Virtual Signer

The Virtual Signer is a server-side application that uses Multi-Party Computation (MPC) and can run within AMD SEV-SNP secure enclaves on AWS or self-hosted on bare metal hardware. It automates digital signature operations by collaborating with other MPC devices, maintaining high security while supporting automated workflows without exposing private keys.

It integrates with io.vault and io.network, coordinating with onboarded devices to securely generate key shares, reshuffle keys, and sign transactions. Approvals can be configured through API calls, smart contracts, or biometric confirmations via the io.vault mobile app – enabling a seamless, policy-driven signing process.

Deployment Options

The Virtual Signer supports two deployment models:

AWS Deployment: Runs within AMD SEV-SNP secure enclaves. Secure enclaves (also known as TEEs) are hardened environments where the application code, its memory and data are inaccessible from outside the program. AMD SEV-SNP provides hardware-based memory encryption and attestation.

To deploy on AWS, navigate to our Deploy on AWS page to generate a runnable CloudFormation template for your account.

Self-Hosted Deployment: Runs on standard bare metal hardware without requiring special security enclaves. While this deployment model doesn't provide hardware-based memory encryption, it offers full control over the infrastructure and is suitable for development environments or scenarios where hardware security is managed through other means.

In both deployment models, the Virtual Signer reads and writes sensitive data, including private keys and private shares, with encryption at rest and secure key management practices.

For more information on AMD SEV-SNP see AMD SEV-SNP for Amazon EC2 instances. For self-hosted deployment instructions, see Deploy Self-Hosted.

Transaction Flow

Let us consider 3 operations of the Virtual Signer: key generation, resharing and signing.

In each operation, the Virtual Signer queries a backend to fetch requests waiting for approval. The Virtual Signer, in turn, forwards each request to an external application (external API or io.network Smart Contract) for approval or rejection. A successful reply is considered an approval vote.

Once quorum is formed by collecting enough approvals, the io.vault makes the operation available to the Virtual Signer. The operation is performed by multiple parties, which may be a combination of Virtual Signer devices and/or mobile devices. All of these devices must have approvals locally registered through either the API approver, Smart Contract or human biometric verification via the io.vault apps.

For example, an io.network transaction may be approved by one or more Virtual Signers, or it may rely entirely on manual approvals from mobile devices. The requirements for a vault depend on the vault's configuration, managed through app.iofinnet.com.

The Virtual Signer retrieves the corresponding transaction request, participates in MPC-TSS with the approved devices to generate a signature for the transaction, and sends it to the backend, which broadcasts the signed transaction to the target blockchain.

Finally, resharing is the action of reshuffling the shares to bring in new signers, or remove ones that are no longer needed. This keep the existing private key, but key shares are re-created across the devices. This action is performed on the io.vault web dashboard, or via our API.

Approval Modes

The Virtual Signer supports several Policy Modes when processing transactions.