    Blockdaemon Builder Vault Secure MPC Key Management

    Sold by: Blockdaemon
    Free Trial
    Blockdaemon Builder Vault™ allows developers to integrate cryptographic key generation, management and protection into digital asset wallets, Web3 apps, and other critical applications that require public key cryptography services with institutional-grade key security and multiparty control.

    Overview


    Cryptocurrency wallets and other online services are vulnerable to private key theft and misuse. Blockdaemon Builder Vault™ is an institutional-grade, self-hosted, virtual key management and protection system. It allows developers to build applications that are protected against private key vulnerabilities and provides multiparty control using secure multi-party computation (MPC).

    Builder Vault is application-agnostic, supporting verifiable digital signatures and encryption services using public key cryptography (PKC) with popular primitives based on ECDSA, Schnorr/EdDSA, RSA, HMAC and more, for virtually any online or offline service.

    How MPC Key Management Works

    MPC is a specialized subfield of cryptography that generates, stores, and uses private keys in the form of distributed key shares, each controlled by a different party (an application or a person). A critical benefit of MPC is that these shares are never combined to create a complete private key. Therefore, a complete key is never known to any single machine, nor controlled by any single party, that could become compromised or use the private key for illicit purposes.

    How Builder Vault Works

    Builder Vault uses Blockdaemon's Advanced MPC™ technology, hosted on AWS Nitro, to create a virtual key management and protection system called a Threshold Security Module (TSM). Think of a TSM as a virtual hardware security module (HSM) and key management system that exists in a distributed form across multiple nodes, with each node controlled by a different party. The parties must collaborate for the nodes to collectively generate, store, and use private keys in the form of distributed key shares. As with an HSM, messages to be signed or ciphertext to be decrypted are sent into the virtual TSM, where they are signed or decrypted. The private keys never leave their secure virtual TSM, which is hosted in AWS Nitro.

    At the application level, it appears as if a single party with a single key is performing the cryptographic services. These MPC attributes allow Builder Vault to dramatically improve the security of private keys and cryptographically enforce multiparty approvals, while appearing as a standard single key service to applications.

    Builder Vault requires a minimum of two parties, each operating one TSM node. This minimum configuration supports a 2 of 2 operational model, where both parties must participate to perform a cryptographic operation. If more parties are desired, simply add more nodes: a third node can support a 2 of 3 model or a 3 of 3 model, and additional nodes support further “m” (minimum number of participating nodes) of “n” (total number of nodes) models.
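    The following is an added, self-contained illustration of the m of n property described above; it is not Blockdaemon's Advanced MPC code and makes two simplifications that a production TSM does not: a trusted dealer splits the key instead of distributed key generation, and the nonce round omits the commitment step real threshold-signing protocols use. What it does show is the essential point of the paragraphs above: each party signs with its own share, only the partial signatures are summed, and the private key is never assembled on any machine. The group parameters (a ~31-bit Schnorr group), the message and the seed are constructed for the example and are far too small for real use.

```python
"""Toy t-of-n threshold Schnorr signing: key shares are never recombined.

Added illustration, not Blockdaemon code. A trusted dealer splits the private
key x into Shamir shares; any t of the n share holders produce a signature by
each contributing a partial signature. Only the partials are summed; the key
shares themselves never leave their holders. Group size is constructed and
deliberately tiny.
"""
from __future__ import annotations
import hashlib
import random


def is_probable_prime(n: int) -> bool:
    """Deterministic Miller-Rabin for n < 2**32 (bases 2,3,5,7,11 suffice)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in (2, 3, 5, 7, 11):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_pair(start: int) -> tuple[int, int]:
    """Smallest q >= start with q and p = 2q + 1 both prime."""
    q = start | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return q, 2 * q + 1


Q, P = safe_prime_pair(1 << 30)  # constructed toy group of ~31-bit prime order
G = 4  # 2**2 is a quadratic residue mod p, so it generates the order-q subgroup


def challenge(R: int, y: int, msg: bytes) -> int:
    """Fiat-Shamir challenge e = H(R || y || msg) mod q (R, y < 2**32)."""
    h = hashlib.sha256(R.to_bytes(4, "big") + y.to_bytes(4, "big") + msg).digest()
    return int.from_bytes(h, "big") % Q


def shamir_split(secret: int, t: int, n: int, rng) -> dict[int, int]:
    """Dealer: shares f(1..n) of a random degree t-1 polynomial with f(0)=secret."""
    coeffs = [secret] + [rng.randrange(1, Q) for _ in range(t - 1)]
    return {i: sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q
            for i in range(1, n + 1)}


def lagrange_at_zero(i: int, signers: list[int]) -> int:
    """Coefficient so that sum(lambda_i * share_i) == f(0) over the signer set."""
    num = den = 1
    for j in signers:
        if j != i:
            num = num * j % Q
            den = den * (j - i) % Q
    return num * pow(den, -1, Q) % Q


def keygen(t: int, n: int, rng=None) -> tuple[int, dict[int, int]]:
    """Toy dealer-based setup; a real TSM uses distributed key generation."""
    rng = rng or random.SystemRandom()
    x = rng.randrange(1, Q)          # the private key: exists only here, in the dealer
    return pow(G, x, P), shamir_split(x, t, n, rng)


def threshold_sign(shares: dict[int, int], signers: list[int], t: int,
                   y: int, msg: bytes, rng=None) -> tuple[int, int]:
    """Any t of the n holders sign; each uses its share locally and shares nothing."""
    signers = sorted(set(signers))
    if len(signers) < t:
        raise ValueError(f"need {t} signers, got {len(signers)}")
    rng = rng or random.SystemRandom()
    # Round 1: each signer picks a nonce share and publishes R_i = g^k_i.
    nonces = {i: rng.randrange(1, Q) for i in signers}
    R = 1
    for i in signers:
        R = R * pow(G, nonces[i], P) % P
    e = challenge(R, y, msg)
    # Round 2: each signer computes a partial signature with its own key share.
    partials = {i: (nonces[i] + e * lagrange_at_zero(i, signers) * shares[i]) % Q
                for i in signers}
    return R, sum(partials.values()) % Q   # only partial signatures are combined


def verify(y: int, msg: bytes, sig: tuple[int, int]) -> bool:
    """Ordinary single-key Schnorr verification: g^s == R * y^e."""
    R, s = sig
    return pow(G, s, P) == R * pow(y, challenge(R, y, msg), P) % P


def demo(t: int = 2, n: int = 3, seed=None) -> dict:
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    y, shares = keygen(t, n, rng)
    msg = b"constructed sample transaction payload"
    sig = threshold_sign(shares, list(range(n - t + 1, n + 1)), t, y, msg, rng)
    return {"valid": verify(y, msg, sig), "tampered_valid": verify(y, msg + b"!", sig)}


if __name__ == "__main__":
    print(demo())
```

    Note that `verify` is a plain single-key Schnorr check: the verifier cannot tell that several parties were involved, which is the "appears as a standard single key service" property the listing describes. Fewer than t holders cannot produce a valid signature, and the key x is reconstructed nowhere during signing.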

    Application SDKs

    Each TSM node can be accessed and controlled using a Builder Vault SDK. SDKs are available supporting server nodes (in AWS) and mobile nodes (for mobile phone applications; contact Blockdaemon for details). SDKs are available in Go (golang), Node.js and Java, as well as mobile endpoints for iOS and Android.

    Builder Vault TSM Package

    Nodes that constitute a TSM are available in two CloudFormation templates. At minimum, a TSM Core template is required to configure a 2 node TSM, supporting a 2 of 2 threshold model. Additional nodes may be added to the TSM using the TSM Node template (up to 5 nodes total) to support other m of n threshold models such as 2 of 3, 3 of 3, 3 of 5 and others. Each package includes support for up to 75,000 public/private key pairs.

    The TSM Core Template includes two MPC nodes hosted in AWS Nitro to form a 2 of 2 TSM.

    The TSM Node Template provides the option to add additional TSM nodes to a TSM Core template to support larger m of n TSM models.

    Highlights

    • Secure MPC-based key management and protection with multiparty control for cryptographic signing and encryption services
    • Common use cases include virtual Hardware Security Modules (vHSM), custodial and non-custodial digital asset / Web3 wallets, and specialty enterprise key management applications.
    • For custom orders through private offers or to speak with our team directly, please contact us at support@blockdaemon.com.

    Details

    Delivery method

    Delivery options:
    • Builder Vault - Core Stack
    • Builder Vault - Node Stack

    Latest version

    Operating system: AmazonLinux 2023.02.21

    Pricing

    Free trial

    Try this product at no cost for 30 days according to the free trial terms set by the vendor. Usage-based pricing is in effect for usage beyond the free trial terms. Your free trial gets automatically converted to a paid subscription when the trial ends, but may be canceled any time before that.

    Pricing is based on actual usage, with charges varying according to how much you consume. Subscriptions have no end date and may be canceled at any time. Alternatively, you can pay upfront for a contract, which typically covers your anticipated usage for the contract duration. Any usage beyond the contract will incur additional usage-based costs.
    Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator to estimate your infrastructure costs.

    Usage costs (6)

    Instance type    Product cost/hour    EC2 cost/hour    Total/hour
    m6i.xlarge       $2.28                $0.192           $2.472
    m6i.2xlarge      $2.28                $0.384           $2.664
    r6i.xlarge       $2.28                $0.252           $2.532
    r6i.2xlarge      $2.28                $0.504           $2.784
    c6i.xlarge       $2.28                $0.17            $2.45
    c6i.2xlarge      $2.28                $0.34            $2.62

    Vendor refund policy

    Blockdaemon does not offer refunds for Builder Vault; the licensing agreement contains all of the obligations of the buyer and seller.

    Legal

    Vendor terms and conditions

    Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA).

    Content disclaimer

    Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.

    Usage information


    Delivery details

    Builder Vault - Core Stack

    MPC stands for multi-party computation. To use multiple parties, Blockdaemon includes a KMS stack for each party that partitions access appropriately to increase the threshold security. The KMS stack is a security-centric component of Builder Vault that specializes in the management and safeguarding of cryptographic keys and sensitive secrets used throughout the AWS infrastructure. It must be deployed separately, before the Core stack, so that control of a node's configuration and protected secrets (such as its API key) is restricted to the admin user of that node.

    NB: The KMS stack does not store the actual key material, but the envelope key for the MPC node at runtime.

    Guide to install the prerequisite KMS stacks: https://builder-vault-tsm.docs.blockdaemon.com/docs/getting-started-aws#deploy-kms-stack 

    The KMS stack fits into the overall architecture as follows: https://builder-vault-public-244382059033-us-east-1.s3.amazonaws.com/docs/architecture-diagrams/Builder+Vault+KMS+Topology.pdf 

    The Builder Vault Core stack is the operational nucleus of the ecosystem and delivers a suite of services crucial for the functioning and management of cloud-based applications. It is deployed in a two-instance AMI configuration but can be extended using the Node Stack template.

    The client SDKs require API keys for authentication. An API key for each MPC node is generated inside the secure enclave at boot and stored in AWS Secrets Manager. The API keys, the private/public keys used for node-to-node communication, and a master encryption password are all generated inside the secure enclaves, then encrypted with KMS and stored in AWS Secrets Manager.

    Guide to install the Builder Vault Core Node stack: https://builder-vault-tsm.docs.blockdaemon.com/docs/getting-started-aws#deploy-builder-vault-core-node 

    The Core stack fits into the overall architecture as follows: https://builder-vault-public-244382059033-us-east-1.s3.amazonaws.com/docs/architecture-diagrams/Builder+Vault+Core+Topology.pdf 

    CloudFormation Template (CFT)

    AWS CloudFormation templates are JSON or YAML-formatted text files that simplify provisioning and management on AWS. The templates describe the service or application architecture you want to deploy, and AWS CloudFormation uses those templates to provision and configure the required services (such as Amazon EC2 instances or Amazon RDS DB instances). The deployed application and associated resources are called a "stack."

    Additional details

    Usage instructions

    The AWS multi-account design of Builder Vault prevents a single root administrator role from manipulating controls to observe all sets of encrypted data and decrypt the key shares to reconstitute the master private key. This structure reinforces secure multi-party computation (MPC) by protecting the data from outsider and insider threats alike, and it requires the segregation of system services and administrator roles. In this model, all administrator roles would need to collude to compromise the system.

    Review the different Builder Vault topology options to decide which topology best suits your use case: https://builder-vault-tsm.docs.blockdaemon.com/docs/high-level-aws-deployment 

    Note that the Builder Vault stacks need to be installed in a specific order. Follow this guide when installing Builder Vault: https://builder-vault-tsm.docs.blockdaemon.com/docs/getting-started-aws

    Support

    Vendor support

    Please contact our Customer Support Team via our Contact Form or directly via email at support@blockdaemon.com

    AWS infrastructure support

    AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.

    Customer reviews

    Ratings and reviews

    0 ratings, 0 AWS reviews. No customer reviews yet.