Glossary.

An active set is the limited group of validators that a proof-of-stake chain accepts to produce blocks and finalise consensus at any given time. Most chains rank validators by total stake delegated and admit only the top N — the ‘active set size’.

The cutoff matters because validators below it earn no rewards and contribute nothing to delegators’ yields. Cosmos Hub, for example, has 200 active slots; Celestia has 100. Falling out of the active set is operationally identical to going offline from a delegator’s perspective.

Operators above the cutoff differentiate on commission, uptime, and governance participation. Operators near the cutoff differentiate on whether they can stay in.

APR on a proof-of-stake chain is the projected yearly return earned by a delegator’s stake, given the network’s current inflation rate, total tokens staked, and the validator’s commission. APR is a snapshot — it changes as the staked supply or inflation parameters change.

APR differs from APY (Annual Percentage Yield) in that APR does not assume compounding. Most PoS chains let you claim rewards at any time and either spend or restake them, so practical yield can exceed the headline APR if you compound regularly.

Two important caveats: (1) APR is denominated in the network’s native token, so token-price volatility can produce a positive APR with a negative fiat return, and (2) commission is subtracted from the gross APR, so the rate you actually earn depends on your validator’s commission setting.

An Autonomous System Number identifies an organisation that operates its own block of IP addresses and announces routing policy via the Border Gateway Protocol (BGP) on the global internet. Operators with their own ASN make their own routing decisions instead of being a leaf customer of a single provider.

For validator infrastructure, owning an ASN matters because it signals network sovereignty: routes are announced under your control, peering agreements are direct, and you are not subject to the routing policy or outage profile of a parent network. Cloud-hosted validators share an ASN with everyone else on that cloud.

01node operates AS41536 with three IPv4 prefixes — 195.14.16.0/24, 193.222.57.0/24, 91.198.59.0/24 — verifiable on RIPE NCC and bgp.tools.

An attestation is a validator’s cryptographically signed declaration that a particular block is valid and should be considered finalised. On Ethereum, every active validator is expected to attest in every epoch (32 slots, ~6.4 minutes); missed attestations reduce validator rewards.

Aggregate attestations from many validators determine whether a block is ‘finalised’ — economically irreversible without slashing a supermajority of stake. Networks with high attestation participation finalise blocks quickly and securely; networks with poor participation experience finality lag.

Operationally, attestation reliability is the single most important quality metric for an Ethereum validator. Vote credit completion percentages and missed-attestation counts are tracked in real time by network monitors.

An Actively Validated Service is a system that pays validators (via restaked tokens) for performing computation, attestation, or oracle work outside the underlying L1’s consensus. Examples include data availability layers, oracle networks, bridges, and decentralised sequencers built on EigenLayer.

AVS operators commit to a slashing condition: if they misbehave on the AVS, their restaked tokens (typically restaked ETH) can be reduced. This makes AVS security extend the underlying L1’s economic guarantees to a new service.

From an operator perspective, AVS participation is real revenue but real risk too. The slashing surface expands beyond your base-layer chain; misbehaviour on a service you have restaked to can cost your underlying ETH stake.

BGP is the routing protocol that connects autonomous systems on the internet. Each AS announces which IP prefixes it can reach, and BGP propagates these announcements globally so traffic can find its destination.

For infrastructure operators, BGP control means deciding which upstream networks to peer with, how to weight inbound vs outbound paths, and how to react to network-level incidents. Cloud-hosted servers don’t make BGP decisions — they inherit whatever the cloud provider configures.

01node operates BGP under AS41536 with multiple tier-1 carrier upstreams. Direct peering reduces hop count to consensus peers and oracle endpoints, which materially affects latency-sensitive workloads like Chainlink oracle reports and fast-finality block production.

Validator commission is the share of staking rewards retained by the validator operator, expressed as a percentage. If a chain pays 10% inflation and the validator’s commission is 5%, delegators receive 9.5% effective yield (10% × (1 - 0.05)) and the validator keeps 0.5% of the gross reward.

Commission rates are set by the validator and are typically changeable on-chain with a notice period (24 hours on Cosmos chains). Always verify the current rate in your wallet before signing a delegation.

Pricing dynamics: 0% commission is usually unsustainable (subsidised by VC funding or self-stake; eventually rises). 5-10% is common for established institutional operators. >15% on a competitive chain typically means a niche operator with a different value proposition (compliance, custody integration).

Custody is the function of holding the private keys (and therefore the tokens) of someone else’s digital assets. Regulated custodians — Fireblocks, Copper, BitGo, Anchorage, Zodia, and others — provide this service under licences and operational frameworks acceptable to traditional finance.

Validators are not custodians. Delegating to a validator does not transfer custody: tokens stay in your wallet (or your custodian’s custody), and you sign delegation messages with your own keys. The validator only signs network messages on your behalf.

For institutional clients, the custodian is typically the gating relationship — operators integrate with the custodian’s infrastructure to make staking workflows compatible. 01node integrates with the major custodians for enterprise engagements.

A DDoS attack floods a target — a server, an IP, an application — with traffic from many distributed sources, with the goal of exhausting bandwidth, CPU, or connection limits. Validator infrastructure is a frequent target during chain incidents because taking validators offline can affect consensus and rewards.

Mitigation works at multiple layers: edge scrubbing at the carrier (Layer 3/4 volumetric attacks), application-layer filtering (Layer 7), and topology design that hides signing infrastructure behind sentries that absorb public-facing traffic.

01node operates 140 Gbps of upstream DDoS mitigation at the facility boundary, complemented by a 3-6 sentry topology per network and VPN-only access to all signing nodes.

Delegation is the mechanism by which a token holder assigns their stake to a validator’s consensus authority while retaining custody of the tokens. The validator earns rewards proportional to its delegated stake (minus commission) and can be slashed for misbehaviour, but cannot move or sell the delegator’s tokens.

Delegation is reversible: undelegating starts an unbonding period (typically 14-28 days on Cosmos chains, ~24 hours on Sui, epoch-bounded on Solana), after which the tokens become fully liquid in the wallet again.

Delegators are responsible for choosing operators they trust. Slashing on a misbehaving validator reduces all delegators’ stake proportionally. Diversifying across operators is a common risk-management practice for large delegators.

A Data Processing Agreement is the EU GDPR-mandated contract between a data controller (the client) and a data processor (the vendor) that defines categories of data, processing purposes, retention, security obligations, sub-processors, and international transfer mechanisms.

For validator operators, DPAs come into play in enterprise engagements where the operator processes personal data — typically employee or end-customer information related to the integration. For pure delegation flows, the operator processes very little personal data, and DPAs are correspondingly thin.

01node provides a DPA template as part of the enterprise onboarding pack, alongside the MSA and SLA documents.

Distributed Validator Technology splits a single validator’s key and operations across multiple independent operators using threshold cryptography. A signature is produced only when a quorum (e.g., 3 of 4) of operators agree; no single operator holds the full key, and no single operator can sign alone.

On Ethereum, two production DVT implementations are widely used: Obol Network and SSV Network. Both let multiple operators co-run a validator, distributing slashing-protection responsibility across the cluster and removing single-operator failure modes.

Lido’s Simple DVT Module is the largest deployment of DVT in production. 01node is a signed Node Operator in five Lido Simple DVT clusters — four with Obol, one with SSV.

EigenLayer is a protocol on Ethereum that enables staked ETH to be ‘restaked’ — committed to additional slashing conditions on top of Ethereum’s native consensus. This extends ETH’s economic security to other services (data availability, oracle networks, bridges, AVSs).

Restakers earn additional rewards from the services they secure but accept additional slashing surface. Misbehaviour on a service you have opted into can result in your underlying ETH being slashed, even if you have not double-signed on the Ethereum base layer.

Operationally, EigenLayer participation requires careful AVS selection and monitoring per service. Treating it as ‘free yield’ mispricing the slashing exposure.

FIDO2 (Fast IDentity Online 2) and the closely-related WebAuthn standard provide hardware-backed multi-factor authentication using public-key cryptography. A user authenticates by demonstrating possession of a hardware authenticator (YubiKey, Touch ID, Windows Hello) that signs a challenge from the relying party.

Unlike SMS or TOTP-based 2FA, FIDO2 is phishing-resistant: the authenticator binds the signature to the origin of the request, so credentials cannot be replayed against a different domain. This eliminates the most common credential-theft attack vectors.

01node uses FIDO2 / WebAuthn as the only permitted authentication for administrative systems. SMS-based 2FA is explicitly disallowed across the entire ops pipeline.

A Finality Provider is the role on Babylon Network that produces cryptographic finality signatures on Babylon Secured Networks (BSNs). When a BSN produces a block, Finality Providers — weighted by their delegated BTC stake and BBN stake — attest to its finality. This turns Bitcoin stake into security for the connected chain.

Finality Providers carry slashing risk on both chains: misbehaviour can slash BBN stake delegated to them and affect the BTC delegations through the covenant-based staking script.

01node has been an approved Finality Provider on Babylon since the Cap-2 onboarding cohort, with continuous active participation through subsequent caps.

The General Data Protection Regulation is the EU’s data-protection framework. It governs how organisations collect, process, store, and transfer personal data of EU residents. Key obligations include lawful basis for processing, data subject rights (access, deletion, portability), breach notification within 72 hours, and contractual requirements for vendors (DPAs).

For validator operators, GDPR is most relevant in two areas: (1) personal data collected from website visitors and prospects, and (2) personal data processed on behalf of enterprise clients under an MSA.

01node operates from Romania (EU) under GDPR. Our privacy policy documents the lawful bases, data categories, retention, and rights process.

A genesis validator is one of the operators included in the initial validator set when a blockchain’s mainnet first goes live. Genesis-era operators are typically vetted by the protocol foundation and are expected to be technically and operationally ready from block zero.

Genesis status carries reputational weight because it implies the operator was selected before any production track record could be observed — the foundation chose them based on prior credibility. It also means the operator has the longest possible track record on that chain.

01node is a genesis validator on Cosmos Hub (March 2019), SKALE (September 2020), and an early validator on multiple subsequent chains.

Horcrux is a threshold-signing system for Cosmos-ecosystem validators that splits a validator’s key across multiple signer instances. A signature is produced only when a quorum of signers agree (typically 2 of 3), removing single-node failure as a route to slashing.

Horcrux operates in front of HSM key custody: the threshold signers compute partial signatures using key shards, and the partial signatures combine into a valid full signature without ever reconstructing the full key in any single process.

01node runs Horcrux 2-of-3 threshold signers across Cosmos-ecosystem chains. The architecture is described in ‘Why a Validator Is Not a Server’.

A Hardware Security Module is a physical device — a chip, USB device, or rack-mount appliance — that stores cryptographic keys and performs signing operations in tamper-resistant silicon. Keys never leave the HSM; signing requests are submitted, the device signs internally, and only the signature is returned.

HSMs are the gold standard for key custody in regulated industries (banking, certificate authorities, government). For validator operators, HSM-backed signing keys eliminate the entire class of attacks that depend on memory exfiltration or disk theft.

01node has used YubiHSM 2 hardware security modules since June 2019 — dual-DC primary + hot backup, documented publicly from day one.

Inter-Blockchain Communication is the Cosmos ecosystem’s standard for trust-minimised message-passing between independent chains. IBC lets a Cosmos chain transfer tokens, query state, or send arbitrary messages to another Cosmos chain via a relayer that submits proofs of source-chain state to the destination.

IBC enables interchain DeFi, cross-chain governance, and Interchain Security (ICS), in which the Cosmos Hub provides shared security to consumer chains.

Validator infrastructure can be involved in IBC operationally as relayers — the operators who relay packets between chains. 01node operates IBC relayer infrastructure for the chains we validate.

Interchain Security is a mechanism through which the Cosmos Hub’s validator set provides shared security to ‘consumer chains’ — independent Cosmos chains that opt to be secured by Hub validators rather than building their own. ATOM staked at the Hub secures both consensus.

Consumer chains under ICS pay rewards (in their native token) to ATOM stakers and validators that participate. Examples include Neutron and Stride. From a delegator’s perspective, staking ATOM at the Hub now means earning rewards from multiple chains simultaneously.

Operationally, ICS requires validators to run additional infrastructure for each consumer chain. 01node participates in all live ICS consumer chains.

Inflation in proof-of-stake networks is the rate at which new tokens are minted by the protocol, typically distributed to validators (and through them to delegators) as staking rewards. Inflation rates range from <1% on mature chains (Ethereum post-merge) to 20%+ on incentive-heavy newer chains.

Inflation is the primary input to APR. A 10% inflation rate combined with 50% of the supply staked produces a base APR around 20% before commission. Most chains adjust inflation via on-chain governance or programmatic targets (e.g., a target staking ratio).

Real yield (inflation-adjusted return) is what matters economically — a 30% APR on a chain with 30% inflation produces zero real yield in token terms.

ISO/IEC 27001 is the international standard for Information Security Management Systems (ISMS). Certification requires implementation of a documented risk-based management framework covering policies, controls, and continuous improvement. Annual surveillance audits maintain certification.

ISO 27001 maps a majority of the SOC 2 Security common criteria, making it a useful precursor for SOC 2 Type II preparation. For validator operators, ISO 27001 is now the table-stakes compliance certification expected by enterprise counterparties.

01node is ISO 27001 certified.

A key ceremony is a documented, dual-controlled procedure for generating cryptographic keys (or shards), with witness participation, video recording, and counter-signed logs. The ceremony exists because key generation is the most catastrophic point in a cryptographic system: a leak there compromises everything that follows.

Modern ceremonies generate keys directly inside HSMs, never exporting the private material. Splits across multiple HSMs (for threshold signing or DVT) are computed without the full key existing in any single memory space at any time.

01node operates documented key ceremonies for every signing key, with rotation events logged and counter-signed.

Maximal Extractable Value is the additional revenue available to a block producer beyond standard transaction fees, captured by reordering, including, or excluding specific transactions. MEV exists on most public blockchains; the magnitude varies by ecosystem.

On Ethereum, MEV-Boost lets validators auction their block-construction rights to specialised builders, with the validator receiving the bid. On Solana, Jito-based vote validators capture MEV via auction tips.

MEV participation is real revenue but ethically contested in some configurations (sandwich attacks, frontrunning). Operators publish their relay or builder selection as an alignment signal.

Markets in Crypto-Assets (MiCA) is the EU’s comprehensive regulatory framework for crypto-asset issuers and service providers. Full enforcement begins July 1, 2026. CASP (Crypto-Asset Service Provider) authorisation is required to provide certain services to EU clients.

For validator operators, MiCA implications depend on how the service is structured. Pure delegation services are typically not in scope, but custody, exchange, or advisory services within the operator’s offering may be.

01node tracks MiCA via the CASP authorisation roadmap as part of the 2026-2027 compliance plan.

A Master Service Agreement is the framework contract between a vendor and a client that governs the relationship over time. MSAs typically include pricing structure, SLAs, payment terms, IP rights, confidentiality, indemnification, jurisdiction, and termination clauses. Specific work is then ordered under the MSA via Statements of Work (SOWs).

For validator operators, the MSA governs enterprise client engagements: dedicated infrastructure, custody integrations, reporting, named support. MSAs are typically multi-year by default with break clauses.

01node provides an MSA template to enterprise clients during onboarding (step 03 of the 5-step flow).

Obol Network is a production-grade Distributed Validator Technology implementation for Ethereum. It uses the Charon middleware to coordinate threshold signing across multiple operators in a cluster, with no single operator able to sign alone.

Obol clusters are used in production by Lido’s Simple DVT Module and other liquid-staking protocols. Operators participate in clusters of 4 or 7 (3-of-4 or 4-of-7 threshold), with signing performed only when a quorum cooperates.

01node operates four Obol-based DVT clusters within Lido’s Simple DVT Module: Bountiful Bison, Quixotic Quail, Unfettered Urial, and Ethereal Elf.

Pretty Good Privacy (and the corresponding RFC 4880-bis OpenPGP standard) is a public-key cryptography system for encrypting and signing messages, files, and communications. PGP keys are widely used for secure email, security disclosures, and software signing.

For security disclosure programmes, publishing a PGP key tells researchers they can submit sensitive vulnerability details encrypted end-to-end. The receiving party can also sign their own communications to prove provenance.

01node publishes a PGP key for [email protected] at /pgp/secops.asc with fingerprint EF56 2C83 CB98 107A 0593 957D 6F17 3EC4 7C60 8408.

Proof of History is a verifiable delay function that produces a cryptographic record of time elapsed between events. Solana uses PoH to establish a sequence of transactions before consensus runs, enabling sub-second block times and high throughput.

PoH does not replace proof-of-stake consensus on Solana — it complements it. Validators still vote on blocks, but PoH eliminates the need to coordinate a global clock during consensus, removing a major source of latency.

Operationally, Solana validators with low single-thread CPU latency and high bandwidth perform best because PoH and the Turbine block-propagation protocol both reward fast, well-peered hosts.

Proof of Stake is a consensus mechanism in which validators are selected to produce blocks proportional to the tokens they have staked. Misbehaviour (double-signing, extended downtime) results in slashing — a portion of staked tokens being burned or redistributed.

PoS replaced Proof of Work as the dominant consensus mechanism in the post-2020 generation of blockchains. It is materially more energy-efficient, but introduces different attack surfaces (long-range attacks, validator centralisation, MEV).

All chains 01node validates use Proof of Stake or a variant (delegated PoS, Tendermint BFT, Solana’s PoS+PoH hybrid).

Restaking is the practice of committing already-staked tokens to additional slashing conditions on top of their base-layer staking. The original stake continues to earn base-layer rewards; the restake earns additional rewards from the secured services in exchange for additional slashing risk.

EigenLayer on Ethereum is the largest restaking protocol. Babylon enables restaking-equivalent BTC delegation to BSN security. Several Cosmos chains have similar mechanisms in development.

Restaking is genuinely additive yield with genuinely additive risk. Treating it as ‘free yield’ mispricing the slashing exposure.

RPC is the protocol that lets applications query blockchain state and submit transactions to nodes over the network. Most chains expose JSON-RPC (HTTP POST) and gRPC (HTTP/2 binary) interfaces; Ethereum-family chains use a standard EVM JSON-RPC namespace.

Validator operators commonly run RPC nodes alongside their consensus nodes, both for internal use (relayer infrastructure, monitoring) and for external clients. Public RPC endpoints are typically rate-limited; dedicated endpoints for enterprise clients are contracted under SLA.

01node operates public Sui RPC at sui.01.ro (GraphQL + gRPC). Other chain RPC tiers are available to enterprise clients — contact for access.

A sentry node is a full node that participates in a chain’s peer-to-peer network on behalf of a validator, but does not hold signing keys. Sentries handle public traffic (incoming peers, RPC requests) and propagate consensus messages to and from the validator’s signing infrastructure, which is hidden from the public network.

Sentry topology — typically 3 to 6 sentries per network — is a defence-in-depth pattern: an attacker who finds and overloads a sentry has not reached the signing infrastructure, and traffic can be rerouted to other sentries while the affected one is replaced.

01node has run sentry topology since 2019, documented in the original validator-setup post.

Slashing is the protocol-level penalty that proof-of-stake networks apply when a validator misbehaves. The two most common slashable offences are double-signing (signing two conflicting blocks at the same height) and extended downtime (failing to attest or produce blocks for an extended window).

Slashing severity varies by chain. Cosmos chains typically slash 5% for double-sign and 0.01% for downtime. Ethereum slashes between 1 and 32 ETH per validator depending on the offence and how many other validators were slashed simultaneously.

Both the validator’s self-stake and the delegators’ delegated stake are slashed proportionally. This makes operator selection materially more important than ‘cheapest commission’ — a slashing event costs delegators directly. 01node has zero slashing events across 6 years and 40+ mainnets.

Slashing protection is the set of operational and cryptographic mechanisms that prevent a validator from producing a slashable signature even under conditions that might otherwise cause one (state desyncs, network partitions, software bugs).

Modern protection happens at multiple layers: (1) threshold signing (Horcrux, DVT) prevents single-host compromise from producing valid signatures, (2) slashing-protection databases (Web3Signer, Lighthouse-doppelganger) check every requested signature against history before releasing it, and (3) HSM-level constraints prevent reuse of nonces in deterministic signing schemes.

An operator without all three layers is one bug or one network partition away from a slashing event.

SOC 2 (System and Organization Controls 2) is an audit report issued under AICPA standards attesting to a service organisation’s controls over security, availability, processing integrity, confidentiality, and privacy. SOC 2 reports come in two flavours: Type I (point-in-time control design) and Type II (control operating effectiveness over a 6-12 month observation window).

Type II is the institutional bar. The observation window is a pure-time investment that cannot be compressed; from auditor engagement to a Type II report typically takes 12-18 months.

01node’s SOC 2 Type II is on the 2026-2027 compliance roadmap. Existing ISO 27001 certification maps a majority of the SOC 2 Security common criteria, materially reducing the gap.

SSV Network is a Distributed Validator Technology implementation for Ethereum, designed to operate as a permissionless network of operators rather than coordinated clusters. Validators choose 4 or 7 operators from the network; a 3-of-4 or 4-of-7 quorum is required to sign.

Like Obol, SSV operates threshold signing in front of HSM-backed keys. Lido’s Simple DVT Module includes SSV-based clusters alongside Obol clusters.

01node was a Launch Partner with SSV Network during its permissioned phase, achieving 99.78% uptime in the first 30 days. We currently operate one SSV-based cluster within Lido Simple DVT — Resilient Rabbit.

Threshold signing is a cryptographic scheme in which a signature is produced only when a quorum (e.g., 2 of 3, 3 of 4) of independent parties cooperate. Each party holds a shard of the key; partial signatures are combined into a valid full signature without ever reconstructing the full key.

Threshold signing is the foundation of both DVT (across multiple operators) and intra-operator signing systems like Horcrux (across machines a single operator controls). Either way, the security property is the same: no single host or party can sign alone.

Threshold signing complements rather than replaces HSM key custody. The HSM still protects each shard; the threshold layer ensures no single shard compromise produces a slashing event.

Unbonding is the period during which previously-staked tokens are locked after a delegator initiates an undelegation. During unbonding, tokens earn no rewards and cannot be transferred, sold, or re-delegated. Once unbonding completes, tokens are liquid in the wallet again.

Unbonding periods vary widely: Cosmos chains typically lock for 14-28 days (Cosmos Hub: 21 days, Celestia: 21 days). Solana stake deactivates over an epoch boundary (~2-3 days). Sui unbonds at the next epoch (~24 hours).

Unbonding exists to give the network time to detect and slash misbehaviour even from validators who are exiting; without it, a misbehaving validator could undelegate before slashing reaches them.

A validator is the operator role in proof-of-stake networks: a node (or, in modern architectures, a cluster of nodes) that produces blocks during its assigned slots, attests to consensus on other validators’ blocks, and is subject to slashing for misbehaviour. Validators earn protocol rewards proportional to their stake.

The term ‘validator’ means both the operator (the organisation, like 01node) and the on-chain entity (the registered address that signs blocks). One operator typically runs many validator entities across multiple chains.

Validator infrastructure has shifted from single-node setups to clusters with threshold signing, DVT, and remote signers — see ‘Why a Validator Is Not a Server’ for the architecture transition.

Vote credit is the Solana metric that measures how reliably a validator participates in consensus. Each correctly-attested block earns the validator a vote credit; missed votes earn nothing. Inflation rewards distributed at the end of each epoch are weighted by vote credit completion.

A validator with 99.99% vote credit completion delivers materially more rewards to delegators than one at 96%, even at identical commission rates. Vote credit is the closest Solana equivalent to slashing — Solana doesn’t financially slash for normal misbehaviour, but vote credit attrition is the operational equivalent.

01node optimises for vote credit reliability via dedicated TPU peering, redundant gossip paths, and sub-second monitoring.

Web3Signer is a remote signing service for Ethereum validator clients. The signer holds the validator key and exposes a signing API; validator clients submit signing requests over the network, never having direct access to the key.

Web3Signer’s critical feature is the slashing-protection database — a persistent record of every block, attestation, and committee vote it has signed. Before producing any new signature, Web3Signer checks the database to ensure the request would not duplicate or contradict prior signatures. This prevents double-signing even after restarts, state desyncs, or network partitions.

01node runs Web3Signer in production behind YubiHSM-backed key custody for our Ethereum validators.

WebAuthn is the W3C standard that enables websites to authenticate users using hardware security keys (FIDO2 authenticators, Touch ID, Windows Hello) instead of passwords or shared secrets. The user demonstrates possession of an authenticator that cryptographically signs a challenge bound to the website’s origin.

Because the signature is bound to the origin, a phished site cannot reuse the credential. This makes WebAuthn the strongest available defence against credential theft and remote account takeover.

01node uses WebAuthn / FIDO2 as the only permitted authentication for administrative systems.

YubiHSM is a hardware security module produced by Yubico. The YubiHSM 2 is a USB-attached device that stores cryptographic keys in tamper-resistant silicon and performs signing operations internally; keys cannot be extracted.

YubiHSM is widely used by certificate authorities, financial institutions, and infrastructure operators that need a hardware key boundary without the cost or complexity of a rack-mount HSM.

01node has used YubiHSM 2 dual-DC primary + hot backup since June 2019. The architecture is documented publicly from that date — see the founding Medium post linked from /security.