stacks-network · BowTiedDevOps · Dec 10, 2024 · Dec 5, 2024 · Dec 5, 2024 · Dec 5, 2024
@@ -106,7 +106,8 @@
   * [Best practices for running a Signer](guides-and-tutorials/running-a-signer/best-practices-to-run-a-signer.md)
   * [OpSec Best Practices](guides-and-tutorials/running-a-signer/opsec-best-practices.md)
 * [sBTC](guides-and-tutorials/sbtc/README.md)
-  * [How to Run a sBTC Signer](guides-and-tutorials/sbtc/how-to-run-sbtc-signer.md)
+  * [How to Run an sBTC Signer](guides-and-tutorials/sbtc/how-to-run-sbtc-signer.md)
+  * [Best practices for running an sBTC Signer](guides-and-tutorials/sbtc/best-practices-for-running-an-sbtc-signer.md)
 * [Stack STX](guides-and-tutorials/stack-stx/README.md)
   * [Solo Stack](guides-and-tutorials/stack-stx/stacking-flow.md)
   * [Operate a Pool](guides-and-tutorials/stack-stx/operate-a-pool.md)

@@ -1,3 +1,7 @@
-The guides in this section provide step-by-step instructions for interacting with sBTC, including operating as a signer and (coming soon) developer guides on how to interact with sBTC as an application developer.
+The guides in this section provide step-by-step instructions for interacting
+with sBTC, including operating as a signer and (coming soon) developer guides on
+how to interact with sBTC as an application developer.
 
-Note that in order to run a sBTC signer you must be one of the [approved signers](https://github.com/stacks-network/sbtc/discussions/624) described in [SIP-028](https://github.com/andrerserrano/sips/blob/main/sips/sip-028/sip-028-sbtc_peg.md).
+Note that in order to run a sBTC signer you must be one of the [approved
+signers](https://github.com/stacks-network/sbtc/discussions/624) described in
+[SIP-028](https://github.com/andrerserrano/sips/blob/main/sips/sip-028/sip-028-sbtc_peg.md).
@@ -0,0 +1,61 @@
+# Best practices for running a sBTC signer
+
+The following best practices suggest how to create a resilient setup for running
+your sBTC Signer.
+
+## Protect your private key
+
+- Prevent unauthorised access to the sBTC Signer private key.
+
+### Backup signer keys in cold-storage
+
+- Keep an offline, secure backup of your sBTC Signer private key (e.g., hardware
+  security modules or encrypted storage devices).
+
+## Backup your Postgres DB
+
+- Periodically backup the sBTC Signer Postgresql DB.
+
+## Firewall
+
+- Allow connections to your signer `listen_on` address (used for P2P
+  communication).
+- Optionally, allow traffic to the P2P ports of your Stacks and Bitcoin node.
+- Deny traffic to any other port and service, unless required, e.g. for SSH.
+
+### Monitor and observer your sBTC Signer
+
+{% hint style="info" %}
+This section is in progress as the core developers improve the sBTC Signer
+observability.
+{% endhint %}
+
+- Retain at least 1 day of logs for both the sBTC Signer, the Stacks node, and the
+  Bitcoin node.
+
+### Downstream components
+
+- Run a *dedicated* Bitcoin node and Stacks node for your sBTC Signer.
+    - Ensure the nodes are provisioned with the minimum hardware requirements
+      described [here][0].
+    - Nodes should be *exclusively dedicated* to serve the Signer. Avoid
+      re-using them to serve other clients as that may negatively affect
+      performance (no *mock-signing*, no *Stacks API nodes*).
+
+### Redundancy in operations
+
+- Ensure that multiple, trusted users can manage and maintain your sBTC Signer instance.
+- Where feasible, users should span different timezones.
+
+### Monitor new software releases
+
+- Stay up-to-date with new releases, patches, and security advisories (e.g.,
+  GitHub, mailing lists, Discord).
+- Apply updates as quickly as possible, especially those addressing a security
+  vulnerability.
+
+## References
+
+[0]: https://docs.stacks.co/guides-and-tutorials/running-a-signer#minimum-system-requirements
+
+- [Best practices to run a Stacks Signer](../running-a-signer/best-practices-to-run-a-signer.md).