State Backend
The state backend is Containment Chamber’s bookkeeping store. It is separate from validator key storage and anti-slashing storage, even when all three use DynamoDB.
Most operators do not need this page during normal setup. It is useful when debugging initialization, unseal, auth propagation, or multi-replica behavior.
What It Stores
Section titled “What It Stores”| Data | Why it exists |
|---|---|
| Master-key metadata | KMS-wrapped Shamir shares and integrity data used during unseal |
| Operator quorum config | Operator names, threshold, and rotation staging |
| Operator credentials | Encrypted per-operator shares for passphrase or YubiKey unseal |
| Auth policies and tokens | Runtime access-control data |
| TEE auto-unseal blob | Nitro Enclave auto-unseal state |
It does not store validator private keys. Those live in the configured key source. It does not store slashing-protection records. Those live in the anti-slashing backend.
When It Is Required
Section titled “When It Is Required”The state backend is required for the DynamoDB key source because the master key has to be reconstructed across restarts. Filesystem-only deployments do not need it.
signer_state: backend: dynamodb table: containment-state refresh_interval_seconds: 1 unseal_timeout_minutes: 30Use a distinct DynamoDB table for signer state. Do not reuse the validator-key table or the anti-slashing table.
Runtime Behavior
Section titled “Runtime Behavior”Every replica polls the state backend on signer_state.refresh_interval_seconds. That polling lets a fresh process observe:
- An initialization completed by another replica.
- KMS or TEE auto-unseal state.
- Auth policy and token changes.
- Quorum rotation progress.
Set the refresh interval low enough for operational changes to propagate at an acceptable speed. Avoid setting it to 0 in production unless you intentionally want to disable cross-replica refresh behavior.
Troubleshooting
Section titled “Troubleshooting”| Symptom | Check |
|---|---|
| Signer starts as uninitialized unexpectedly | The signer may be pointed at the wrong state table. |
| Auth edits do not propagate | Check refresh_interval_seconds and DynamoDB read permissions. |
| Unseal never reaches threshold | Confirm every operator credential row exists and belongs to the expected state table. |
| TEE auto-unseal never works | Confirm the TEE auto-unseal blob exists and that Nitro measurements still match. |