Prerequisites
The recommended system specification for deploying a Virtual Signer
This is what you will need to get up and running with a Virtual Signer linked to your io.vault.
- A server that meets the minimum or recommended requirements below.
- Firewalls and other appropriate security measures enabled. We recommend disabling all incoming ports except SSH or whichever you need to access your instance remotely. Set up appropriate SSH brute force protection and disable root logins.
- An API key created from your io.vault dashboard to be entered into the environment variables settings of the Virtual Signer.
- A web hook set up in your backend infrastructure to handle incoming approval request calls from the Virtual Signer, or a smart contract that handles approvals. See the Approvals in API mode and Approvals via Smart Contracts sections for more information.
The machine you decide to run this on should be appropriately hardened (disk encryption turned on, SSH keys required, no root login, etc.).
Deployment Requirements
AWS Deployment
Minimal Hardware Requirements
- AWS instance class C6A, Large (supports AMD SEV-SNP)
- 8GB EBS storage
- NAT Gateway for outbound connectivity
IAM Permissions Required
For CloudFormation deployment, you need an IAM user or role with the following permissions:
Core Services:
- ec2:* - Create and manage EC2 instances, security groups, and network interfaces
- ecs:* - Create and manage ECS clusters, services, and task definitions
- iam:* - Create service roles and instance profiles
- kms:* - Create and manage KMS keys for encryption
- s3:* - Create and manage S3 buckets for storage
- secretsmanager:* - Store and retrieve sensitive configuration
- logs:* - Create CloudWatch log groups and streams
Networking:
- vpc:* - Create and manage VPC, subnets, and route tables
- elasticloadbalancing:* - Manage load balancers (if used)
- route53:* - Manage DNS records (if using Route53)
CloudFormation Specific:
- cloudformation:* - Create and manage stacks
- ssm:* - Store parameters in Systems Manager
Monitoring and Management:
- cloudwatch:* - Create dashboards and alarms
- autoscaling:* - Manage auto-scaling groups
- tag:* - Apply resource tags for cost allocation
Minimal IAM Policy Example:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:*",
        "ec2:*",
        "ecs:*",
        "iam:*",
        "kms:*",
        "s3:*",
        "secretsmanager:*",
        "logs:*",
        "ssm:*",
        "autoscaling:*"
      ],
      "Resource": "*"
    }
  ]
}
Note: For production deployments, follow the principle of least privilege and scope permissions to specific resources where possible.
Self-Hosted Deployment
Minimal Hardware Requirements
- 4 CPU cores (8 recommended)
- 8GB RAM (16GB recommended)
- 100GB SSD storage
- Ubuntu 20.04 LTS or compatible Linux distribution
- Docker 20.10+ and Docker Compose 2.0+
Networking Requirements
You may deploy a firewall to enable outbound access only to the following trusted and TLS-enabled endpoints:
- mqtt.vault.iofinnet.com, port 8084, TCP
- api.iofinnet.com, port 443, TCP
- Host and port defined by ExternalReshareApprovalURL in configuration if ApprovalMode is "API", TCP
- Host and port defined by ExternalTransactionApprovalURL in configuration if ApprovalMode is "API", TCP
- Host and port defined by ApprovalNodeRPCAddress in configuration if ApprovalMode is "SmartContract", TCP
For inbound access, enable the port defined by Port in configuration, TCP. That is only required if new Virtual Signer devices besides the initial one will be registered using the Virtual Signer API.
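As an added example (not part of the io.vault documentation or of the Virtual Signer itself), the script below derives the outbound allowlist from the configuration keys listed above and renders a drop-by-default nftables output chain for it. It assumes that an approval URL without an explicit port uses 443 and that names are resolved with the host's own DNS; every configuration value and address used when exercising it is constructed.

```python
import socket
from urllib.parse import urlparse

# Endpoints every Virtual Signer needs, taken from the networking requirements above.
FIXED_EGRESS = {("mqtt.vault.iofinnet.com", 8084), ("api.iofinnet.com", 443)}


def host_port(value: str, default_port: int) -> tuple[str, int]:
    """Split a URL or bare host:port into (host, port); default_port applies when none is given."""
    parsed = urlparse(value if "://" in value else f"//{value}")
    if not parsed.hostname:
        raise ValueError(f"cannot parse a host from {value!r}")
    return parsed.hostname, parsed.port or default_port


def required_egress(config: dict) -> set[tuple[str, int]]:
    """Return every (host, port) the firewall must allow outbound for this configuration."""
    allow = set(FIXED_EGRESS)
    mode = config.get("ApprovalMode")
    if mode == "API":  # both approval web hooks must be reachable
        for key in ("ExternalReshareApprovalURL", "ExternalTransactionApprovalURL"):
            allow.add(host_port(config[key], 443))  # assumption: 443 when the URL has no port
    elif mode == "SmartContract":  # only the approval node's RPC endpoint is needed
        allow.add(host_port(config["ApprovalNodeRPCAddress"], 443))
    else:
        raise ValueError(f"unsupported ApprovalMode {mode!r}")
    return allow


def nft_rules(allow: set[tuple[str, int]], resolve=None) -> str:
    """Render an nftables output chain: drop by default, accept only the allowlisted TCP endpoints.
    nft needs literal addresses, so each name is resolved first (default: system DNS)."""
    if resolve is None:
        def resolve(host):  # IPv4 addresses the name currently points to
            return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None, socket.AF_INET)})
    lines = [
        "table inet signer_egress {",
        "  chain output {",
        "    type filter hook output priority 0; policy drop;",
        "    oif lo accept",
        "    ct state established,related accept",  # replies to inbound SSH/API stay allowed
        '    udp dport 53 accept comment "DNS for the names below"',
    ]
    for host, port in sorted(allow):
        addrs = ", ".join(resolve(host))
        lines.append(f'    ip daddr {{ {addrs} }} tcp dport {port} accept comment "{host}"')
    lines += ["  }", "}"]
    return "\n".join(lines)
```

Load the rendered text with `nft -f`; because the chain drops everything else, add rules for any other traffic the host needs (package updates, NTP) before enabling it, and reload whenever the provider's addresses change.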