApprovalMode="API"`.
ApprovalHTTPPublicKeyHex `VS_ApprovalHTTPPublicKeyHex` String	The EdDSA P256 public key (hex-encoded) used to verify HTTP responses from the user API when `ApprovalMode="API"`.
ApprovalNodeRPCAddress `VS_ApprovalNodeRPCAddress` String	Required for `"SmartContract"` mode. RPC address of an Ethereum or io.network node.
ApprovalSmartContractAddress `VS_ApprovalSmartContractAddress` String	Required for `"SmartContract"` mode. Smart contract address in hex (`"0x..."`) that approves/rejects requests.
PrometheusPort `VS_PrometheusPort` Integer	Optional.

Cloud Storage Configuration

For AWS and Azure deployments, cloud blob storage can be used instead of local filesystem storage.

Configuration	Description
STORAGE_BUCKET_URL `STORAGE_BUCKET_URL` String	Cloud storage URL. Examples: AWS S3: `s3://bucket-name?region=us-east-1` Azure Blob: `azblob://container-name` S3-Compatible: `s3://bucket?endpoint=https://minio.local` When not set, filesystem storage is used (`/var/vsigner`).

Recommended: For AWS S3, enable bucket encryption using a customer-managed key in AWS KMS.

Azure Secure Key Release (SKR) Configuration

For Azure deployments, SKR provides hardware-attested encryption for data at rest. SKR is automatically enabled when all three required parameters are set.

Configuration	Required	Description
`VS_SKR_AKV_ENDPOINT`	Yes*	Azure Key Vault URL (e.g., `https://your-vault.vault.azure.net`)
`VS_SKR_MAA_ENDPOINT`	Yes*	Azure Attestation URL (e.g., `https://sharedeus.eus.attest.azure.net`)
`VS_SKR_KEY_ID`	Yes*	Key identifier in Azure Key Vault (exportable symmetric key)
`VS_SKR_ENDPOINT`	No	SKR sidecar endpoint (default: `http://localhost:8080`)
`VS_SKR_ACCESS_TOKEN`	No	Bearer token for sidecar auth (when managed identity unavailable)

* Required to enable SKR. When all three are set, SKR encryption is automatically enabled.

Self-Hosted Encryption at Rest

For self-hosted deployments without Azure infrastructure, you can enable encryption at rest using a static AES-256-GCM key.

Configuration Description

Configuration	Description
`VS_ENCRYPTION_KEY`	Hex-encoded 32-byte (64 character) AES-256 key for encrypting data at rest. Generate with: `openssl rand -hex 32`

VS_ENCRYPTION_KEY

Hex-encoded 32-byte (64 character) AES-256 key for encrypting data at rest.

Generate with: openssl rand -hex 32

Important: Store this key securely (e.g., Docker secrets, HashiCorp Vault). If lost, encrypted data cannot be recovered.

Note: VS_ENCRYPTION_KEY and SKR (VS_SKR_*) are mutually exclusive. Use one or the other, not both.

Docker Compose example:

environment:
  # Generate with: openssl rand -hex 32
  VS_ENCRYPTION_KEY: "your-64-character-hex-key-here"

Backward compatibility: When encryption is enabled, the Virtual Signer can still read existing plaintext data. New writes are encrypted. Re-saving a file encrypts it opportunistically.