> ## Documentation Index
> Fetch the complete documentation index at: https://developer.bron.org/llms.txt
> Use this file to discover all available pages before exploring further.

# MPC Hot Signer

> Automated transaction signing with enterprise-grade security

The MPC Hot Signer is a containerized solution that enables automated transaction signing in your infrastructure. Built as an alternative to the Bron desktop application, it provides enterprise-grade security with flexible deployment options.

<Warning>
  The MPC Hot Signer is currently in **beta**. Features and configurations may change in future releases. Monitor updates closely to ensure continued operation of your shards.
</Warning>

## Prerequisites

Before deploying the MPC Hot Signer, ensure you have:

1. **API Key Setup**: Create dedicated API keys following the [API Key creation guide](/api-reference/create-api-key)
   * Role: **MPC Hot Signer**
2. **PostgreSQL Database**: A running PostgreSQL instance for shard storage
3. **Container Runtime**: Docker or Kubernetes environment

<Note>
  All shard secret material are stored encrypted in the database, but metadata like public keys and account IDs rely on PostgreSQL's authentication mechanisms.
</Note>

## Quick Start

<Steps>
  <Step title="Prepare Your Environment">
    Create the necessary API keys for your MPC Hot Signer instance.
  </Step>

  <Step title="Deploy with Docker Compose">
    Use this Docker Compose configuration as a starting point for testing environments:

    ```yaml theme={"system"}
    services:
      hot-signer:
        image: bronlabs/mpc-server:latest
        depends_on:
          postgres:
            condition: service_healthy
        environment:
          # Instance identification that will appear in the Bron platform
          NAME: "HotSigner-01"

          PROMETHEUS_PORT: 9091

          # Bron API credentials
          API_KEY_ID: "your-api-key-id"
          API_KEY: "your-api-key-secret"

          # Database configuration
          POSTGRES_HOST: "postgres"
          POSTGRES_PORT: 5432
          POSTGRES_USER: "hot_signer"
          POSTGRES_PASSWORD: "secure-password-here"
          POSTGRES_DBNAME: "hot_signer"

          # Shard encryption options (check security configurations below)
          MASTER_PASSWORD: "YourSecureMasterPassword"
        restart: always
        healthcheck:
          test: ["CMD", "nc", "-z", "-v", "127.0.0.1", "9091"]
          interval: 30s
          timeout: 10s
          retries: 10
          start_period: 10s

      postgres:
        image: postgres:17.5
        environment:
          POSTGRES_USER: "hot_signer"
          POSTGRES_PASSWORD: "secure-password-here"
          POSTGRES_DB: "hot_signer"
        restart: always
        volumes:
          - ./postgresql-data:/var/lib/postgresql/data
        healthcheck:
          interval: 10s
          retries: 300
          test: pg_isready -U hot_signer -d hot_signer
          timeout: 3s
    ```

    <Warning>
      This example is for testing purposes only. Production deployments should use external PostgreSQL instances and enterprise-grade encryption options.
    </Warning>
  </Step>

  <Step title="Start the Services">
    ```bash theme={"system"}
    docker-compose up -d
    ```

    The hot signer will automatically register with the Bron platform once successfully deployed.
  </Step>
</Steps>

## Security Configuration

The MPC Hot Signer supports four encryption methods for protecting shard materials. Choose the option that best fits your security requirements:

<Warning>
  **Important Security Notes:**

  * Encryption configuration cannot be changed after initialization without data loss
  * Each API key requires a separate database and encryption setup
  * Cloud KMS key deletion will permanently disable shard access
</Warning>

<Tabs>
  <Tab title="AWS KMS">
    **Amazon Key Management Service**

    ```yaml theme={"system"}
    environment:
      KMS_ENCRYPTION_KEY_ID: "arn:aws:kms:eu-west-1:000000000000:key/mrk-c6157253996d5a424c3a3c4a5b7b18ee"
      KMS_SIGNING_KEY_ID: "arn:aws:kms:eu-west-1:000000000000:key/mrk-9d4d9cffc2e4acaf1b38b6e595b07415"
      AWS_REGION: "eu-west-1"
      AWS_API_KEY: "AKIAIOSFODNN7EXAMPLE" # optional - not recommended
      AWS_API_SECRET: "JalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" # optional - not recommended
      AWS_API_SESSION: "AQoDYXdzEEQaD//////////wEaDD///////wBhAP//////////wA=" # optional - not recommended
    ```

    **Setup Instructions:**

    * [Creating AWS KMS Keys](https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html)

    **Required AWS Resources:**

    * RSA\_4096 asymmetric encryption key
    * P256 asymmetric signing key

    <Note>
      It's recommended to create Multi-Region keys to allow replicate keys across regions.
    </Note>

    **Authentication (Recommended):**
    Instead of using credential environment variables, configure your container environment with an IAM role or service account that has the following permissions:

    * `kms:Encrypt`
    * `kms:Decrypt`
    * `kms:Sign`
    * `kms:Verify`
    * `kms:GetPublicKey`

    <Warning>
      Deleting AWS KMS keys will make Hot Signer not operable. If that happens, you will need to reinitialize the hot signer with fresh Postgres instance and new AWS KMS keys.
    </Warning>
  </Tab>

  <Tab title="Google Cloud KMS">
    **Google Cloud Key Management**

    ```yaml theme={"system"}
    environment:
      GCP_ENCRYPTION_KEY_ID: "projects/my-project/locations/global/keyRings/hot-signer/cryptoKeys/encryption-key/cryptoKeyVersions/1"
      GCP_SIGNING_KEY_ID: "projects/my-project/locations/global/keyRings/hot-signer/cryptoKeys/signing-key/cryptoKeyVersions/1"
      GCP_CREDENTIALS_JSON: '{"type": "service_account", "project_id": "my-project", ...}' # optional - not recommended
    ```

    **Setup Instructions:**

    * [Creating Google Cloud KMS Keys](https://cloud.google.com/kms/docs/create-key)

    **Required GCP Resources:**

    * RSA\_4096 asymmetric encryption key
    * EC\_P256 asymmetric signing key

    <Note>
      It's recommended to create Key ring in Global region. Also created keys must have HSM Protection level
    </Note>

    **Authentication (Recommended):**
    Instead of using credential environment variables, configure your container environment with a service account that has the following permissions:

    * `roles/cloudkms.publicKeyViewer (Cloud KMS CryptoKey Public Key Viewer)`
    * `roles/cloudkms.signer (Cloud KMS CryptoKey Signer)`
    * `roles/cloudkms.cryptoKeyDecrypter (Cloud KMS CryptoKey Decrypter)`

    <Warning>
      Deleting Google Cloud KMS keys will make Hot Signer not operable. If that happens, you will need to reinitialize the hot signer with fresh Postgres instance and new Google Cloud KMS keys.
    </Warning>
  </Tab>

  <Tab title="Azure Key Vault">
    **Microsoft Azure Key Vault**

    ```yaml theme={"system"}
    environment:
      AZURE_VAULT_URL: "https://my-vault.vault.azure.net/"
      AZURE_ENCRYPTION_KEY_ID: "encryption-key"
      AZURE_SIGNING_KEY_ID: "signing-key"
      AZURE_TENANT_ID: "00000000-0000-0000-0000-000000000000" # optional - not recommended
      AZURE_CLIENT_ID: "11111111-1111-1111-1111-111111111111" # optional - not recommended
      AZURE_CLIENT_SECRET: "Ta11A~7R.D85.xmKfkgPT3cauFJbCVLATve2kUwP" # optional - not recommended
    ```

    **Setup Instructions:**

    * [Creating Azure Key Vault Keys](https://docs.microsoft.com/en-us/azure/key-vault/keys/quick-create-portal)

    **Required Azure Resources:**

    * RSA\_4096 asymmetric encryption key (HSM-backed required)
    * EC\_P256 asymmetric signing key (HSM-backed required)

    <Note>
      Azure Key Vault keys must be HSM-backed (key types RSA-HSM and EC-HSM).
    </Note>

    **Authentication (Recommended):**
    Instead of using credential environment variables, configure your container environment with a managed identity or service principal that has the following Key Vault permissions:

    * `Key Vault Reader`
    * `Key Vault Crypto User`

    <Warning>
      Deleting Azure Key Vault keys will make Hot Signer not operable. If that happens, you will need to reinitialize the hot signer with fresh Postgres instance and new Azure Key Vault keys.
    </Warning>
  </Tab>

  <Tab title="Soft HSM">
    **Master Password Encryption**

    Generates encryption keys locally from a master password. Security depends entirely on the strength and protection of your master password.

    ```yaml theme={"system"}
    environment:
      MASTER_PASSWORD: "YourSecureMasterPassword"
    ```

    <Warning>
      Less secure than cloud-based HSM solutions (AWS KMS, GCP Cloud HSM, Azure Key Vault). Use at your own risk in production environments.
    </Warning>
  </Tab>
</Tabs>

## Operational Management

### Enabling Shard Access

After successful deployment, configure shard access through the Bron platform:

<Note>
  Only workspace owners can configure shard access permissions.
</Note>

<Steps>
  <Step title="Access API Key Settings">
    In **Workspace › API Keys**, locate the API key used by your MPC Hot Signer instance.
  </Step>

  <Step title="Configure Device Access">
    Open the **Devices with signing access** menu for your API key.
  </Step>

  <Step title="Enable Signing Permissions">
    Select **Enable Signing Access** for your hot signer instance.
  </Step>

  <Step title="Assign Account Access">
    Choose which accounts the hot signer should have access to for transaction signing.
  </Step>
</Steps>

### Monitoring and Maintenance

**Prometheus metrics**
The hot signer includes built-in prometheus metrics on port 9091.

**Database Backups**
Implement regular PostgreSQL backups to prevent shard data loss. Consider:

* Automated daily backups
* Point-in-time recovery capabilities
* Backup encryption and secure storage
* Recovery testing procedures

**Updates and Upgrades**
Monitor the `bronlabs/mpc-server` image for updates. Test new versions in staging environments before production deployment.

## Production Considerations

### Infrastructure Requirements

* **High Availability**: Deploy multiple instances with load balancing
* **Network Security**: Implement proper firewall rules and VPC configuration
* **Monitoring**: Set up logging and alerting for the hot signer services
* **Secrets Management**: Use secure secret management solutions for sensitive environment variables

<Card title="Need Help?">
  If you encounter issues during deployment or operation, reach out to our support team with your configuration details and error logs.
</Card>
