🛠️
Stacks Documentation
  • Start Here
  • 🧠Concepts
    • Stacks 101
      • What Is Stacks?
      • Bitcoin Connection
      • Proof of Transfer
      • Stacks Among Other Layers
      • Financial Incentive and Security Budget
    • Network Fundamentals
      • Network Basics
      • Mainnet and Testnets
      • Accounts
      • Authentication
      • Bitcoin Name System
      • SIPs
      • Technical Specifications
    • Block Production
      • Mining
      • Signing
      • Bitcoin Finality
      • Bitcoin Reorgs
      • Stacking
    • Transactions
      • How Transactions Work
      • Post Conditions
    • Clarity
      • Overview
      • Decidability
    • sBTC
      • Core Features
      • sBTC Operations
        • Deposit
        • Withdrawal
        • Deposit vs Withdrawal Times
      • Emily API
      • Peg Wallet UTXO
      • Clarity Contracts
        • sBTC Registry
        • sBTC Token
        • sBTC Deposit
        • sBTC Withdrawal
      • Auxiliary Features
        • Transaction Fee Sponsorship
        • Signer Wallet Rotation
      • Walkthroughs
        • Signer Process Walkthrough
        • sBTC Transaction Walkthrough
      • sBTC FAQ
    • Gaia
      • Configuration
      • Deploy Gaia Hub
      • Amazon EC2
      • Linux
      • Mac OS
  • 🛠️Guides & Tutorials
    • Developer Quickstart
    • Clarity Crash Course
    • Build a Borrowing & Lending Protocol
    • Bitcoin Integration
      • Sending Bitcoin with Leather Wallet
      • Verifying a Bitcoin Transaction
      • Parsing a Bitcoin Transaction
    • Create Tokens
      • Creating a NFT
      • Creating a Fungible Token
    • Build a Frontend
      • Post Conditions with Stacks.js
      • Authentication with Stacks.js
      • Sending Transactions with Stacks.js
    • Run a Node
      • Run a Node with Docker
      • Run a Node with Digital Ocean
      • Run a Node with a Hosted Provider
      • Run a Node with Quicknode
      • Run a Bitcoin Node
      • Run a Pruned Bitcoin Node
    • Run a Miner
      • Miner Prerequisites
      • Miner Costs and Fees
      • Mine Testnet Stacks Tokens
      • Mine Mainnet Stacks Tokens
      • Verify Miner
    • Run a Signer
      • Signer Quickstart
      • How to Read Signer Logs
      • How to Monitor a Signer
      • Best practices for running a Signer
      • OpSec Best Practices
    • sBTC
      • How to Run an sBTC Signer
      • Best practices for running an sBTC Signer
      • How to Use the sBTC Bridge
      • Earn sBTC Rewards
    • Stack STX
      • Solo Stack
      • Operate a Pool
      • Stack with a Pool
      • Increase Stacked Position
      • Stop Stacking
    • Community Tutorials
  • 📚Reference
    • API
    • Clarity Types
    • Clarity Functions
    • Clarity Keywords
    • Stacks Node Configuration
    • Signer Configuration
    • Stacks Tooling
  • 🏗️Example Contracts
    • Audited Starter Contracts
    • Stacking
    • BNS
    • Multi Send
  • 🧡Press & Top Links
    • 🔶2024
      • 🔸January 2024
      • 🔸February 2024
      • 🔸March 2024
      • 🔸April 2024
      • 🔸May 2024
      • 🔸June 2024
      • 🔸July 2024
      • 🔸August 2024
      • 🔸September 2024
      • 🔸October 2024
      • 🔸November 2024
      • 🔸December 2024
    • 🔶2025
      • 🔸January 2025
      • 🔸February 2025
  • 🧡Bitcoin Theses and Reports
    • 🟠Bitcoin Theses
    • 📙Bitcoin Reports
  • Contribute
Powered by GitBook
On this page
  • Protect your private key and have a cold-storage backup
  • Backup your sBTC Signer PostgreSQL DB
  • Verifying integrity of PostgreSQL DB backups
  • Setup proper access control
  • Maintain a strict firewall configuration
  • Maintain a robust secrets management program
  • Monitor and observe your sBTC Signer
  • Provision dedicated downstream components
  • Monitor new software releases
  • Ensure redundancy in operations
  • References

Was this helpful?

  1. Guides & Tutorials
  2. sBTC

Best practices for running an sBTC Signer

The following best practices suggest how to create a resilient setup for running your sBTC Signer.

Protect your private key and have a cold-storage backup

  • Prevent unauthorised access to the sBTC Signer private key.

  • Keep an offline, secure backup of your sBTC Signer private key (e.g., hardware security modules or encrypted storage devices).

Backup your sBTC Signer PostgreSQL DB

  • Perform daily backups of the sBTC Signer PostgreSQL DB.

  • Periodically verify the integrity of backups, as instructed below.

Verifying integrity of PostgreSQL DB backups

To verify the integrity of a backup, first import it into a fresh PostgreSQL instance (the database is enough, no need to spin up a Stacks / Bitcoin node or the sBTC signer).

Then, perform the following query:

signer=> SELECT aggregate_key FROM sbtc_signer.dkg_shares WHERE
dkg_shares_status = 'verified' ORDER BY created_at DESC;

It will return results as follows (your mileage might vary depending on the history of your sBTC signer, the following is provided for illustration purposes only):


                            aggregate_key
----------------------------------------------------------------------
 \x03d8c4344861fc7590fd812c24884a3bfd9374d8ba865a787ff53c9060020aa967
 \x03f898f8a6ddb86dd4608dd168355ec6135fe2839222240c01942e8e7e50dd4c89
(2 rows)

Now, ensure that the most recent aggregate_key (the first one) corresponds to the one returned by a read-only call to the SM3VDXK3WZZSA84XXFKAFAF15NNZX32CTSG82JFQ4/sbtc-registry/get-current-aggregate-pubkey smart contract method:

curl -s 'https://api.hiro.so/v2/contracts/call-read/SM3VDXK3WZZSA84XXFKAFAF15NNZX32CTSG82JFQ4/sbtc-registry/get-current-aggregate-pubkey' \
           -H 'content-type: application/json' --data-raw '{"sender":"SM3VDXK3WZZSA84XXFKAFAF15NNZX32CTSG82JFQ4","arguments":[]}' | jq .result

"0x020000002103d8c4344861fc7590fd812c24884a3bfd9374d8ba865a787ff53c9060020aa967"⏎

You can discard the prefix 0x02000000210 (which is how Clarity encodes values). The suffix 3d8c4344861fc7590fd812c24884a3bfd9374d8ba865a787ff53c9060020aa967 matches the first row of the PostgreSQL query above (excluding \x0 which indicates hex encoding).

Setup proper access control

  • Require hardware 2FA keys for access control (e.g., by using Yubikey) to connect through SSH, to authenticate to AWS, and for every other relevant action.

  • Follow the principle of least privilege: if you don’t need access, you don’t get access; if you get access, it expires after the action is taken.

  • Optional, but strongly recommended: Implement a "4-eyes" process (require that any activity by an individual must be controlled - reviewed, double checked - by a second individual) to access critical resources (e.g., deploy a new version of the sBTC signer).

Maintain a strict firewall configuration

  • Allow connections to your sBTC signer listen_on address (used for P2P communication).

  • Do not expose any non-essential service to the internet: use a DEFAULT DENY policy with explicit ALLOWs for necessary network traffic (such as sBTC signer p2p and SSH).

Maintain a robust secrets management program

  • Ensure all relevant secrets are safely managed and rotated (where possible), e.g. if someone leaves the team.

Monitor and observe your sBTC Signer

  • Retain at least 90 days of logs for both the sBTC Signer, the Stacks node, and the Bitcoin node.

  • The sBTC signer can optionally expose Prometheus metrics (see prometheus_exporter_endpoint configuration option).

    • You can use them to monitor its health (this guide shows how to configure Alloy to collect metrics on Grafana cloud).

Provision dedicated downstream components

  • Run a dedicated Bitcoin node and Stacks node for your sBTC Signer.

    • Ensure the nodes are provisioned with the minimum hardware requirements described here.

    • Nodes should be exclusively dedicated to serve the sBTC Signer. Avoid re-using them to serve other clients as that may negatively affect performance (no mock-signing, no Stacks API nodes).

Monitor new software releases

  • Stay up-to-date with new releases, patches, and security advisories for all used operating systems, software and packages:

    • https://www.cve.org/ is a great resource for popular software packages.

    • Subscribe to receive security notifications from your vendors.

    • Join relevant messaging channels as applicable (i.e. on Discord, Slack, etc.).

  • Exercise vulnerability management for all packages.

  • Apply updates as quickly as possible, especially those addressing a security vulnerability.

  • Use inventory and patch management software, if available.

Ensure redundancy in operations

  • Ensure that multiple, trusted system administrators can manage and maintain your sBTC Signer instance.

  • Where feasible, system administrators should span different time zones.

  • Document your operations procedures and ensure that relevant personnel have access to them.

References

  • Best practices to run a Stacks Signer.

PreviousHow to Run an sBTC SignerNextHow to Use the sBTC Bridge

Last updated 16 days ago

Was this helpful?

🛠️