Signatory Setup Guide
This guide covers setting up Signatory, a remote signing service for Tezos. Signatory separates key management from your baker, improving security by isolating private keys in a dedicated service.
What is Signatory?
Signatory is a remote signer that enables bakers to keep their private keys separate from their baking infrastructure. Instead of storing keys directly in your baker’s configuration, the baker sends signing requests to Signatory over HTTP.
Benefits
- Security isolation: Keys never leave the signing service
- Hardware security module (HSM) support: YubiHSM integration for production deployments
- Cloud KMS support: AWS KMS, Azure Key Vault, Google Cloud KMS
- Flexible deployment: Run locally for development or remotely for production
- Multi-baker support: One Signatory instance can serve multiple bakers
When to Use Signatory
| Scenario | Recommended Approach |
|---|---|
| Testing/Development | File-based Signatory (as described in this guide) |
| Production | Hardware-backed Signatory (YubiHSM) or Cloud KMS; see the Signatory documentation for setup |
Prerequisites
- Running Tezos node: See Setting Up a Node
- Signatory binary: Install via octez-manager (see below) or download manually
- Baker keys: Generated or imported Tezos keys
Quick Start: File-Based Signatory
The simplest setup uses file-based key storage. This is suitable for development and testing, but it is not recommended for production because the keys are stored unencrypted on disk.
Installation via TUI
- Launch `octez-manager`
- Select [ Install new instance ] → Signatory
- Configure:
  - Instance name: e.g., `dev-signer`
  - Backend: `file`
  - Keys directory: default or custom path
  - Authorized keys: your baker’s public key hash(es)
  - Address: `127.0.0.1:6732` (default)
Installation via CLI
```bash
octez-manager install-signatory \
  --instance dev-signer \
  --backend file \
  --authorized-keys tz1abc123... \
  --signatory-version latest
```

This creates a systemd service `signatory@dev-signer` that starts automatically.
Adding Keys to Signatory
After installation, you need to import your baker keys into Signatory. The keys directory location depends on your setup:

User mode (default):

```bash
KEY_DIR=~/.local/share/octez/signatory/dev-signer/keys
```

System mode (when running as root or via sudo):

```bash
KEY_DIR=/var/lib/octez/signatory/dev-signer/keys
```
Option 1: Copy Existing Keys
If you already have keys in octez-client:

```bash
# Find your key files (octez-client keeps secret keys in the secret_keys file)
ls ~/.tezos-client/

# Copy the secret key file to Signatory's keys directory
cp ~/.tezos-client/secret_keys $KEY_DIR/

# Ensure proper permissions: readable and writable by the owner only
chmod 600 $KEY_DIR/secret_keys
```

Option 2: Generate New Keys in Signatory

```bash
# Create the keys directory if it doesn't exist
mkdir -p $KEY_DIR

# Use octez-client to generate a key pair and save it to Signatory's directory
octez-client -d $KEY_DIR gen keys my-baker
```

Option 3: Import Key from Secret Key

```bash
octez-client -d $KEY_DIR import secret key my-baker unencrypted:edsk...
```
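As an added example (not octez-manager’s or Signatory’s own code), the following POSIX shell script carries the Option 1 procedure through end to end: it resolves the keys directory for either layout described above, copies an octez-client `secret_keys` file into it, locks the directory and the file down to the owner, and verifies the result before the instance is started. The demo at the bottom runs in a scratch directory with a constructed `secret_keys` file whose key value is a placeholder; the function names and the 0700 directory mode are this example’s choices, not something octez-manager enforces.

```shell
#!/bin/sh
# Added example, not part of octez-manager or Signatory: stage an octez-client
# secret_keys file into the file backend's keys directory and verify that the
# unencrypted key material is readable only by its owner.
set -eu

# Keys directory for an instance, following the two layouts the guide gives.
# $1 = instance name, $2 = "user" (default) or "system".
signatory_key_dir() {
  instance="$1"
  mode="${2:-user}"
  case "$mode" in
    system) printf '%s\n' "/var/lib/octez/signatory/$instance/keys" ;;
    user)   printf '%s\n' "$HOME/.local/share/octez/signatory/$instance/keys" ;;
    *)      echo "unknown mode: $mode" >&2; return 1 ;;
  esac
}

# Octal permission bits of a path (GNU stat, with BSD stat as a fallback).
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Copy an octez-client secret_keys file ($1) into a keys directory ($2).
# The directory is made owner-only (0700, this example's choice) and the file
# 0600 as in the guide, so other local users cannot read the unencrypted keys
# the file backend stores on disk.
install_secret_keys() {
  src="$1"
  key_dir="$2"
  [ -f "$src" ] || { echo "source not found: $src" >&2; return 1; }
  mkdir -p "$key_dir"
  chmod 700 "$key_dir"
  cp "$src" "$key_dir/secret_keys"
  chmod 600 "$key_dir/secret_keys"
}

# Number of key entries ("value" fields) in a keys directory's secret_keys file.
count_keys() {
  grep -c '"value"' "$1/secret_keys" || true
}

# Succeed only if the keys directory is 0700, secret_keys is 0600 and the
# file holds at least one key. Anything else is reported and returns 1.
check_key_dir() {
  key_dir="$1"
  [ "$(mode_of "$key_dir")" = "700" ] ||
    { echo "$key_dir is not mode 0700" >&2; return 1; }
  [ "$(mode_of "$key_dir/secret_keys")" = "600" ] ||
    { echo "$key_dir/secret_keys is not mode 0600" >&2; return 1; }
  [ "$(count_keys "$key_dir")" -gt 0 ] ||
    { echo "$key_dir/secret_keys holds no keys" >&2; return 1; }
}

# Demo in a scratch directory so nothing under ~/.tezos-client or the real
# Signatory paths is touched. The secret_keys content is constructed and the
# key value is a placeholder, not a real edsk secret.
demo_dir=$(mktemp -d)
printf '[ { "name": "my-baker", "value": "unencrypted:edskPLACEHOLDER" } ]\n' \
  > "$demo_dir/secret_keys"
install_secret_keys "$demo_dir/secret_keys" "$demo_dir/keys"
if check_key_dir "$demo_dir/keys"; then
  echo "keys directory OK: $(count_keys "$demo_dir/keys") key(s)"
fi
rm -rf "$demo_dir"
```

To use it against a real instance, replace the demo section with `install_secret_keys ~/.tezos-client/secret_keys "$(signatory_key_dir dev-signer)"` (or `dev-signer system` for the root layout) and run `check_key_dir` on the same path; a non-zero exit from the check is the signal to fix ownership or modes before starting `signatory@dev-signer`.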
Next Steps
- Set up a baker with Signatory: See Baker Setup Guide
- CLI reference: Detailed command documentation in CLI Reference
- Official Signatory docs: https://signatory.io/docs/
- Signatory GitHub: https://github.com/ecadlabs/signatory
External Resources
- Signatory Documentation - Official Signatory documentation (includes HSM and cloud KMS setup)
- Signatory GitHub - Source code and releases
- Octez Remote Signer Docs - Tezos documentation on remote signers
Last updated: February 2026