🎉 We are deprecating the Optimism SDK and migrating all tutorials to use viem/op-stack. Read more →
Builders
Chain operators
Chain management
Key management

Managing your keys

This guide informs chain operators on important key management considerations. There are certain privileged roles that need careful consideration. The privileged roles are categorized as hot wallets or cold wallets.

Hot wallets

The addresses for the Batcher and the Proposer need to have their private keys online somewhere for a component of the system to work. If these addresses are compromised, the system can be exploited.

It is up to the chain operator to make the decision on how they want to manage these keys. One suggestion is to use a Hardware Security Module (HSM) to provide a safer environment for key management. Cloud providers oftentimes provide Key Management Systems (KMS) that can work with your developer operations configurations. This can be used in conjunction with the eth_signTransaction RPC method.

You can take a look at the signer client source code (opens in a new tab) if you're interested in whats happening under the hood.

Cold wallets

The addresses for the cold wallets cannot be used without human intervention. These can be set up as multisig contracts, so they can be controlled by groups of community members and avoid a single point of failure. The signers behind a multisig should probably also use a hardware wallet.

Refer to the privileged roles documentation for more information about these different addresses and their security concerns.

Key managementBest practices