Self-Hosting

Virtual Signer infrastructure for self-hosted deployments

The Virtual Signer self-hosted deployment provides a flexible, Docker-based architecture that runs on standard bare metal Linux servers. This deployment model offers complete infrastructure control while maintaining robust security through software-based protection mechanisms and industry best practices.

Key Components

The self-hosted Virtual Signer infrastructure operates as a containerised application with several integrated components working together to provide secure signing capabilities without requiring specialised hardware.

Container Architecture

The infrastructure centres on Docker containers which provide application isolation and consistent deployment across different environments. The Virtual Signer runs as a single container with configurable resource limits, ensuring predictable performance and preventing resource exhaustion. Docker Compose orchestrates the container lifecycle, managing configuration, networking, and volume mounts through declarative YAML specifications. The container runtime provides process isolation, namespace separation, and cgroup-based resource management.

Networking Layer

The networking infrastructure operates through Docker bridge networks which provide network isolation between containers and the host system. Port mappings expose only the necessary services, with the Virtual Signer API typically on port 8180 and Prometheus metrics on port 9480. Firewall configuration using iptables or UFW restricts access to authorised sources, implementing defence-in-depth network security. All outbound connections use standard TCP protocols to communicate with io.vault services and blockchain endpoints.

Storage Layer

The storage architecture relies on host-mounted volumes that persist data between container restarts and updates. Three primary volumes handle different data types: the data volume stores encrypted keys and operational state, the logs volume maintains audit trails and debugging information, and the config volume holds runtime configuration and environment-specific settings. File system encryption using LUKS or similar technologies provides encryption at rest for sensitive data on the host system.
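The three layers above (container, network, storage) meet in the Docker Compose file. The following is an added example, not the project's own Compose file: the image name, the in-container paths, the host volume paths under /srv/virtual-signer, the environment file and the two host addresses are all assumptions; the ports (8180 API, 9480 metrics), the three volumes and the 8-core / 16 GB production sizing are taken from this page.

```yaml
# docker-compose.yml (added example; names and paths are placeholders)
services:
  virtual-signer:
    # Pin a tested release tag; a mutable "latest" tag defeats rollback and change control.
    image: REPLACE_WITH_VIRTUAL_SIGNER_IMAGE:REPLACE_WITH_VERSION
    container_name: virtual-signer
    restart: unless-stopped

    # Publish only the two documented services, each on a specific host address
    # (assumed: 10.0.1.10 = API network, 10.0.2.10 = monitoring network) rather
    # than on 0.0.0.0, so the API is not reachable from every host interface.
    ports:
      - "10.0.1.10:8180:8180"   # Virtual Signer API
      - "10.0.2.10:9480:9480"   # Prometheus metrics

    # The three host-mounted volumes from the Storage Layer section. The host
    # directories are expected to sit on a LUKS-encrypted filesystem. The
    # in-container mount points are assumed, not the image's documented paths.
    volumes:
      - /srv/virtual-signer/data:/var/lib/virtual-signer      # encrypted keys, operational state
      - /srv/virtual-signer/logs:/var/log/virtual-signer      # audit trail, debug logs
      - /srv/virtual-signer/config:/etc/virtual-signer:ro     # runtime configuration (read-only)
    env_file:
      - /srv/virtual-signer/config/virtual-signer.env         # assumed file holding secrets/env

    # Resource ceiling per the Compute Resources section (8 cores / 16 GB for
    # production); the reservation keeps it off an undersized host.
    deploy:
      resources:
        limits:
          cpus: "8"
          memory: 16g
        reservations:
          cpus: "4"
          memory: 8g

    # Container hardening: immutable root filesystem, no privilege escalation,
    # no Linux capabilities unless the image documents needing one.
    read_only: true
    tmpfs:
      - /tmp
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    ulimits:
      nofile:
        soft: 65536
        hard: 65536

    # Local rotation so container stdout cannot fill the host disk; ship the
    # volume-mounted audit logs with your aggregator separately.
    logging:
      driver: json-file
      options:
        max-size: "50m"
        max-file: "10"

    networks:
      - signer-net

# Dedicated bridge network: the container only shares this network with
# services you attach to it, not with every other container on the host.
networks:
  signer-net:
    driver: bridge
```

Validate the file with `docker compose config` before bringing it up. One caveat when pairing this with the iptables or UFW rules mentioned above: traffic to a published port passes through Docker's own FORWARD-chain rules, not the host's INPUT chain that UFW manages by default, so rules written only for INPUT do not restrict 8180 or 9480. Place source restrictions for published ports in the DOCKER-USER chain, which Docker leaves for the administrator and evaluates before its own rules, and keep the host-address binding above as a second, independent limit.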

Security Layer

Self-hosted deployments can optionally use AMD SEV-SNP, available on AMD EPYC server processors, to encrypt the Virtual Signer's memory under a hardware root of trust. Where that option is not taken, protection rests on the software-based measures described in the next section.

Software-Based Security Model

Without hardware security enclaves like AMD SEV-SNP, self-hosted deployments rely on comprehensive software security measures to protect sensitive operations.

Encryption Architecture

The Virtual Signer implements multiple encryption layers to protect data throughout its lifecycle. Application-level encryption ensures all sensitive data is encrypted before storage using industry-standard algorithms. TLS/SSL communication secures all network traffic between the Virtual Signer and external services. Key derivation functions protect stored keys using strong password-based encryption when hardware security modules are unavailable. Encrypted volumes at the host level provide an additional protection layer for data at rest.

Access Control

Access control mechanisms ensure only authorised operations can be performed. API authentication using client certificates or API keys validates all incoming requests. Role-based access control limits operations based on the authenticated entity's permissions. IP allowlisting through firewall rules restricts network access to known sources. Rate limiting prevents abuse and protects against denial-of-service attempts.

Audit and Compliance

Comprehensive logging and monitoring support security auditing and compliance requirements. Structured logging in JSON format enables automated log analysis and threat detection. Immutable audit trails record all security-relevant events including authentication attempts, key operations, and configuration changes. Log rotation and archival policies ensure logs are retained according to compliance requirements while managing disk space. Security event correlation identifies potential threats through pattern analysis across multiple log sources.

Infrastructure Requirements

Self-hosted deployments require careful consideration of infrastructure capabilities to ensure reliable operation.

Compute Resources

The Virtual Signer requires sufficient CPU and memory resources for cryptographic operations. A minimum of 4 CPU cores handles basic workloads, though 8 cores are recommended for production environments with higher transaction volumes. Memory requirements start at 8GB RAM for development environments, with 16GB recommended for production to handle peak loads and provide headroom for the operating system and monitoring tools. The container's resource limits should be configured to prevent any single instance from exhausting host resources.

Network Infrastructure

Reliable network connectivity is essential for MPC coordination and blockchain interactions. Low-latency connections to io.vault services ensure timely participation in multi-party computations. Stable internet connectivity prevents disruptions during critical signing operations. Sufficient bandwidth handles both regular operations and periodic peaks during key generation or resharing events. Network redundancy through multiple internet connections or failover mechanisms improves availability.

Storage Performance

Storage performance impacts both operational efficiency and recovery capabilities. SSD storage provides the IOPS necessary for responsive key operations and log writing. Sufficient capacity accommodates growth in stored keys, operational data, and retained logs. Regular backups to separate storage systems enable disaster recovery. Storage redundancy through RAID or similar technologies protects against disk failures.

Monitoring and Observability

Self-hosted deployments expose comprehensive metrics while requiring external systems for aggregation and visualisation.

Prometheus Metrics

Each Virtual Signer instance exposes Prometheus-compatible metrics on a dedicated port, providing real-time operational visibility. Application metrics track signing operations, key generation, reshare participation, and vault synchronisation status. Performance metrics measure request latency, operation duration, queue depths, and throughput rates. Resource metrics monitor container CPU usage, memory consumption, file descriptor usage, and network connections. Security metrics count authentication attempts, authorisation decisions, policy evaluations, and detected anomalies.

External Monitoring Systems

Self-hosted deployments require external monitoring infrastructure for metrics aggregation and alerting. Prometheus Server deployment on separate infrastructure scrapes metrics from Virtual Signer instances at regular intervals. Grafana dashboards visualise metrics with customisable panels showing operational health, performance trends, and security events. AlertManager processes alerting rules to notify operators of critical conditions, performance degradation, or security concerns. Time-series databases like InfluxDB or TimescaleDB provide long-term metrics storage for capacity planning and trend analysis.
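As an added example of the external Prometheus side described above (not configuration shipped by the project), here is a scrape configuration for two Virtual Signer instances together with a small alerting-rules file. The instance addresses, the AlertManager address and the file paths are assumptions; port 9480 is the metrics port stated on this page. The `up` series is generated by Prometheus itself, so the first alert needs no knowledge of the signer's metric names; the counter in the second alert is an assumed name to be replaced with the authentication-attempt metric your build actually exports.

```yaml
# /etc/prometheus/prometheus.yml (added example; addresses are placeholders)
global:
  scrape_interval: 15s
  evaluation_interval: 15s

rule_files:
  - /etc/prometheus/rules/virtual-signer.rules.yml

alerting:
  alertmanagers:
    - static_configs:
        - targets: ["alertmanager.monitoring.internal:9093"]   # assumed address

scrape_configs:
  - job_name: virtual-signer
    metrics_path: /metrics
    static_configs:
      - targets:
          - "10.0.2.10:9480"   # assumed: signer-a, metrics interface
          - "10.0.2.11:9480"   # assumed: signer-b, metrics interface
        labels:
          vault: "vault-prod"  # assumed label for the vault both instances serve

---
# /etc/prometheus/rules/virtual-signer.rules.yml (added example)
groups:
  - name: virtual-signer
    rules:
      # Instance failed or is unreachable: a second signer keeps the vault operating
      # (High Availability section), but the operator still needs to know at once.
      - alert: VirtualSignerDown
        expr: up{job="virtual-signer"} == 0
        for: 2m
        labels:
          severity: critical
        annotations:
          summary: "Virtual Signer {{ $labels.instance }} has not answered scrapes for 2 minutes"

      # Every configured target has vanished from the job (e.g. broken scrape config).
      - alert: VirtualSignerJobAbsent
        expr: absent(up{job="virtual-signer"})
        for: 5m
        labels:
          severity: critical
        annotations:
          summary: "No Virtual Signer targets are being scraped"

      # Sustained rate of failed authentication attempts against the API.
      # virtual_signer_auth_failures_total is an ASSUMED metric name.
      - alert: VirtualSignerAuthFailureSpike
        expr: sum by (instance) (rate(virtual_signer_auth_failures_total[5m])) > 1
        for: 5m
        labels:
          severity: warning
        annotations:
          summary: "{{ $labels.instance }} is rejecting more than 1 authentication/s over 5 minutes"
```

Check the rules file with `promtool check rules /etc/prometheus/rules/virtual-signer.rules.yml` and the main file with `promtool check config /etc/prometheus/prometheus.yml` before reloading. Keep the Prometheus server on the monitoring network only, so that the metrics port is reachable from the scraper and from nothing else.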

Log Management

Centralised log management enables effective troubleshooting and security analysis. Log aggregation tools like Elasticsearch, Fluentd, or Loki collect logs from multiple Virtual Signer instances. Log analysis platforms provide search capabilities, pattern detection, and correlation across different log sources. Log retention policies balance storage costs with compliance requirements and operational needs. Security information and event management (SIEM) integration enables advanced threat detection and incident response.

Deployment Considerations

Self-hosted deployments offer flexibility but require careful planning and ongoing operational management.

High Availability

Achieving high availability in self-hosted environments requires redundancy at multiple levels. Multiple Virtual Signer instances participate in the same vault to ensure continued operation if one instance fails. Geographic distribution across different data centres or availability zones protects against site failures. Load balancing distributes requests across healthy instances while detecting and removing failed nodes. Automated failover mechanisms minimise downtime during infrastructure maintenance or unexpected failures.

Scaling Strategies

Self-hosted deployments must plan for capacity growth and peak demands. Vertical scaling through hardware upgrades provides immediate capacity increases but has practical limits. Horizontal scaling by adding Virtual Signer instances offers better long-term scalability and redundancy. Resource monitoring identifies bottlenecks before they impact service availability. Capacity planning based on growth projections ensures infrastructure keeps pace with demand.

Backup and Recovery

Comprehensive backup strategies protect against data loss and enable disaster recovery. Regular automated backups capture Virtual Signer data, configuration, and logs at scheduled intervals. Backup verification through test restores ensures backups are valid and complete. Offsite backup storage protects against site disasters and provides geographic redundancy. Recovery procedures documented and tested regularly minimise downtime during restoration. Point-in-time recovery capabilities enable restoration to specific moments before issues occurred.

Cost Considerations

Self-hosted deployments involve different cost structures compared to cloud deployments.

Infrastructure Costs

Hardware procurement represents upfront capital expenditure for servers, networking equipment, and storage systems. Data centre costs include rack space, power, cooling, and network connectivity. Redundant infrastructure doubles certain costs to achieve high availability. Upgrade cycles require periodic hardware refresh to maintain performance and security.

Operational Costs

Personnel costs for system administrators, security engineers, and operations staff represent ongoing expenses. Monitoring tools and log management platforms may require licensing fees. Security tools including vulnerability scanners and SIEM systems add to operational overhead. Compliance audits and certifications involve both internal effort and external assessor fees.

Total Cost of Ownership

Organisations must evaluate the complete cost picture when choosing self-hosted deployment. Existing infrastructure utilisation can reduce incremental costs for organisations with available capacity. Compliance requirements may mandate on-premises deployment regardless of cost considerations. Operational expertise within the organisation affects the resources needed for successful deployment. Scale considerations determine whether self-hosting becomes more economical than cloud deployment at certain volumes.

Security Best Practices

Self-hosted deployments must implement comprehensive security measures to protect against threats.

Host Hardening

The underlying host system requires security hardening before deploying the Virtual Signer. Operating system hardening includes disabling unnecessary services, removing default accounts, and applying security patches promptly. Kernel security modules like SELinux or AppArmor provide mandatory access controls and prevent privilege escalation. Intrusion detection systems monitor for suspicious activity and unauthorised changes. Regular security updates through automated patch management keep systems protected against known vulnerabilities.

Network Security

Network security controls protect the Virtual Signer from external threats. Network segmentation isolates the Virtual Signer in dedicated network zones with controlled access. Deep packet inspection identifies and blocks malicious traffic patterns. DDoS protection prevents volumetric attacks from overwhelming the service. VPN access for administrative operations ensures management traffic is encrypted and authenticated.

Operational Security

Operational practices maintain security throughout the deployment lifecycle. Access reviews regularly verify that only authorised personnel have system access. Security scanning identifies vulnerabilities in containers, dependencies, and configurations. Incident response procedures ensure rapid containment and recovery from security events. Security training keeps operations staff aware of threats and best practices.

Migration and Upgrades

Self-hosted deployments require careful planning for migrations and upgrades to maintain service availability.

Version Management

Container image versioning ensures deployments use tested, stable releases pinned by explicit tag rather than the mutable latest tag. Rollback capabilities enable quick reversion to previous versions if issues arise. Staging environments validate new versions before production deployment. Change management processes control when and how updates are applied.

Data Migration

Backup before migration ensures recovery options if migration encounters issues. Migration testing in non-production environments validates procedures and identifies potential problems. Incremental migration approaches minimise risk by moving workloads gradually. Validation procedures confirm data integrity and functionality after migration.
