This guide walks you through the installation of a BitGo Express node using Docker.
It is a requirement when using CAS to access your BitGo wallets (on the BitGo website).
BitGo Express is designed and written by BitGo for their BitGo website wallets.
IMPORTANT: you will be exposing your BitGo wallets' private keys on this server. This may be a substantial security risk. Without airtight protection, your funds might be exposed. Securing your server is of paramount importance. If you proceed, you are doing so at your own risk.
BitGo recommends configuring SSL for BitGo Express. CAS converses within an SSH tunnel, which is far more secure than SSL - and renders SSL irrelevant in the context used by CAS.
Configuring SSL on this BitGo Express node serves no purpose, and may actually “break” its usage with CAS.
BitGo: holds and secures your cryptocurrency keys.
BitGo Wallet: the hot wallet option in the Crypto Application Server (CAS).
BitGo Express: a BitGo application, the API front end to interact with BitGo from CAS.
CAS does not directly interact with BitGo.
CAS only “talks” to BitGo Express via the API, which then interacts with BitGo.
This article presumes you have a bare installation of Ubuntu 24.04 LTS running on a VPS with a publicly exposed IP.
We recommend that you deploy a separate (from CAS) VPS server for this node.
These instructions are illustrated using a non-root superuser account.
“root” installation is discouraged (but possible).
We recommend Digital Ocean as your VPS provider: Create a VPS on Digital Ocean
1. Install Docker.
Install the Ubuntu dependencies:
sudo apt update && sudo apt dist-upgrade
sudo apt-get install ca-certificates curl gnupg lsb-release
Install the product signatures to verify file integrity:
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
Install the latest stable version of Docker:
sudo apt-get install docker-ce docker-ce-cli containerd.io
Assuming Docker installation went as planned, this next command should succeed:
sudo docker run hello-world
Success looks like this:
2. Set up a secure tunnel for encrypted communication.
Your CAS server and this node must have a secure channel. Your passphrase (and other sensitive information) will be passed back & forth. Encrypt (and protect) communication by using a secure SSH tunnel.
The GB Wallet Tunnel is recommended.
General Bytes has incorporated an open-source SSH client into CAS.
Click here for instructions to install the GB Wallet Tunnel Server on this node.
Alternative (unsupported):
Build an SSH tunnel (instead of the GB Wallet Tunnel), see: https://generalbytes.atlassian.net/l/cp/b7j5AVHA
For those instructions, set
FORWARDED_PORT=3080
The Crypto Setting host parameter will then need to be “http://localhost”.
3. Install & run BitGo Express.
Navigate to your home directory. The home directory is the default login directory.
Reference: https://developers.bitgo.com/guides/get-started/express/install
cd $HOME
Install the latest version of BitGo Express locally:
sudo docker pull bitgo/express:latest
Run BitGo Express:
sudo docker run -it -p 3080:3080 bitgo/express:latest -e prod --disablessl
This is an example of a successful start:
To stop it (interrupt it), merely press Ctrl+C at this point. Do not do that yet - you still need to test it.
4. Test it.
Verify that your node is working properly by sending a command via another terminal window.
Open a new/second Terminal window/tab.
Log in on that second window (via SSH) to the same BitGo Express node.
Type the following:
curl localhost:3080/api/v2/ping
You should see something similar to this reply:
On the first (original) window, you’ll see confirmation that the second window said “hello”:
This indicates that the server is running as expected, and is listening for commands.
You’ll also see messages from CAS as you test the Hot Wallet settings.
This is a great method to help diagnose any problems with CAS settings.
You may safely close the second window (the test window) at this point.
If anything seems to be amiss, try starting the container with the debug flag “-D bitgo:express”:
sudo docker run -it -p 3080:3080 bitgo/express:latest -e prod --disablessl -D bitgo:express
The conversation will become slightly more verbose, perhaps more useful.
5. Ensure continuity.
BitGo Express MUST be running at all times to be available as a Hot Wallet for CAS. If the program terminates for any reason, the Hot Wallet will cease to function. If the server goes down, so does your Hot Wallet. You need the server up & BitGo Express operating continuously for proper operation.
The best way to ensure that BitGo Express is always running is to implement Docker’s detached mode:
sudo docker run -p 3080:3080 -d bitgo/express:latest -p 3080 -e prod --disablessl
This command is only slightly different from that in Step 3; it includes the “-d” detached mode flag.
This is an example of BitGo Express successfully started in the background (detached mode):
The cryptic reply indicates that BitGo Express was successfully started, and assigned an identifier. That ID will vary every time - and it’s not very important unless you wish to stop the program. Normally you will only stop the program during maintenance or troubleshooting.
To stop BitGo Express, simply re-attach the container (use the first 12 characters of the identifier):
sudo docker attach a2be980a8ef9
You can now close BitGo Express by pressing Ctrl-C, or watch incoming test messages from CAS (or from curl in another window, as described above).
If you don’t know the container ID, use this command to list all Docker containers:
sudo docker ps
6. Firewall the node.
The node only needs to expose ports 22 (SSH) and 22222 (GB Wallet Tunnel).
Block off all other access to avoid having malicious actors abuse/attack your node.
UFW, or Uncomplicated FireWall, is a simplified firewall management interface. UFW is included (by default) with Ubuntu.
Check to see if UFW is already enabled and running:
sudo ufw status
If UFW is enabled and working, it will report the active rules of allowed connections to your server - otherwise you'll see something like this:
Fresh/new systems will normally be inactive (unprotected).
If it is not installed, install it now using:
sudo apt update && sudo apt install ufw
If UFW is active, then this procedure will erase that previous configuration and rewrite the rules.
Reset & deny all incoming connections by default:
sudo ufw reset
This will erase any/all previous UFW configuration.
Deny all public access to all ports:
sudo ufw default deny incoming
Now we’re left to specify the exceptions (the “rules”).
Allow incoming TCP connections on ports 22 and 22222:
sudo ufw allow 22/tcp
sudo ufw allow 22222/tcp
Finally, enable & reload UFW to apply the new rules:
sudo ufw enable
sudo ufw reload
If your system complied with your commands, your node should now be protected by UFW.
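Docker's documentation notes that ports published with -p are diverted before UFW's rules are applied, so the 3080:3080 mapping from steps 3 and 5 is worth checking against the allow-list above. The check below is an added example, not part of the original guide or of BitGo's tooling; the function names, container names and sample `docker ps` lines are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original guide): list Docker-published ports
# that are bound to a non-loopback address and are not in the step 6
# allow-list. Input lines are "name ports", as printed by:
#   sudo docker ps --format '{{.Names}} {{.Ports}}'

ALLOWED_PORTS="22 22222"   # ports step 6 opens in UFW

# Prints "name host_address port" for each finding.
exposed_ports() {
  while read -r name ports || [ -n "$name" ]; do
    rest="$ports,"                     # the Ports column is comma-separated
    while [ -n "$rest" ]; do
      entry=${rest%%,*}
      rest=${rest#*,}
      entry=${entry# }
      case $entry in *"->"*) ;; *) continue ;; esac   # exposed, not published
      bind=${entry%%->*}               # host side, e.g. 0.0.0.0:3080
      host=${bind%:*}
      port=${bind##*:}
      case $host in 127.*|::1|"[::1]") continue ;; esac   # loopback only
      case " $ALLOWED_PORTS " in *" $port "*) continue ;; esac
      printf '%s %s %s\n' "$name" "$host" "$port"
    done
  done
  return 0
}

# Constructed sample input (hypothetical container names), in the format above.
sample_docker_ps() {
  cat <<'EOF'
bitgo_express 0.0.0.0:3080->3080/tcp, :::3080->3080/tcp
loopback_only 127.0.0.1:3080->3080/tcp
unpublished 3080/tcp
EOF
}

sample_docker_ps | exposed_ports
```

On the node itself, pipe the `docker ps` command from the header comment into `exposed_ports`; empty output means no published port falls outside the allow-list.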
7. Create a new Crypto Setting for use with this node.
The “node” is now done, and you can create a new Crypto Setting to access your BitGo wallets.
The Crypto Setting will require 2 pieces of information from the procedure you performed in this article.
The “host” is typically “http://” + the IP address of this node (e.g. http://123.231.123.231), and the port is “3080” (unless you changed it).
Additional references:
https://developers.bitgo.com/guides/get-started/express/install
https://hub.docker.com/r/bitgo/express/tags
More Hot Wallet & Exchange guides:
Title | Creator | Modified
---|---|---
BitGo Express via Docker | Charles Wernicke | Oct 24, 2024
Create a VPS on Digital Ocean | Charles Wernicke | Oct 24, 2024
GB Wallet Tunnel Server | Charles Wernicke | Oct 17, 2024
Lightning on Bitcoin Core (lnd) | Charles Wernicke | Sep 20, 2024
Bitcoin Core (BTC) Node for CAS | Charles Wernicke | Aug 14, 2024
Geth Ethereum Node for CAS | Charles Wernicke | Jun 24, 2024
Node Tutorial (Generic) | Charles Wernicke | Jun 24, 2024
DOGE Node for CAS | Charles Wernicke | Jun 24, 2024
Cardano Node Installation | Charles Wernicke | Jun 24, 2024
Bitcoin Cash (BCH) Node for CAS | Charles Wernicke | Jun 12, 2023
Monerod (XMR) Node for CAS | Charles Wernicke | Mar 21, 2023
DASH Core Node for CAS | Charles Wernicke | Jun 11, 2021