Validator key isolation checklist
Scope: Ethereum proof-of-stake validators using sentry architecture (M4.1.3).
Packs: ehx-modules/nodeops/presets/sentry/ · Catalog: GET /api/v1/web3/validator-presets
Before mainnet
| # | Check | Pass criteria |
|---|---|---|
| 1 | Keys off sentry | Sentry nodes have no validator keystore, no slashing key material |
| 2 | Remote signer | Block production uses remote signer, Web3Signer, or HSM — not local file on validator pod |
| 3 | Network isolation | Validator pod accepts P2P/engine only from sentry labels (see validator-isolated-network-policy.snippet.yaml) |
| 4 | No public RPC | No 0.0.0.0 bind for HTTP/WebSocket on validator; admin APIs disabled |
| 5 | Sentry redundancy | ≥2 sentry nodes, anti-affinity across nodes/zones |
| 6 | Withdrawal credentials | Separate cold storage procedure; not co-located with hot sentry VMs |
| 7 | Monitoring | Head stall, missed attestations, and peer count alerts on validator + sentry separately |
Key material handling
- Generate keys in an offline ceremony; record withdrawal address out-of-band.
- Deploy only validator client + remote signer URI on validator core subnet.
- Rotate by provisioning new validator identity before decommissioning old keys — never copy keystores to sentry for debugging.
- Back up encrypted offline copies; test restore on staging only.
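One way to verify check 1 and the "never copy keystores to sentry" rule on a sentry filesystem is sketched below. It is an added example, not part of the ehx-modules presets. It assumes keystores are EIP-2335 JSON files and reads "slashing key material" as including EIP-3076 slashing-protection exports; the names `classify`, `scan` and `demo` are hypothetical.

```python
import json
import tempfile
from pathlib import Path

MAX_BYTES = 1 << 20  # keystores are a few KB; skip files over 1 MiB


def classify(doc):
    """Name the validator artefact a parsed JSON document looks like, or None."""
    if not isinstance(doc, dict):
        return None
    crypto = doc.get("crypto")
    if isinstance(crypto, dict) and {"kdf", "checksum", "cipher"} <= crypto.keys():
        return "eip2335-keystore"
    meta = doc.get("metadata")
    if isinstance(meta, dict) and "interchange_format_version" in meta:
        return "eip3076-slashing-db"
    return None


def scan(root):
    """Return sorted (relative_path, kind) pairs; matches content, not file names."""
    findings = []
    for path in Path(root).rglob("*"):
        try:
            if path.is_symlink() or not path.is_file() or path.stat().st_size > MAX_BYTES:
                continue
            doc = json.loads(path.read_bytes().decode("utf-8"))
        except (OSError, ValueError, RecursionError):
            continue  # unreadable, not UTF-8, or not JSON
        kind = classify(doc)
        if kind:
            findings.append((path.relative_to(root).as_posix(), kind))
    return sorted(findings)


def demo():
    """Scan a constructed tree: renamed keystore, slashing export, benign config."""
    samples = {  # constructed sample data, not real key material
        "debug/notes.txt": {"crypto": {"kdf": {}, "checksum": {}, "cipher": {}}, "version": 4},
        "export.json": {"metadata": {"interchange_format_version": "5"}, "data": []},
        "config.json": {"log_level": "info"},
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, doc in samples.items():
            path = Path(root, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(json.dumps(doc))
        return scan(root)
```

Any non-empty result from `scan` on a sentry volume is a failure of check 1; the scan reads only the JSON structure and never attempts to decrypt a keystore.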
Related presets
| File | Purpose |
|---|---|
| network-layout.snippet.yaml | Zone diagram (sentry public / validator private) |
| sentry-node-deployment.snippet.yaml | Public-facing sentry Deployment |
| sentry-network-policy.snippet.yaml | P2P ingress to sentry only |
| validator-isolated-network-policy.snippet.yaml | Validator ↔ sentry/beacon only |
| architecture-checklist.snippet.yaml | Machine-readable checklist for bundles |
Generate bundle: /chat?intent=web3_operations&message=validator sentry architecture for staging&send=1