AWS CloudHSM Integration For Wallets #1828
There is a potential future in this with new hardware or account abstraction, but I do not believe there are any Secure Elements/Enclaves (other than custom ASICs like Ledger’s) which support secp256k1. Most use the R1 curve, such as the ATEC806A, which I’ve used in a few projects, but which means the verification is mostly used in off-chain validation. If you can produce EVM code that verifies a supported algorithm on the HSM chips though, it is certainly possible. I’m also working on a USB security dongle for Ethereum, which doesn’t use a Secure Enclave, but ensures that the private key cannot be accessed from the host and can act as a gatekeeper to validate and throttle requests. I’m planning to use it as a front-running solution in an upcoming demo project. :)
Hello,
This thread is more like a discussion than a feature request. I'm curious about storing a private key securely on a server machine. It looks like the AWS HSM service provides nearly secure key storage. I want to prevent the private key from getting exposed when a user on the server is compromised.
Let's say that I have a wallet that only belongs to my server application. It calls a contract's write methods; for that it needs to sign transactions, and thus it has to do this with a wallet. However, initializing a wallet requires the private key in clear text. I am thinking that maybe AWS HSM integration with ethersjs will prevent exposing the private key.
Thanks.
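A signer that keeps the key inside an HSM, as the post proposes, receives only an ECDSA signature back, and that signature has to be reshaped before it fits an Ethereum transaction. The code below is an added example, not code from this thread or from ethers.js; it assumes the HSM signs with secp256k1 and returns ASN.1 DER, and the names `readDerInteger`, `derToEthereumRS` and `SAMPLE_DER` are hypothetical.

```javascript
// Added example. Assumption: the HSM returns an ASN.1 DER ECDSA signature,
// SEQUENCE { INTEGER r, INTEGER s }, computed over a 32-byte transaction digest.

// Order n of the secp256k1 group.
const SECP256K1_N = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141n;

// Read one DER INTEGER at `offset`; return its value and the offset after it.
function readDerInteger(der, offset) {
  if (der[offset] !== 0x02) throw new Error("expected DER INTEGER tag");
  const len = der[offset + 1];
  const start = offset + 2;
  const end = start + len;
  if (!(len >= 1 && len <= 33) || end > der.length) throw new Error("bad INTEGER length");
  if (der[start] & 0x80) throw new Error("negative INTEGER");
  const hex = Buffer.from(der.subarray(start, end)).toString("hex");
  return { value: BigInt("0x" + hex), next: end };
}

// Convert DER (r, s) into the 32-byte r and low-s values Ethereum expects.
function derToEthereumRS(der) {
  if (der[0] !== 0x30) throw new Error("expected DER SEQUENCE tag");
  if (der[1] !== der.length - 2) throw new Error("SEQUENCE length mismatch");
  const r = readDerInteger(der, 2);
  const s = readDerInteger(der, r.next);
  if (s.next !== der.length) throw new Error("trailing bytes after s");
  for (const v of [r.value, s.value]) {
    if (v <= 0n || v >= SECP256K1_N) throw new Error("r or s out of range");
  }
  // EIP-2: nodes reject s > n/2, and a generic HSM does not normalise it.
  const flipped = s.value > SECP256K1_N / 2n;
  const lowS = flipped ? SECP256K1_N - s.value : s.value;
  const toHex32 = (x) => "0x" + x.toString(16).padStart(64, "0");
  // `flipped` matters to the caller: negating s inverts the recovery parity.
  return { r: toHex32(r.value), s: toHex32(lowS), flipped };
}

// Constructed sample (not real HSM output): r = 0x11 repeated, s = n - 1 (high).
const SAMPLE_DER = Buffer.from(
  "3045" + "0220" + "11".repeat(32) + "022100" + (SECP256K1_N - 1n).toString(16),
  "hex"
);

console.log(derToEthereumRS(SAMPLE_DER));
```

The HSM does not return a recovery value, so the caller still has to pick `v` by recovering the address for both parities and comparing it with the wallet's known address.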