Fireblocks announced support for Amazon Web Services (AWS) Nitro Enclaves, a significant development to enhance customer security. According to fireblocks.com, this new feature allows Fireblocks customers building their products on AWS to use Nitro Enclaves to run the Fireblocks API Co-Signer.
Fireblocks x AWS Nitro Enclaves
Fireblocks uses API Co-Signers to store customers’ Multi-Party Computation (MPC) signing keys and configuration keys. Key shares are essential to MPC signing of digital asset transactions, while configuration keys authorize modifications to the Fireblocks Workspace.
With the AWS Nitro Enclaves integration, Fireblocks customers can now run their API Co-Signers in this secure environment. This requires a specific deployment process. Fireblocks uses an MPC algorithm to generate and distribute private key shards, ensuring that the complete private key is never in a single location. These key shards are stored on Fireblocks servers and on the customer’s mobile device or co-signer server, either on-premises or in the public cloud, to sign transactions in a trustless manner. This setup ensures that no single party, including Fireblocks, can be a single point of failure.
To enhance security, all operations involving these shards are performed in a secure environment such as AWS Nitro Enclaves. This ensures that sensitive data is not exposed or manipulated, whether at rest or in use. The key shares and configuration keys stored in the database are decrypted only inside the secure Nitro Enclave, where the API Co-Signer uses them to sign the transaction and authorize the operation. Private key information cannot be extracted from these enclaves, because it remains encrypted even if another party controls the server’s operating system.
In addition to AWS Nitro Enclaves, Fireblocks supports several secure enclaves for private key management, including Intel SGX and hardware security modules (HSMs).