Offline Signing Orchestrator (OSO)

Why Trust Techopedia

What is an Offline Signing Orchestrator (OSO)?

Offline Signing Orchestrator, also known as OSO, is an IBM cybersecurity software product that allows cryptocurrency transactions to be authorized in an offline environment before they are broadcast to an online blockchain network. The enterprise-level software allows digital assets in cold storage to be used in financial transactions without exposing private keys or needing to move assets online.


IBM developed OSO in partnership with Metaco, a digital asset custody provider owned by Ripple. Currently, the software can only be used with IBM Hyper Protect Virtual Servers built on IBM Z and LinuxONE mainframe systems.

Techopedia Explains the Offline Signing Orchestrator Meaning

Techopedia Explains the Offline Signing Orchestrator Meaning

IBM’s full name for OSO is Hyper Protect Offline Signing Orchestrator. In computing, an orchestrator is programming that automates tasks and process execution in a controlled way.

OSO was originally designed to provide air-gapped transaction signing services for Metaco’s Harmonize Platform. The audit trails that OSO provides are also helping the digital asset infrastructure provider meet regulatory requirements.

How Offline Signing Orchestrator Works

Offline Signing Orchestrator acts as an intermediary that manages communication between online and offline environments. It securely orchestrates transaction authorizations by isolating the digital signature service.

When deployed, the software will be installed on three logical partitions that are referred to as LPARs:

  • LPAR1 can access external networks and retrieve transaction data.
  • LPAR2 contains the orchestration components that handle transaction logic.
  • LPAR3 contains the offline signing service that interacts with hardware security modules (HSMs) that store and use private keys.

Each LPAR behaves as if it is a separate hardware component. Essentially, LPAR2 functions as an air gap between LPAR1 and LPAR3.

Here is a high-level view of what the transaction workflow might look like:

  1. A user triggers a cryptocurrency transaction.
  2. A frontend plug-in on LPAR1 retrieves the encrypted transaction data.
  3. The plug-in sends the data to LPAR2.
  4. LPAR2 relays the transaction data to LPAR3.
  5. The offline signing service in LPAR3 uses private keys to generate a digital signature and authorize the transaction.
  6. The signed transaction is sent back to LPAR2.
  7. LPAR2 forwards the signed transaction to LPAR1.
  8. A backend plug-in on LPAR1 transmits the signed transaction to the relevant blockchain network.

OSO Features

Offline Signing Orchestrator is designed to support policy-based workflows and authorization requirements.

Even though humans are not included in OSO operational processes, there are customizable policy enforcement points within the signing workflow that clients can use to implement multi-party authorization requirements or time-based restrictions on transactions.

Other features that can help ensure the automated signing process aligns with an organization’s security policies and regulatory compliance requirements include:

OSO Pros and Cons

Like any technology, Online Signing Orchestrator has advantages and disadvantages.

While its implementation might be ideal for assets under management (AUM) and organizations that frequently conduct cryptocurrency transactions, the cost and complexity of OSO might be overkill for organizations with low transaction volumes or simpler asset management needs.

The Impact of OSO

As digital currencies become more popular, governments are creating stricter security requirements for companies that conduct digital asset transactions. Increasingly, they are requiring that a certain percentage of the assets be stored offline in cold storage.

The introduction of OSO has been viewed as a significant step towards addressing the challenges associated with cold storage transactions. The automation that OSO provides eliminates the need for transaction administrators to physically access hardware security modules or private keys.

IBM predicts that OSO will play an important role in helping people trust digital currencies more and facilitate cryptocurrency transactions in new markets. While the average person will probably not interact directly with OSO, IBM hopes OSO’s zero trust architecture will make enterprise digital asset management (DAM) easier and lead to greater public confidence in financial transactions that involve tokenized real-world assets.

Future Implications of Offline Signing Orchestrator

OSO can help companies comply with new laws and regulations by making it easier and safer to conduct transactions with tokenized assets that are stored offline in cold storage.

As cybersecurity threats evolve, the demand for secure transaction processing solutions like OSO will likely increase. The software’s ability to automate and secure the signing process, while adhering to policy that supports regulatory requirements, positions OSO as a valuable tool for financial institutions that need to navigate the increasingly complex digital asset landscape.

In the future, it’s expected that Offline Signing Orchestrator software will be used to manage all kinds of tokenized assets, including stocks, bonds, real estate, artwork, intellectual property, central bank digital currencies (CBDCs), and government-issued digital versions of fiat money.

It’s likely that the specific use cases and legality of managing tokenized assets with OSO will depend on evolving regulations in different jurisdictions.

The Bottom Line

Offline Signing Orchestrator (OSO) makes it possible to authorize cryptocurrency transactions in an environment that is not connected to the Internet. The software automates the retrieval of encrypted transactions, their delivery to an offline signing service, and the return of signed transactions for broadcast to an online blockchain.


What is an offline signing orchestrator in simple terms?

How does OSO ensure security?

What is the difference between Offline Signing Orchestrator and traditional offline solutions?


Related Questions

Related Terms

Margaret Rouse
Senior Editor
Margaret Rouse
Senior Editor

Margaret is an award-winning technical writer and teacher known for her ability to explain complex technical subjects to a non-technical business audience. Over the past twenty years, her IT definitions have been published by Que in an encyclopedia of technology terms and cited in articles by the New York Times, Time Magazine, USA Today, ZDNet, PC Magazine, and Discovery Magazine. She joined Techopedia in 2011. Margaret's idea of a fun day is helping IT and business professionals learn to speak each other’s highly specialized languages.