Validators: overview
What running a marketplace TEE means for a Solana validator operator.
Why operators run this
The marketplace lets you sell the SWQoS connection capacity that your stake earns, without exposing the Ed25519 identity key. The key is provisioned into a Nitro Enclave under a PCR-bound KMS policy. The marketplace API only issues short-lived ES256 JWTs that authorise individual signing requests. You retain on-chain identity, voting, and consensus participation. Only the QUIC handshake signing is delegated.
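The following is an added illustration of the authorisation boundary described above; it is not the marketplace's or the enclave's own code, and the claim names (iss, sub, exp, msg), the issuer name and the sample handshake bytes are assumptions chosen for the demo. It shows the enclave-side gate: the signer holds the Ed25519 identity key, pins the token algorithm to ES256, verifies the marketplace's signature with stdlib ECDSA over P-256, and releases an Ed25519 signature only over the exact bytes the short-lived token names for this identity. Replaying the token against other bytes, presenting it after expiry, or swapping the alg header are all refused.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// claims is the token payload assumed for this demo (the page does not specify one).
type claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"` // base64url Ed25519 identity pubkey the token is scoped to
	Exp int64  `json:"exp"` // unix seconds; tokens are short-lived
	Msg string `json:"msg"` // base64url of the exact bytes the token authorises signing
}

// signES256 mints a token the way the marketplace API would (demo only, to build sample input).
func signES256(priv *ecdsa.PrivateKey, c claims) (string, error) {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"ES256","typ":"JWT"}`))
	payload, _ := json.Marshal(c)
	input := header + "." + base64.RawURLEncoding.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JOSE encodes ECDSA signatures as fixed-width r||s, not DER
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// verifyES256 checks signature and expiry against the pinned marketplace public key.
func verifyES256(pub *ecdsa.PublicKey, token string, now time.Time) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrBytes, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "ES256" { // the verifier, not the token, decides the algorithm
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, errors.New("signature invalid")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if now.Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// Signer models the enclave-resident component holding the Ed25519 identity key.
type Signer struct {
	identity  ed25519.PrivateKey
	issuer    string
	issuerKey *ecdsa.PublicKey
}

// Sign releases an Ed25519 signature only over the bytes a valid token authorises for this identity.
func (s *Signer) Sign(token string, msg []byte, now time.Time) ([]byte, error) {
	c, err := verifyES256(s.issuerKey, token, now)
	if err != nil {
		return nil, err
	}
	me := base64.RawURLEncoding.EncodeToString(s.identity.Public().(ed25519.PublicKey))
	if c.Iss != s.issuer || c.Sub != me || c.Msg != base64.RawURLEncoding.EncodeToString(msg) {
		return nil, errors.New("token does not authorise this request")
	}
	return ed25519.Sign(s.identity, msg), nil
}

// Demo runs the gate on constructed keys and a constructed handshake transcript.
func Demo() (map[string]bool, error) {
	issuerPriv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	idPub, idPriv, _ := ed25519.GenerateKey(rand.Reader)
	signer := &Signer{identity: idPriv, issuer: "marketplace", issuerKey: &issuerPriv.PublicKey}
	now := time.Unix(1700000000, 0)
	msg := []byte("constructed-quic-handshake-transcript") // stand-in for CertificateVerify input
	token, err := signES256(issuerPriv, claims{Iss: "marketplace", Sub: base64.RawURLEncoding.EncodeToString(idPub),
		Exp: now.Add(30 * time.Second).Unix(), Msg: base64.RawURLEncoding.EncodeToString(msg)})
	if err != nil {
		return nil, err
	}
	out := map[string]bool{}
	sig, err := signer.Sign(token, msg, now)
	out["valid_request_signed"] = err == nil && ed25519.Verify(idPub, msg, sig)
	_, err = signer.Sign(token, []byte("other bytes"), now) // replay against different bytes
	out["other_bytes_rejected"] = err != nil
	_, err = signer.Sign(token, msg, now.Add(31*time.Second)) // presented after exp
	out["expired_rejected"] = err != nil
	parts := strings.Split(token, ".") // alg-swap attempt on an otherwise valid token
	parts[0] = base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	_, err = signer.Sign(strings.Join(parts, "."), msg, now)
	out["alg_swap_rejected"] = err != nil
	return out, nil
}

func main() {
	out, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println(out)
}
```

The point of binding the token to the exact bytes (msg) as well as to the identity (sub) is that a stolen or leaked token buys an attacker one signature over one handshake transcript they do not control, not a general signing oracle over the identity key.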
What you need before installing
- A recent EC2 instance type that supports Nitro Enclaves (c6i.xlarge or higher).
- AWS credentials with permission to create KMS keys and enclave attachments (the validator-cli will check these on first run).
- terraform 1.6+ on $PATH.
- Your validator identity keypair file (loaded once into KMS, never read again from disk by the marketplace process).
What gets deployed
The Terraform module in the sibling repo's deploy/ provisions:
- The EC2 host running the host-proxy (gRPC over TLS, vsock client).
- The Nitro Enclave EIF (signer service over vsock).
- A KMS key with a PCR-bound policy gating decryption to the enclave's measured boot state.
- IAM roles, security groups, and CloudWatch log groups.
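As an added illustration of the PCR-bound policy item above (not the module's own output), here is the shape of a KMS key policy that lets the identity key be decrypted only inside an enclave whose measured image matches a known PCR0. The account ID, role names and the PCR0 value are placeholders; the real PCR0 is the one nitro-cli build-enclave prints for the signed EIF you deploy.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OperatorAdministersKey",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/validator-operator" },
      "Action": ["kms:Create*", "kms:Describe*", "kms:Put*", "kms:ScheduleKeyDeletion", "kms:Encrypt"],
      "Resource": "*"
    },
    {
      "Sid": "DecryptOnlyInsideMeasuredEnclave",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/host-proxy" },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringEqualsIgnoreCase": {
          "kms:RecipientAttestation:PCR0": "<PCR0 hex from nitro-cli build-enclave>"
        }
      }
    }
  ]
}
```

The host-proxy role is the same credential the EC2 host uses for everything else, so the Condition is what carries the security: a Decrypt call that does not include an attestation document from a running enclave has no PCR0 to match, the Allow does not apply, and KMS denies it. Encrypt is granted only to the operator principal, which is all the one-time key load needs; Decrypt is deliberately not in that statement, so the operator cannot pull the plaintext identity key back out of KMS from outside the enclave.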
The cost ballpark, billed to your AWS account, is printed by validator-cli install --dry-run before anything is created.