The MPC Hot Signer is a containerized solution that enables automated transaction signing in your infrastructure. Built as an alternative to the Bron desktop application, it provides enterprise-grade security with flexible deployment options.
The MPC Hot Signer is currently in beta. Features and configurations may change in future releases. Monitor updates closely to ensure continued operation of your shards.

Prerequisites

Before deploying the MPC Hot Signer, ensure you have:
  1. API Key Setup: Create dedicated API keys following the API Key creation guide
  2. PostgreSQL Database: A running PostgreSQL instance for shard storage
  3. Container Runtime: Docker or Kubernetes environment
All shard secret material is stored encrypted in the database, but metadata such as public keys and account IDs is protected only by PostgreSQL's authentication mechanisms.

Quick Start

Step 1: Prepare Your Environment

Create the necessary API keys for your MPC Hot Signer instance.

Step 2: Deploy with Docker Compose

Use this Docker Compose configuration as a starting point for testing environments:
services:
  hot-signer:
    image: bronlabs/mpc-server:latest
    depends_on:
      postgres:
        condition: service_healthy
    environment:
      # Instance identification that will appear in the Bron platform
      NAME: "HotSigner-01"

      PROMETHEUS_PORT: 9091

      # Bron API credentials
      API_KEY_ID: "your-api-key-id"
      API_KEY: "your-api-key-secret"

      # Database configuration
      POSTGRES_HOST: "postgres"
      POSTGRES_PORT: 5432
      POSTGRES_USER: "hot_signer"
      POSTGRES_PASSWORD: "secure-password-here"
      POSTGRES_DBNAME: "hot_signer"

      # Shard encryption options (check security configurations below)
      MASTER_PASSWORD: "YourSecureMasterPassword"
    restart: always
    healthcheck:
      test: ["CMD", "nc", "-z", "-v", "127.0.0.1", "9091"]
      interval: 30s
      timeout: 10s
      retries: 10
      start_period: 10s

  postgres:
    image: postgres:17.5
    environment:
      POSTGRES_USER: "hot_signer"
      POSTGRES_PASSWORD: "secure-password-here"
      POSTGRES_DB: "hot_signer"
    restart: always
    volumes:
      - ./postgresql-data:/var/lib/postgresql/data
    healthcheck:
      interval: 10s
      retries: 300
      test: pg_isready -U hot_signer -d hot_signer
      timeout: 3s
This example is for testing purposes only. Production deployments should use external PostgreSQL instances and enterprise-grade encryption options.

Step 3: Start the Services

docker-compose up -d
The hot signer will automatically register with the Bron platform once successfully deployed.

Security Configuration

The MPC Hot Signer supports four encryption methods for protecting shard materials. Choose the option that best fits your security requirements:
Important Security Notes:
  • Encryption configuration cannot be changed after initialization without data loss
  • Each API key requires a separate database and encryption setup
  • Cloud KMS key deletion will permanently disable shard access
Amazon Key Management Service
environment:
  KMS_ENCRYPTION_KEY_ID: "arn:aws:kms:eu-west-1:000000000000:key/mrk-c6157253996d5a424c3a3c4a5b7b18ee"
  KMS_SIGNING_KEY_ID: "arn:aws:kms:eu-west-1:000000000000:key/mrk-9d4d9cffc2e4acaf1b38b6e595b07415"
  AWS_REGION: "eu-west-1"
  AWS_API_KEY: "AKIAIOSFODNN7EXAMPLE" # optional - not recommended
  AWS_API_SECRET: "JalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" # optional - not recommended
  AWS_API_SESSION: "AQoDYXdzEEQaD//////////wEaDD///////wBhAP//////////wA=" # optional - not recommended
Setup Instructions

Required AWS Resources:
  • RSA_4096 asymmetric encryption key
  • P256 asymmetric signing key
It's recommended to create Multi-Region keys so that keys can be replicated across regions.
Authentication (Recommended): Instead of using credential environment variables, configure your container environment with an IAM role or service account that has the following permissions:
  • kms:Encrypt
  • kms:Decrypt
  • kms:Sign
  • kms:Verify
  • kms:GetPublicKey
Deleting AWS KMS keys will make the Hot Signer inoperable. If that happens, you will need to reinitialize the hot signer with a fresh PostgreSQL instance and new AWS KMS keys.

Operational Management

Enabling Shard Access

After successful deployment, configure shard access through the Bron platform:
Only workspace owners can configure shard access permissions.
Step 1: Access API Key Settings

In Workspace › API Keys, locate the API key used by your MPC Hot Signer instance.

Step 2: Configure Device Access

Open the Devices with signing access menu for your API key.

Step 3: Enable Signing Permissions

Select Enable Signing Access for your hot signer instance.

Step 4: Assign Account Access

Choose which accounts the hot signer should have access to for transaction signing.

Monitoring and Maintenance

Prometheus Metrics

The hot signer includes built-in Prometheus metrics on port 9091.

Database Backups

Implement regular PostgreSQL backups to prevent shard data loss. Consider:
  • Automated daily backups
  • Point-in-time recovery capabilities
  • Backup encryption and secure storage
  • Recovery testing procedures

Updates and Upgrades

Monitor the bronlabs/mpc-server image for updates. Test new versions in staging environments before production deployment.

Production Considerations

Infrastructure Requirements

  • High Availability: Deploy multiple instances with load balancing
  • Network Security: Implement proper firewall rules and VPC configuration
  • Monitoring: Set up logging and alerting for the hot signer services
  • Secrets Management: Use secure secret management solutions for sensitive environment variables

Need Help?

If you encounter issues during deployment or operation, reach out to our support team with your configuration details and error logs.