We offer a cutting-edge Key Management Server (KMS) that ensures total ownership and control of private keys for all assets in custody. Our KMS guarantees that Finrock’s backend servers cannot access any private keys, Mnemonic Phrases, or wallet seeds at any time.

Hosted on the client’s infrastructure, preferably within environments like AWS or Azure, the KMS performs all signing tasks securely. This setup ensures that private keys remain within the client’s controlled environment, never exposing them externally. This provides an uncompromised level of security for asset management and transactions.

EGRESS ONLY

The server or the VM where KMS is deployed must allow outbound traffic exclusively, any INGRESS (inbound) traffic must be blocked for all IPs (LAN, MAN, WAN).

The Cloud Signer (KMS) is available as a docker container via Docker Hub

docker pull finrock/ng-signer

Config.json file

{
  "signer_id": "2df047e7-xxxxx-xxx-xxxxx-77673f0be16c",
  "private_key": "-----BEGIN PRIVATE KEY----- jLVyxLBYotc1+bNRrzD6CtW8MR/F6xNHh0oT/ d3AnFLWp9+6ZxzTUQRh/MbzfJs2dIfs= -----END PRIVATE KEY-----",
  "srds": [
    "YW1vdW50IGFixxxxxxxxxxxxxxxxxxxyIG1vb24=",
    "YW11c2VkIGFiYW5kbxxxxxxxxxxxxRyZXNzIGdyZWF0"
  ]
}

Starting Signer (detached container)

Use this mode to sign transactions. The software runs as a service and must be supplied with a Config file mounted to the docker container with read-only privileges.

Running with [docker run] command

docker run -d --restart always --name finrock -v "$(pwd)"/config.json:/usr/src/app/config.json:ro finrock/ng-signer

Running as [docker-compose]

version: '3'
services:
  signer:
    image: finrock/ng-signer
    container_name: finrock
    restart: always
    volumes:
      - ./config.json:/usr/src/app/config.json:ro

Removing Signer

docker rm finrock -f