Overview of Blockchain Wallets
Different Types of Blockchain Wallets:
- Custodial Wallets: Managed by third-party companies (e.g., Binance, Coinbase) that handle security and recoverability. Suitable for staking, trading, and investment.
- Non-Custodial Wallets: User-controlled wallets (e.g., MetaMask, Ledger, Safe Global). Optimize user control and ownership, but require managing keys and recoverability.
- Smart Wallets/Programmable Wallets: Managed by a company through a customizable smart contract. Can solve user experience issues and provide features like social logins and multi-factor authentication.
Institutional Grade Wallets:
- Hot Wallets: Wallets with programmatic access, usually with HSM-based security. Used for staking, settlement, and online custody.
- Warm Wallets: Similar to hot wallets, but require additional human approval for transactions, often using advanced cryptographic algorithms like MPC/TSS.
- Cold Wallets: Fully offline wallets, usually using offline HSMs. Provide the highest degree of security and are suitable for offline custody.
Building Blockchain Wallets on AWS
Core Building Blocks:
- Secure and robust key management service (AWS KMS, CloudHSM, or Secrets Manager)
- Fine-grained access management (AWS IAM, CloudTrail)
- Efficient compute layer (Lambda, EC2, Nitro Enclaves)
- Advanced monitoring and logging (Amazon CloudWatch)
- Low-latency APIs (Cluster Placement Groups, Enhanced Networking)
Example Implementations:
- Hot Wallet: KMS-based, serverless solution using Lambda.
- Cold Wallet: CloudHSM-based, offline solution accessed through a dedicated EC2 instance.
Nitro Enclaves for Blockchain Wallets
- Nitro Enclaves provide strong isolation, security, and flexibility for blockchain wallets.
- Enclaves can generate and hold their own encryption keys and use cryptographic attestation to prove their identity.
- Allows secure processing of private keys within the enclave, without exposing them to the parent EC2 instance or external entities.
- Enables cost-efficient, large-scale key management operations.
Fireblocks' Approach
- Fireblocks uses Nitro Enclaves to securely host its MPC (Multi-Party Computation) cosigners.
- The customer sets up an S3 bucket, an EC2 instance with a Nitro Enclave, and a KMS key. The Fireblocks-provided enclave image presents its attestation to KMS and can then decrypt the encrypted MPC shard stored in S3.
- This setup allows for a flexible, secure, and rapid development process, while maintaining a high level of trust in the build process.
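
The attestation step above only protects the shard if the KMS key policy refuses `kms:Decrypt` to callers that present no enclave attestation. The following added example (not from the original page or from Fireblocks) is a Python check that flags key-policy statements allowing `kms:Decrypt` without an equality condition on a `kms:RecipientAttestation:*` key. The sample policy, account ID, role name and digest placeholder are constructed, and only the key policy is inspected, not IAM policies attached to principals.

```python
import fnmatch

ATTESTATION_PREFIX = "kms:recipientattestation:"  # e.g. ...:ImageSha384, ...:PCR0

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _covers_decrypt(pattern):
    # IAM action names are case-insensitive and may contain * and ? wildcards.
    return fnmatch.fnmatchcase("kms:decrypt", pattern.lower())

def allows_decrypt(stmt):
    if stmt.get("Effect") != "Allow":
        return False
    if "NotAction" in stmt:
        return not any(_covers_decrypt(a) for a in _as_list(stmt["NotAction"]))
    return any(_covers_decrypt(a) for a in _as_list(stmt.get("Action", [])))

def attestation_bound(stmt):
    for operator, keys in stmt.get("Condition", {}).items():
        op = operator.lower().split(":")[-1]  # drop ForAnyValue:/ForAllValues:
        # ...IfExists operators pass when the key is absent, i.e. for calls
        # made without an attestation document, so they do not count.
        if op in ("stringequals", "stringequalsignorecase") and any(
                k.lower().startswith(ATTESTATION_PREFIX) for k in keys):
            return True
    return False

def unbound_decrypt_statements(policy):
    """Return Sids of Allow statements that permit kms:Decrypt without attestation."""
    return [stmt.get("Sid", f"statement[{i}]")
            for i, stmt in enumerate(_as_list(policy.get("Statement", [])))
            if allows_decrypt(stmt) and not attestation_bound(stmt)]

# Constructed sample policy; account ID, role name and digest are placeholders.
ROLE = {"AWS": "arn:aws:iam::111122223333:role/cosigner-instance-role"}
DIGEST = "<sha384-of-enclave-image>"
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AdminWildcard", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "kms:*", "Resource": "*"},
    {"Sid": "ParentCanDecrypt", "Effect": "Allow", "Principal": ROLE, "Action": ["kms:Decrypt"], "Resource": "*"},
    {"Sid": "IfExistsCondition", "Effect": "Allow", "Principal": ROLE, "Action": "kms:Decrypt",
     "Resource": "*", "Condition": {"StringEqualsIfExists":
         {"kms:RecipientAttestation:ImageSha384": DIGEST}}},
    {"Sid": "EnclaveOnly", "Effect": "Allow", "Principal": ROLE, "Action": "kms:Decrypt",
     "Resource": "*", "Condition": {"StringEqualsIgnoreCase":
         {"kms:RecipientAttestation:ImageSha384": DIGEST}}},
]}

print(unbound_decrypt_statements(SAMPLE_POLICY))
```

Only the `EnclaveOnly` statement ties decryption to the measured enclave image; the other three are reported for review.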