Russignol

Secure Tezos Hardware Signer

Turn your Raspberry Pi Zero 2 into a dedicated, physically separate signing device.

Get Started
Russignol Device - Raspberry Pi Zero 2 with E-Paper Hat

Features

Secure Storage

Private keys are encrypted and stored securely on the device with PIN protection.

Fast BLS Signatures

Optimized for performance: the Pi Zero 2 generates BLS signatures in under 5ms, ready for future Tezos protocols.

E-Paper Touch Display

Intuitive touch controls for PIN entry. View signing activity at a glance.

Automated Setup

The companion CLI utility makes configuring your baker host effortless and verifiable.

Why Russignol?

  • Physical Separation: Private keys never leave the device. Critical actions like key generation and PIN setup are performed exclusively via the touchscreen and cannot be triggered by the host. The host is restricted to requesting signatures for authorized operations.
  • Extensive Security Hardening: A purpose-built, hardened Linux distribution with a minimal attack surface. Security is enforced by a barebone kernel that disables module loading and all unused drivers (including standard video output and radios for Bluetooth and Wi-Fi), and by completely disabling user account logins.
  • Rust-Native Security: Rust implementation guarantees memory safety for the application logic. Utilizes the audited and formally verified blst library for BLS operations.
  • High Performance: Consistently signs blocks in under 5ms — significantly faster than comparable alternatives.
  • Minimal Footprint: 11MB compressed image — drastically smaller than standard OS images — greatly reducing the attack surface.
  • Predictable Latency: The absence of a garbage collector minimizes latency spikes during signing operations.
  • Rapid Startup: Achieves a fast boot time, reaching the PIN screen in just 5 seconds.
  • Optimized Storage: Fast F2FS filesystem to reduce SD card wear and ensure fast performance.

Get Started

1. RPi Setup

1

Download Image

Download the Raspberry Pi image (Latest Release).

curl -L -O https://russignol.com/downloads/russignol-pi-zero.img.xz
2

Flash the Image

Flash the downloaded image to a microSD card.

⚠️ CRITICAL: Replace /dev/sdX with your actual SD card device (e.g., /dev/sdb). Writing to the wrong device will erase all data on that drive. 
xz -dc russignol-pi-zero.img.xz | sudo dd of=/dev/sdX bs=4M conv=fsync
3

Connect & Initialize

Insert the SD card into your Pi Zero 2 and connect it to your baker host via the USB data port. On the device, create your PIN and generate the consensus and companion keys.

2. Baker Setup

1

Download Host Utility

Download the setup utility for your host architecture.

AMD64

curl -L -o russignol https://russignol.com/downloads/russignol-amd64 && chmod +x russignol

AArch64

curl -L -o russignol https://russignol.com/downloads/russignol-aarch64 && chmod +x russignol
2

Run Setup

Run the utility and follow the prompts to configure networking and import keys.

./russignol setup