<home>/kms.yaml, at startup. Relative paths anywhere in the file resolve against the --home directory. Validation runs at kms start; a rejected field is named in the error.
For task-shaped setup, see Configure a signing backend; this page is the complete field list.
chains
Declares one chain to sign for. One entry per chain.validators
Declares one outbound connection to a validator node’s privval listener. A chain can have multiple entries, for example a primary and a backup node.keys
Binds one signing key to one or more chains. Each chain must be backed by exactly one key. Thebackend field selects the custodian, and the remaining fields depend on it; fields belonging to other backends are ignored.
Fields shared by every backend:
Consensus signing supports
ed25519 on every backend, secp256k1 on the AWS KMS backend, and secp256k1eth and mldsa65 on the file backend. The algorithm name mldsa65 has no underscores; the chain-side key type ml_dsa_65 does.
backend: file
A key read from disk into memory. Development and testing only; the key is held in plaintext.backend: pkcs11
A key on a PKCS#11 token or HSM. Signing happens on-device; the signer uses an existing key and never generates or imports one.backend: awskms
A key held in AWS KMS. Signing happens through the KMS Sign API; credentials resolve through the AWS default credential chain, and no secret material appears in the config.grpc
Optional. When present, the signer also serves the SignerService gRPC API alongside privval. Its usage documentation ships with the interoperability release; the fields are listed here for completeness.
Each
grpc.keys entry:
Constraints checked at startup
- Every
validators[].chain_idand every entry inkeys[].chain_idsmust match a declaredchains[].id. - Each chain must be backed by exactly one key.
- PKCS#11 keys must select the token with exactly one of
token_labelorslot, select the key withkey_labelorkey_id, and supply exactly one PIN source.
Next steps
- Task-shaped backend setup. See Configure a signing backend.
- First-time setup end to end. See Remote signing tutorial.