Cloud Signer (KMS)

Sign transactions locally (for legacy wallets)

We offer a Key Management Server (KMS) that keeps ownership and control of the private keys for all assets in custody with the client. The KMS guarantees that Finrock's backend servers cannot access any private key, mnemonic phrase, or wallet seed at any time.

Hosted on the client’s infrastructure, preferably within environments like AWS or Azure, the KMS performs all signing tasks securely. This setup ensures that private keys remain within the client’s controlled environment, never exposing them externally. This provides an uncompromised level of security for asset management and transactions.

EGRESS ONLY

The server or VM where the KMS is deployed must allow outbound (egress) traffic only. All inbound (INGRESS) traffic must be blocked for every source address, whether LAN, MAN, or WAN.
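As an added example (not part of Finrock's documentation or software), the following Python function audits an `iptables -S` dump for the egress-only rule above: the INPUT chain must drop by default (or end in a catch-all DROP/REJECT), and the only inbound ACCEPT rules allowed are loopback and replies to connections the signer itself opened toward the Finrock API. The three rulesets are constructed samples, not captures from a real host.

```python
import re

# Constructed sample rulesets in `iptables -S` format (not captured from a real host).
EGRESS_ONLY_RULES = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
"""

# Same intent, but expressed with an ACCEPT policy closed by a final REJECT rule.
CLOSED_BY_RULE = """\
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
"""

# Violates the requirement: open policy plus an inbound SSH allowance.
LEAKY_RULES = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
"""

# Inbound rules that do not violate "egress only": loopback, and replies to
# connections the host itself initiated (the signer's outbound calls to the API).
ALLOWED_INPUT = (
    re.compile(r"^-A INPUT -i lo -j ACCEPT$"),
    re.compile(r"^-A INPUT -m (?:conntrack --ctstate|state --state) "
               r"(?:RELATED,ESTABLISHED|ESTABLISHED,RELATED) -j ACCEPT$"),
)
# A final unconditional deny closes an INPUT chain whose policy is still ACCEPT.
CATCH_ALL_DENY = re.compile(r"^-A INPUT -j (?:DROP|REJECT)(?: .*)?$")


def audit_egress_only(rules_dump: str) -> list[str]:
    """Return a list of findings for one `iptables -S` dump; an empty list means
    the filter table's INPUT chain satisfies the egress-only requirement."""
    findings: list[str] = []
    input_policy = "ACCEPT"  # iptables' own default when no -P line is present
    has_catch_all_deny = False
    for raw in rules_dump.splitlines():
        line = raw.strip()
        if line.startswith("-P INPUT "):
            input_policy = line.split()[2]
        elif line.startswith("-A INPUT "):
            if CATCH_ALL_DENY.match(line):
                has_catch_all_deny = True
            elif line.endswith("-j ACCEPT") and not any(p.match(line) for p in ALLOWED_INPUT):
                findings.append(f"inbound ACCEPT rule permits ingress: {line}")
    if input_policy != "DROP" and not has_catch_all_deny:
        findings.append(
            f"INPUT policy is {input_policy} and no catch-all DROP/REJECT rule closes the chain"
        )
    return findings


if __name__ == "__main__":
    for name, dump in (("egress-only", EGRESS_ONLY_RULES),
                       ("closed-by-rule", CLOSED_BY_RULE),
                       ("leaky", LEAKY_RULES)):
        print(name, audit_egress_only(dump) or "OK")
```

On the signer host, feed it the live ruleset with `audit_egress_only(subprocess.check_output(["iptables", "-S"], text=True))`. The check covers only the filter table's INPUT chain; publishing container ports with `docker run -p` would add Docker's own DOCKER/FORWARD rules, which is why the run commands on this page publish no ports at all.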

The Cloud Signer (KMS) is available as a Docker container on Docker Hub:

docker pull finrock/ng-signer

Config.json file

Legacy wallet (signer_node "LEGACY"):

{
  "finrock_host": "https://sapi.finrock.io", // optional
  "signer_node": "LEGACY", // optional & defaults to Legacy
  "signer_id": "2df047e7-xxxxx-xxx-xxxxx-77673f0be16c", // Required
  "rsa_prv_key": "ras-----xx", // Required
  "srds": [
    "YW1vdW50IGFixxxxxxxxxxxxxxxxxxxyIG1vb24=",
    "YW11c2VkIGFiYW5kbxxxxxxxxxxxxRyZXNzIGdyZWF0"
  ]
}

MPC wallet (signer_node "MPC"):

{
  "finrock_host": "https://sapi.finrock.io",
  "signer_node": "MPC",
  "signer_id": "2df047e7-xxxxx-xxx-xxxxx-77673f0be16c",
  "rsa_prv_key": "ras-----xx",
  "passphrase": "your-secret-password"
}

The "// optional" and "// Required" annotations are notes for this page only; JSON does not allow comments, so leave them out of the actual config.json.

Starting Signer (detached container)

Use this mode to sign transactions. The software runs as a service and must be supplied with a config file mounted into the Docker container read-only.

Running with [docker run] command

Legacy wallet (only config.json is mounted):

docker run -d --restart always --name finrock \
  -v "$(pwd)"/config.json:/app/config.json:ro \
  finrock/ng-signer

With a keystore directory (MPC wallet; both mounts read-only):

docker run -d --restart always --name finrock \
  -v "$(pwd)"/config.json:/app/config.json:ro \
  -v "$(pwd)"/keystore:/app/keystore:ro \
  finrock/ng-signer

Running as [docker-compose]

Legacy wallet (only config.json is mounted):

version: '3'
services:
  signer:
    image: finrock/ng-signer
    container_name: finrock
    restart: always
    volumes:
      - ./config.json:/app/config.json:ro

With a keystore directory (MPC wallet; both mounts read-only):

version: '3'
services:
  signer:
    image: finrock/ng-signer
    container_name: finrock
    restart: always
    volumes:
      - ./config.json:/app/config.json:ro
      - ./keystore:/app/keystore:ro

Removing Signer

docker rm finrock -f

ENVs

Variable                 Wallet type   Type      Description / default value
FINROCK_SIGNER_MODE      Both          ENUM      LEGACY or MPC
FINROCK_SIGNER_ID        Both          uuid      Unique ID for the signer, issued by Finrock
FINROCK_RSA_PRV_KEY      Both          rsa-key   RSA private key
FINROCK_PASSPHRASE       MPC           string    Passphrase used to encrypt the MPC keystore
FINROCK_MNEMONIC_PHRASE  Legacy        string    12-word seed phrase
FINROCK_SECRET           Legacy        string    Encrypted mnemonic phrase
FINROCK_API_HOST         Both          string    https://sapi.finrock.io [Default]