HSM Custody
In EVM-compatible blockchains, each account has a private key used to sign transactions. It's important to protect private keys when using public blockchains, since whoever has the private keys controls the blockchain account.
Permissioned blockchains offer some inherent security measures. First, the permissioned blockchain isn't publicly exposed. In addition, even if an attacker accesses a private key and sends tokens to another address, these tokens are representations of assets instead of being the assets themselves. Therefore, the tokens can be destroyed and reminted.
Raylz is compatible with any custody system capable of signing ECDSA transactions. However, HSM Custody is recommended for most use cases.
Raylz offers two types of custody systems: MPC Custody for public blockchains, and HSM Custody for permissioned blockchains.
HSM Custody is lightweight, headless, and uses high-level APIs to communicate with Raylz. HSM Custody is designed for robustness and security, offering up to 15,000 transactions per second and integration with a variety of key management services. These services can be compared below.
Integration with AWS Key Management Service (KMS) provides a secure and managed solution for creating and controlling cryptographic keys with the reliable infrastructure of Amazon Web Services.
The architecture of HSM Custody offers maximum security in cryptographic key management and flexibility in integrations. Its core components, explained below, provide an adaptable solution to private key protection.
Core Components
Central API
The core of HSM Custody is a flexible API, developed to facilitate secure communication and the execution of cryptographic operations. It is encapsulated within a Docker container, ensuring ease of deployment, isolation, and scalability across different environments.
Enclave environment
The API operates within an enclave environment, providing an additional layer of security. This environment is designed to isolate and protect the execution of code and processed data against external access, even in cases where the operating system or hypervisor may be compromised.
MongoDB integration
We have chosen MongoDB as our database management system due to its high performance, scalability, and flexibility. Its NoSQL nature allows HSM Custody to efficiently handle large volumes of data, as well as facilitate future integration and architectural expansion.
Key management service integration
The HSM Custody API can integrate with Dinamo HSM, along with the key management services mentioned in multi-cloud key management.
Dinamo HSM offers an even more secure environment through a dedicated HSM. Integration with Dinamo HSM allows HSM Custody to perform the storage and management of cryptographic keys on specialized hardware, providing an even greater level of physical and logical security.
Cryptography and key management
The process of encrypting and storing ECDSA keys is critical to HSM Custody. HSM Custody's API generates ECDSA keys with secure algorithms. When integrated with key management services, HSM Custody can encrypt and securely store those keys.
Keystore V3
Keystore V3 offers additional flexibility, allowing users to choose the key storage solution that best meets their security and compliance needs.
Last updated