Skip to main content

Use Web3Signer with USB Armory Mk II

Web3Signer can sign payloads using private keys stored in a USB Armory Mk II device. Users must install the Interlock application on the device to enable communication with Web3Signer.

Web3Signer supports using the device as a secure key storage only.


Store private key files in USB Armory

Perform the following steps to use USB Armory to store signing keys:

  1. Connect to the Interlock web-based file manager on the device. The default URL is
  2. In the device, create a file for each private key using any naming format, and add the private key unencrypted to the file contents. The 0x prefix is optional.
  3. Configure a signing key configuration file for each signing key that Web3Signer requires access to.

The USB Armory Mk II device only allows one connection at a time. Ensure you log out of the web-based file manager before using the device with Web3Signer.

Use the INTERLOCK_CLIENT_TIMEOUT_MS environment variable to override the Interlock timeout from Web3Signer. The default is 5000 ms.

Known server file

The Interlock application by default uses a self-signed certificate. Web3Signer automatically creates a known server file to trust the Interlock certificate on first connection to the Interlock application, and uses the file on subsequent connections.


Web3Signer attempts to create the file using the knownServersFile key in the key configuration file. Ensure the file location is writable by the Web3Signer process.

Alternatively you can manually create the file and add the certificate details in the format <host>:<port> <sha265_signature_of_interlock_certificate> DF:65:B8:02:08:5E:91:82:0F:91:F5:1C:96:56:92:C4:1A:F6:C6:27:FD:6C:FC:31:F2:BB:90:17:22:59:5B:50