Skip to main content
The signer reads one file, <home>/kms.yaml, at startup. Relative paths anywhere in the file resolve against the --home directory. Validation runs at kms start; a rejected field is named in the error. For task-shaped setup, see Configure a signing backend; this page is the complete field list.

chains

Declares one chain to sign for. One entry per chain.

validators

Declares one outbound connection to a validator node’s privval listener. A chain can have multiple entries, for example a primary and a backup node.

keys

Binds one signing key to one or more chains. Each chain must be backed by exactly one key. The backend field selects the custodian, and the remaining fields depend on it; fields belonging to other backends are ignored. Fields shared by every backend: Consensus signing supports ed25519 on every backend, secp256k1 on the AWS KMS backend, and secp256k1eth and mldsa65 on the file backend. The algorithm name mldsa65 has no underscores; the chain-side key type ml_dsa_65 does.

backend: file

A key read from disk into memory. Development and testing only; the key is held in plaintext.

backend: pkcs11

A key on a PKCS#11 token or HSM. Signing happens on-device; the signer uses an existing key and never generates or imports one.

backend: awskms

A key held in AWS KMS. Signing happens through the KMS Sign API; credentials resolve through the AWS default credential chain, and no secret material appears in the config.

grpc

Optional. When present, the signer also serves the SignerService gRPC API alongside privval. Its usage documentation ships with the interoperability release; the fields are listed here for completeness. Each grpc.keys entry:
The gRPC server performs no caller authentication or authorization. Any client that can reach the listener can use every configured key. Restrict access with TLS and network controls.

Constraints checked at startup

  • Every validators[].chain_id and every entry in keys[].chain_ids must match a declared chains[].id.
  • Each chain must be backed by exactly one key.
  • PKCS#11 keys must select the token with exactly one of token_label or slot, select the key with key_label or key_id, and supply exactly one PIN source.

Next steps