Author: RJ
Status: Draft
Published: 18/01/2021
We currently support a mixture of browser storage (Metamask), consumer-grade hardware wallets and encrypted keystore files across our products. Any of our website that uses Metamask will automatically support the hardware wallets manufactured by Ledger and Trezor because Metamask allows the user to use these wallets through Metamask.
We only allow users to issue using a pre-setup configuration file which contains the Ethereum wallet using the encrypted keystore format. This wallet is password protected using a password that is entered after the user provides the configuration file to the web application.
On tradetrust.io we support the Metamask browser extension, which allows the user to use either browser storage or a hardware wallet (Ledger or Trezor) to perform Ethereum transactions. This is only required for transfer of asset owner/holdership.
Ethereum wallet is not required on this website as verification can take place without one.
The user interface on this web application allows the user to select between Metamask or Ledger Nano. This application has a large amount of legacy code, and it is uncertain if the "Ledger" menu option still works - we have received some reports that it does not work, but upon investigation by our team it appears to work with a very poor UX on Windows. Using the Metamask option is feasible, and allows the user to use both browser stored wallets and consumer grade hardware wallets.
- Encrypted Ethereum keystore JSON wallet format
- Browser Extension: Metamask
- Consumer grade hardware wallet: Ledger + Metamask
- AWS KMS / CloudHSM - AWS KMS is a mature solution, AWS KMS + Ethereum might have some hickups but should not be anything catastrophic. Will require some work to support with our existing software. Uncertain about CloudHSM since it is an expensive solution and you really only need it if you are running very high stakes stuff like crypto exchanges or certificate authorities etc
- Azure Key Vault - Same as AWS CloudHSM
- Hashicorp Vault - Looking at the Github issues it does not look very ready for production use, and also having to run a whole Hashicorp Vault installation will require Ops personnel
- Thales SafeNet Luna HSM - Luna HSM - On-premise hardware solution. Will require custom development to integrate with this, not feasible for IMDA/Govtech to support this effort - if there is a requirement for this level of security they should do their own development and security audits on top of that
Torus Labs - Flexible, Universal Key Management
Onboard.js — Easily support the top wallets
These providers require some work to integrate onto our site but will require payment and is a form of centralisation. Usage also means that TradeTrust/IMDA/GovTech implicitly endorses them, which could be problematic. The upside is that they support numerous types of wallet storage with a good user experience - especially for instance of lost keys.
Writing a shim to use Ethers.js with AWS KMS => just need to implement the signing methods ethers.js/ledger.ts at master · ethers-io/ethers.js · GitHub , legwork on using aws kms with Ethereum) This piece of work would allow users to use an Ethereum wallet stored on AWS.
Further work on this could be to write a managed proxy to AWS KMS that only allows transactions that pass certain criteria such as pre-defined transaction parameters (only allowed to issue documents, not send Eth) or contract address
A Ethereum node connection details could be specified in the configuration file, allowing it to connect to a node that has the ability to do signing. Could be something like EthSigner Transaction Signer. Perhaps secured with oauth login or AWS api key signed requests.
Metamask supports: Ledger Hardware Wallet - State-of-the-art security for crypto assets | Ledger Trezor Trezor Hardware Wallet (Official) | The original and most secure hardware wallet.
Ethers.JS supports: Metamask Ledger ethers.js/packages/hardware-wallets at master · ethers-io/ethers.js · GitHub
Azure Key Vault HSM Simple Ethereum Wallets Management with Azure Key Vault | by Itay Podhajcer | Microsoft Azure | Dec, 2020 | Medium
Hashicorp Vault Using Vault to Build an Ethereum Wallet
AWS key management service (KMS) as ethereum wallet The Dark Side of the Elliptic Curve - Signing Ethereum Transactions with AWS KMS in JavaScript | by Lucas Henning | Medium
AWS CloudHSM AWS CloudHSM - Knowledge Center
Overview - EthSigner : This project seems to implement a proxy for signing transactions with a configurable wallet store, but not sure how mature it is or how supported it is.