generated from Consensys/doc.ethsigner
-
Notifications
You must be signed in to change notification settings - Fork 22
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
50d997d
commit 534c0c1
Showing
1 changed file
with
85 additions
and
14 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,19 +1,90 @@ | ||
| --- | ||
| title: Private Key Management Best Practices | ||
| description: Apply best practices to keep keys and Web3Signer secure. | ||
| sidebar_position: 5 | ||
| --- | ||
|
|
||
| When running Web3Signer, there are several best practices to be aware of for proper key management. | ||
|
|
||
| - Generate secure BLS keys | ||
| - Store keys in a vault or HSM - Ideally this should be encrypted which can’t be done right now | ||
| - Use environment authentication rather than password and token authentication where possible with vaults or HSMs | ||
| - Only expose the validator signing API on the necessary network interface | ||
| - Enable TLS authentication between the validator client and web3signer | ||
| - Restrict host access to Web3Signer with `--http-host-allowlist` | ||
| - Disable the key manager API | ||
| - Alternatively, restrict access to the API entirely | ||
| - Configure the Postgres database with TLS authentication | ||
| - Restrict access to the key config, limiting read access to Web3Signer | ||
| - Run web3signer in a secure enclave e.g. https://aws.amazon.com/blogs/database/aws-nitro-enclaves-for-running-ethereum-validators-part-2 | ||
| # Private key management best practices | ||
|
|
||
| Web3Signer manages validator keys for Ethereum 2.0 staking. | ||
| This document outlines best practices for key generation, storage, access control, and system security when using Web3Signer. | ||
| The following guidelines help protect your staked assets and supports Ethereum network integrity. | ||
|
|
||
| ## 1. Generate secure BLS keys | ||
|
|
||
| - Use cryptographically secure random number generators for key generation. | ||
| - Implement key derivation functions (KDFs) to strengthen key material. | ||
| - Consider using hardware security modules (HSMs) for key generation to ensure physical security. | ||
| - Implement proper key rotation policies to limit the impact of potential key compromises. | ||
|
|
||
| ## 2. Store keys in a vault or HSM | ||
|
|
||
| - Use dedicated key management solutions like HashiCorp Vault or AWS Key Management Service (KMS). | ||
| - Implement encryption for keys at rest and in transit. | ||
|
|
||
| :::note | ||
|
|
||
| Currently, Web3Signer doesn't support direct encryption of keys in storage. This is a known limitation that should be addressed in future updates. | ||
|
|
||
| ::: | ||
|
|
||
| - Use hardware security modules (HSMs) for the highest level of key protection, ensuring keys never leave the secure hardware. | ||
|
|
||
| ## 3. Use environment authentication for vaults or HSMs | ||
|
|
||
| - Leverage environment variables for authentication credentials instead of hardcoding them. | ||
| - Implement IAM roles and policies for cloud-based solutions, for example AWS IAM roles for EC2 instances. | ||
| - Use Kubernetes secrets or similar container orchestration tools for managing environment variables securely. | ||
| - Regularly rotate authentication credentials and limit their scope to the minimum required permissions. | ||
|
|
||
| ## 4. Expose validator signing API on necessary network interfaces only | ||
|
|
||
| - Configure Web3Signer to bind only to specific IP addresses or network interfaces | ||
| - Use firewalls or security groups to restrict inbound traffic to the signing API | ||
| - Implement network segmentation to isolate the signing service from other components | ||
| - Consider using a reverse proxy to add an additional layer of security and control | ||
|
|
||
| ## 5. Enable TLS authentication between validator client and Web3Signer | ||
|
|
||
| - Generate and use strong SSL/TLS certificates for all communications | ||
| - Implement mutual TLS (mTLS) for bidirectional authentication | ||
| - Regularly update and rotate TLS certificates | ||
| - Configure proper cipher suites and TLS versions to ensure strong encryption | ||
|
|
||
| ## 6. Restrict host access with `--http-host-allowlist` | ||
|
|
||
| - Use the `--http-host-allowlist` flag to specify which hostnames are allowed to access the Web3Signer API. | ||
| - Regularly review and update the allowlist to maintain tight access control. | ||
| - Implement additional network-level access controls to complement this feature. | ||
| - Monitor and log all access attempts, especially those from non-allowlisted hosts. | ||
|
|
||
| ## 7. Disable the key manager API or restrict access | ||
|
|
||
| - If the key manager API is not needed, disable it completely using the appropriate configuration option. | ||
| - If required, implement strict access controls for the key manager API: | ||
| - Use IP whitelisting. | ||
| - Implement strong authentication mechanisms, for example API keys and OAuth. | ||
| - Apply rate limiting to prevent overuse. | ||
| - Regularly audit access logs for the key manager API. | ||
|
|
||
| ## 8. Configure Postgres database with TLS authentication | ||
|
|
||
| - Enable SSL/TLS for all database connections. | ||
| - Use strong, unique client certificates for each Web3Signer instance. | ||
| - Implement proper certificate validation on both client and server sides. | ||
| - Regularly rotate database credentials and certificates. | ||
| - Consider using tools like pgBouncer with TLS support for connection pooling and additional security. | ||
|
|
||
| ## 9. Restrict access to the key config | ||
|
|
||
| - Implement file system-level permissions to limit read access to only Web3Signer. | ||
| - Use encrypted file systems or volume-level encryption for additional protection. | ||
| - Implement audit logging for all access attempts to key configuration files. | ||
| - Consider using a secrets management solution to dynamically provide key configurations to Web3Signer. | ||
|
|
||
| ## 10. Run Web3Signer in a secure enclave | ||
|
|
||
| - Use AWS Nitro Enclaves or similar secure computing environments. | ||
| - Implement attestation mechanisms to verify the integrity of the enclave. | ||
| - Use encrypted communication channels between the enclave and other components. | ||
| - Regularly update and patch the enclave environment to address security vulnerabilities. | ||
| - Implement proper logging and monitoring solutions that respect the enclave's security boundaries. |