Prerequisites

The recommended system specification for deploying a Virtual Signer

This is what you will need to get up and running with a Virtual Signer linked to your io.vault.

  • A server that meets the minimum or recommended requirements below.
  • Firewalls and other appropriate security measures enabled. We recommend closing all inbound ports except SSH, or whichever port you need to access your instance remotely. Set up appropriate SSH brute-force protection and disable root logins.
  • An API key created from your io.vault dashboard, to be entered into the Virtual Signer's environment variable settings.
  • A webhook set up in your backend infrastructure to handle incoming approval request calls from the Virtual Signer, or a smart contract that handles approvals. See the Approvals in API mode and Approvals via Smart Contracts sections for more information.

Your machine should be appropriately hardened (disk encryption turned on, SSH keys required, no root login, etc.), and meet the following requirements:

Minimal Requirements

  • Linux OS. Ubuntu 22.04 LTS or greater with the latest security updates applied
  • Docker version 20.10+
  • 4GB RAM+ with swap
  • Intel Xeon CPU with SGX support (check here)
  • 20 GB+ SSD storage
  • Latest Intel microcode (BIOS update). This is automatically applied on Microsoft Azure.

On Azure, we have tested a minimal system with Standard_DC1s_v2 instances on a DCsv2-Type1 Dedicated Host.

This host type is able to run 6 isolated virtual signers, each in their own Standard_DC1s_v2 VM instance.
This offers great security, as it means that your signers will run within several layers of defense (SGX, the Docker container, the VM itself and the Dedicated Host).
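
The minimal requirements above can be checked on a candidate host before installing anything. The script below is an added example, not part of the io.vault tooling: it checks the OS, Docker, SGX, RAM and swap items from the list. The function names and the 3584 MiB memory floor (a 4 GB instance reports slightly less than 4096 MiB to the OS) are assumptions made for this example.

```sh
#!/bin/sh
# Preflight check against the minimal requirements above (added example).
# Thresholds come from the page; file paths are the standard Linux locations.

# version_ge A B: true if dotted version A >= B, comparing major.minor only.
version_ge() {
    a="$1.0"; b="$2.0"
    a_major=${a%%.*}; a=${a#*.}; a_minor=${a%%[!0-9]*}
    b_major=${b%%.*}; b=${b#*.}; b_minor=${b%%[!0-9]*}
    [ "$a_major" -gt "$b_major" ] ||
        { [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -ge "$b_minor" ]; }
}

# cpu_has_sgx FILE: true if the cpuinfo flags line lists "sgx" (not only sgx_lc).
cpu_has_sgx() {
    grep -Eq '^flags[[:space:]]*:.*[[:space:]]sgx([[:space:]]|$)' "$1"
}

# mem_mib FILE / swap_present FILE: read a /proc/meminfo-style file.
mem_mib() { awk '/^MemTotal:/ {print int($2 / 1024)}' "$1"; }
swap_present() { awk '/^SwapTotal:/ && $2 > 0 {ok = 1} END {exit !ok}' "$1"; }

# os_field FILE KEY: print the unquoted value of KEY from an os-release-style file.
os_field() { sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p" "$1"; }

# check LABEL CMD...: run CMD, print PASS/FAIL, count failures in $fails.
check() {
    label=$1; shift
    if "$@"; then echo "PASS: $label"; else echo "FAIL: $label"; fails=$((fails + 1)); fi
}

# preflight: run every check on this host; returns the number of failures.
preflight() {
    fails=0
    os_v=$(os_field /etc/os-release VERSION_ID)
    docker_v=$(docker version --format '{{.Server.Version}}' 2>/dev/null)
    check "Ubuntu"               test "$(os_field /etc/os-release ID)" = ubuntu
    check "OS version >= 22.04"  version_ge "${os_v:-0}" 22.04
    check "Docker >= 20.10"      version_ge "${docker_v:-0}" 20.10
    check "CPU exposes SGX"      cpu_has_sgx /proc/cpuinfo
    # 3584 MiB is an assumed floor for a nominal 4 GB machine.
    check "RAM >= 4 GB nominal"  test "$(mem_mib /proc/meminfo)" -ge 3584
    check "Swap configured"      swap_present /proc/meminfo
    return "$fails"
}

# Run the checks only when invoked as: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then preflight; exit $?; fi
```

The SGX check relies on the kernel listing the `sgx` flag in /proc/cpuinfo, which also requires SGX to be enabled in the BIOS; microcode level and storage are not covered here.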

Recommended Requirements for High-Throughput

  • Linux OS. Ubuntu 22.04 LTS or greater with the latest security updates applied
  • Docker version 20.10+
  • 8GB RAM+ with swap
  • 8-core+ Intel Xeon CPU with SGX support, such as Intel Xeon E-2288G (check here)
  • 20 GB+ SSD storage
  • Latest Intel microcode (BIOS update). This is automatically applied on Microsoft Azure.

On Azure, we have tested a recommended system with a Standard_DC2s_v2 instance on a DCsv2-Type1 Dedicated Host.

This host type is able to host 3 isolated virtual signers, each in their own Standard_DC2s_v2 VM instance.

As with the minimal requirements above, it's best not to share VM instances for security reasons. If you prefer, you can still host several Virtual Signers on one VM instance and share its resources.

Networking Requirements

You may deploy a firewall that allows outbound access only to the following trusted, TLS-enabled endpoints:

  • mqtt.vault.iofinnet.com, port 8084, TCP
  • api.iofinnet.com, port 443, TCP
  • Host and port defined by ExternalReshareApprovalURL in configuration if ApprovalMode is "API", TCP
  • Host and port defined by ExternalTransactionApprovalURL in configuration if ApprovalMode is "API", TCP
  • Host and port defined by ApprovalNodeRPCAddress in configuration if ApprovalMode is "SmartContract", TCP

For inbound access, enable the TCP port defined by Port in configuration. This is only required if new Virtual Signer devices besides the initial one will be registered using the Virtual Signer API.