Signchain Docs

Home>Get Started>Vault Setup

Vault Setup

Setting up your Signchain Vault is the first step toward secure, scalable blockchain management within your infrastructure. This guide walks you through configuring both the Signchain Hosted Vault and the Self-hosted Vault options, highlighting critical setup requirements and security best practices.

Why Set Up a Vault?

The Signchain Vault provides a private environment for handling blockchain transactions, ensuring that your private keys never leave your secure infrastructure. Depending on your needs, you can choose between a hosted setup managed by Signchain or a self-hosted setup that gives you full control over your security protocols.

1. Choose Between Hosted and Self-hosted Vaults

  • Hosted Vault: Ideal for users who prefer a managed solution with minimal setup and responsibility. Signchain manages the infrastructure, security, and updates.
  • Self-hosted Vault: Recommended for users who require full control over their security, as it allows you to run the vault in your environment.

Select the option that best suits your security and operational requirements.

2. Self-hosted Vault Setup

For users opting for the self-hosted option, follow the steps below to configure the vault in your infrastructure.

Step 2.1: Prerequisites

  • Docker: Ensure Docker is installed. Docker Installation Guide
  • Access to Signchain Dashboard: Retrieve your Vault ID and Vault Key from the Signchain Dashboard.
  • Network Requirements: Open ports for communication, particularly if using Signchain’s API Gateway.

Step 2.2: Docker Setup

The self-hosted vault is provided as a Docker container, available on GitHub Container Registry.

docker pull ghcr.io/grexie/signchain-vault:latest

Start the container with the necessary environment variables:

docker run -d \
           -p 80:80 \
           -e PORT=80 \
           -e VAULT_INSECURE_HTTP=true \
           -e VAULT_KEY="vault-key-...,vault-key-..." \
           -e VAULT_AUTH_SECRET_KEY="<your-secret-key>" \
           -e VAULT_STORAGE_BACKEND=mongo \
           -e VAULT_MONGO_URL="mongodb://localhost:27017/signchain-vault" \
           ghcr.io/grexie/signchain-vault:latest

Essential Environment Variables

  • PORT: By default we run the vault on port 443, select port 80 for development purposes.
  • VAULT_INSECURE_HTTP: Set to true to disable automatic TLS self-signed certificate generation and serving over HTTPS.
  • VAULT_KEY: Configure with your vault keys from the Signchain Dashboard.
  • VAULT_AUTH_SECRET_KEY: A secret key known only to you, used to sign requests and prevent unauthorized access.
  • VAULT_STORAGE_BACKEND: Presently we just support MongoDB, but we're working on more including DynamoDB and Redis.
  • VAULT_MONGO_URL: MongoDB connection string for storing vault data (ensure MongoDB is running and accessible).

Step 2.3: Integration with Proxy (Optional)

If using a proxy like Traefik for SSL or load balancing, configure it to route requests securely to your vault instance. For more details, see our Integration with Traefik Guide.

3. Hosted Vault Setup

Using Signchain’s Hosted Vault is straightforward. Configure the hosted vault in your account settings on the dashboard:

  1. Login to the Signchain Dashboard.
  2. Select Hosted Vault: Under “Vaults,” select the Signchain Hosted Vault.
  3. Copy Vault ID: Note down this and create an API Key in the sidebar on the left. These credentials are important, as they’ll be required to authenticate your API calls.

4. Environment Configuration (Self-hosted Vault)

Additional configuration settings are available to enhance security:

  • PORT: Use for setting a custom port (default: 80).
  • VAULT_INSECURE_HTTP: Set to true if using an SSL front end like Traefik.
  • Secure Storage: Store sensitive variables in a secure .env file or environment manager.

For details on all available environment variables, check the Environment Variables Guide.

5. Testing Your Vault Setup

Once your vault is running, test connectivity with a basic API request:

List Wallets

curl -X GET https://signchain.net/api/v1/vaults/<vault-id>/status \
     -H "Authorization: Bearer <your-api-key>"

A successful response confirms that your vault is correctly set up and reachable.

6. Best Practices for Self-hosted Vault Security

  • Use Strong Secrets: Generate a robust VAULT_AUTH_SECRET_KEY for securing communication between your vault and backend.
  • Limit Access: Only allow necessary IP addresses access to your vault and avoid exposing non-HTTPS endpoints to the public internet.
  • Regular Updates: Pull the latest version of the Signchain Vault Docker container regularly to receive security patches and new features.

By setting up your Signchain Vault correctly, you’re establishing a secure and scalable foundation for handling blockchain transactions privately within your infrastructure. For more details on integrating the vault with Signchain’s API, visit the API Reference.