Prerequisites

The recommended system specification for deploying a Virtual Signer

This is what you will need to get up and running with a Virtual Signer linked to your io.vault.

  • A server that meets the minimum or recommended requirements below.
  • Firewalls and other appropriate security measures enabled. We recommend blocking all incoming ports except SSH, or whichever port you need to access your instance remotely. Set up appropriate SSH brute-force protection and disable root logins.
  • An API key created from your io.vault dashboard, which you will enter into the Virtual Signer's environment variable settings.
  • A webhook set up in your backend infrastructure to handle incoming approval request calls from the Virtual Signer, or a smart contract that handles approvals. See the Approvals in API mode and Approvals via Smart Contracts sections for more information.

The machine you decide to run this on should be appropriately hardened (disk encryption turned on, SSH keys required, no root login, etc.).
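A quick way to confirm the SSH part of that hardening (root login disabled, key-based authentication only) before exposing the host is to check the effective sshd settings. The script below is an added example, not part of the io.vault documentation; it assumes OpenSSH keyword semantics (keywords are case-insensitive and the first uncommented occurrence wins) and that you point it at either sshd_config or the output of `sshd -T`.

```shell
#!/bin/sh
# Checks an sshd configuration for the settings this page requires:
# root login disabled and key-based authentication only.
# Added example; not part of the io.vault documentation.

# sshd_value FILE KEYWORD -> prints the effective value of KEYWORD in lower
# case, or nothing if it is not set. Comments are stripped first and only
# the first match counts, which is how sshd itself resolves duplicates.
# Match blocks are not interpreted; feed it `sshd -T` output to fold them in.
sshd_value() {
  sed -e 's/#.*//' "$1" \
    | grep -iE "^[[:space:]]*$2[[:space:]]+" \
    | head -n 1 \
    | awk '{print tolower($2)}'
}

# check_sshd_hardening FILE -> returns 0 if every required setting is
# correct, 1 otherwise; each problem is reported on stderr with the value found.
check_sshd_hardening() {
  rc=0
  v=$(sshd_value "$1" PermitRootLogin)
  [ "$v" = "no" ] || { echo "FAIL: PermitRootLogin=${v:-<unset>} (want no)" >&2; rc=1; }
  v=$(sshd_value "$1" PasswordAuthentication)
  [ "$v" = "no" ] || { echo "FAIL: PasswordAuthentication=${v:-<unset>} (want no)" >&2; rc=1; }
  v=$(sshd_value "$1" PubkeyAuthentication)   # OpenSSH defaults this to yes
  [ -z "$v" ] || [ "$v" = "yes" ] || { echo "FAIL: PubkeyAuthentication=$v (want yes)" >&2; rc=1; }
  return $rc
}

# Constructed sample (deliberately weak) to show what the check catches:
# the commented-out line has no effect, so root login stays enabled.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes
EOF
if check_sshd_hardening "$sample"; then echo "sshd: hardened"; else echo "sshd: NOT hardened"; fi
rm -f "$sample"
```

On a real host run `sudo sshd -T > /tmp/sshd-effective && check_sshd_hardening /tmp/sshd-effective`, so that included files and Match blocks are already resolved by sshd. This covers the configuration side only; the brute-force protection the list above asks for is usually a separate rate-limiting tool such as fail2ban watching the SSH log.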

Deployment Requirements

AWS Deployment

Minimal Hardware Requirements

  • AWS instance class C6A, Large (supports AMD SEV-SNP)
  • 8GB EBS storage
  • NAT Gateway for outbound connectivity

IAM Permissions Required

For CloudFormation deployment, you need an IAM user or role with the following permissions:

Core Services:

  • ec2:* - Create and manage EC2 instances, security groups, and network interfaces
  • ecs:* - Create and manage ECS clusters, services, and task definitions
  • iam:* - Create service roles and instance profiles
  • kms:* - Create and manage KMS keys for encryption
  • s3:* - Create and manage S3 buckets for storage
  • secretsmanager:* - Store and retrieve sensitive configuration
  • logs:* - Create CloudWatch log groups and streams

Networking:

  • vpc:* - Create and manage VPC, subnets, and route tables
  • elasticloadbalancing:* - Manage load balancers (if used)
  • route53:* - Manage DNS records (if using Route53)

CloudFormation Specific:

  • cloudformation:* - Create and manage stacks
  • ssm:* - Store parameters in Systems Manager

Monitoring and Management:

  • cloudwatch:* - Create dashboards and alarms
  • autoscaling:* - Manage auto-scaling groups
  • tag:* - Apply resource tags for cost allocation

Minimal IAM Policy Example:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:*",
        "ec2:*",
        "ecs:*",
        "iam:*",
        "kms:*",
        "s3:*",
        "secretsmanager:*",
        "logs:*",
        "ssm:*",
        "autoscaling:*"
      ],
      "Resource": "*"
    }
  ]
}

Note: For production deployments, follow the principle of least privilege and scope permissions to specific resources where possible.
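One way to catch the pattern the note warns about before a policy is attached is a small lint that flags service-wide wildcard actions combined with an unscoped resource, and to contrast it with a scoped statement. The script below is an added example, not part of the io.vault documentation. It is a grep-based text check rather than a JSON parser, and the scoped policy it constructs uses a placeholder account id and region and only shows the CloudFormation portion; a real deployment also needs the other services listed above, scoped the same way.

```shell
#!/bin/sh
# Lints an IAM policy document for the over-broad pattern in the example
# above: "service:*" actions combined with "Resource": "*".
# Added example; not part of the io.vault documentation. Text-based check
# (grep), not a JSON parser.

# lint_iam_policy FILE -> lists the service wildcards and flags an unscoped
# resource; returns 1 when both are present, 0 otherwise.
lint_iam_policy() {
  wild=$(grep -oE '"[a-z0-9-]+:\*"' "$1" | tr -d '"' | sort -u | tr '\n' ' ')
  unscoped=$(grep -cE '"Resource"[[:space:]]*:[[:space:]]*"\*"' "$1")
  [ -n "$wild" ] && echo "wildcard actions: $wild"
  [ "$unscoped" -gt 0 ] && echo 'unscoped resource: "*"'
  if [ -n "$wild" ] && [ "$unscoped" -gt 0 ]; then
    echo "RESULT: over-broad (wildcard actions on every resource)"
    return 1
  fi
  echo "RESULT: ok"
  return 0
}

# Constructed example of one statement scoped down: explicit CloudFormation
# actions limited to stacks whose name starts with "virtual-signer-".
# Account id 123456789012 and region us-east-1 are placeholders.
scoped=$(mktemp)
cat > "$scoped" <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateStack",
        "cloudformation:UpdateStack",
        "cloudformation:DeleteStack",
        "cloudformation:DescribeStacks"
      ],
      "Resource": "arn:aws:cloudformation:us-east-1:123456789012:stack/virtual-signer-*/*"
    }
  ]
}
EOF
lint_iam_policy "$scoped"
rm -f "$scoped"
```

Run `lint_iam_policy policy.json` against the minimal policy above and it reports every `service:*` entry together with the unscoped resource; against the scoped statement it reports ok. Scoping the remaining services is mostly a matter of replacing `"Resource": "*"` with the ARNs of the stack's own resources, with the KMS key and secrets being the ones most worth restricting first.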

Self-Hosted Deployment

Minimal Hardware Requirements

  • 4 CPU cores (8 recommended)
  • 8GB RAM (16GB recommended)
  • 100GB SSD storage
  • Ubuntu 20.04 LTS or compatible Linux distribution
  • Docker 20.10+ and Docker Compose 2.0+

Networking Requirements

You may deploy a firewall that allows outbound access only to the following trusted, TLS-enabled endpoints:

  • mqtt.vault.iofinnet.com, port 8084, TCP
  • api.iofinnet.com, port 443, TCP
  • Host and port defined by ExternalReshareApprovalURL in configuration if ApprovalMode is "API", TCP
  • Host and port defined by ExternalTransactionApprovalURL in configuration if ApprovalMode is "API", TCP
  • Host and port defined by ApprovalNodeRPCAddress in configuration if ApprovalMode is "SmartContract", TCP

For inbound access, open the TCP port defined by Port in the configuration. This is only required if Virtual Signer devices besides the initial one will be registered using the Virtual Signer API.
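The allow-list above can be turned into host firewall rules. The script below is an added example, not part of the io.vault documentation; it assumes ufw as the firewall, SSH on port 22, and that DNS to your resolvers is permitted separately (the page lists only the application endpoints). Because ufw rules take IP addresses, it resolves the hostnames at generation time and prints the commands for review rather than applying them.

```shell
#!/bin/sh
# Generates ufw commands for the egress allow-list on this page.
# Added example; not part of the io.vault documentation.
# Assumptions: ufw, SSH on 22, DNS to your resolvers allowed separately.

# resolve_host NAME -> one IPv4 address per line via the system resolver.
# Override this function (as the tests do) to supply fixed addresses.
resolve_host() {
  getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

# egress_rules INBOUND_PORT [HOST:PORT ...]
# Prints: default deny both ways, SSH in, the Virtual Signer API port in
# (pass "" to omit it), and outbound TCP only to the two fixed iofinnet
# endpoints plus any approval endpoints given as HOST:PORT (the host and
# port from ExternalReshareApprovalURL, ExternalTransactionApprovalURL or
# ApprovalNodeRPCAddress in your configuration).
egress_rules() {
  inbound_port=$1; shift
  echo "ufw default deny incoming"
  echo "ufw default deny outgoing"
  echo "ufw allow 22/tcp"
  [ -n "$inbound_port" ] && echo "ufw allow ${inbound_port}/tcp"
  for ep in mqtt.vault.iofinnet.com:8084 api.iofinnet.com:443 "$@"; do
    host=${ep%:*}; port=${ep##*:}
    addrs=$(resolve_host "$host")
    if [ -z "$addrs" ]; then
      echo "# WARNING: $host did not resolve; no egress rule emitted for it" >&2
      continue
    fi
    for a in $addrs; do
      echo "ufw allow out to $a port $port proto tcp"
    done
  done
}

# Demo: API port 8080 open for registering further devices, plus one
# constructed API-mode approval endpoint (hostname is a placeholder).
egress_rules 8080 approvals.example.internal:443
```

Review the output and then pipe it to `sh` on the host. The resolved addresses can change, so regenerate the rules on a schedule (or pin the endpoints to addresses your provider publishes) and watch for the WARNING line, which means an endpoint would otherwise be silently blocked.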