Provide security guidance for ODIS key #8847

Merged
merged 3 commits into from
Nov 16, 2021
25 changes: 25 additions & 0 deletions packages/phone-number-privacy/signer/README.md
Expand Up @@ -38,6 +38,31 @@ This could be a node with RPC set up. Preferably this would be an node dedicated

- `BLOCKCHAIN_PROVIDER` - The blockchain node provider for chain state access. `

### Security

The ODIS Signer service provides partial signatures that can be combined to generate domain-specific encryption keys. These keys are used for a variety of different purposes from phone number privacy to account backup encryption. It's very important to keep your BLS key share safe. We provide the following recommended best practices for keeping your key secure.

#### Leverage a cloud keystore

All cloud providers have a keystore offering that keeps your key secure while still being accessible by your service. ODIS Signer supports Azure, GCP, and AWS keystores. You can find configuration details in the [Keystores](#keystores) section below.

#### Lock down your cloud

- [ ] Ensure that you have multi-factor authentication enabled for all cloud accounts.
- [ ] Reduce access to the ODIS resources to as minimal of a set of people as possible.
- [ ] Revisit your cloud's admin set and ensure it is up to date.
- [ ] Enable Just-In-Time access policies if your cloud provider has this functionality available. For example, Azure provides [Privileged Identity Management](https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure) which allows you to specify an approval list and limited time window in which an employee may access a given resource.
- [ ] Monitor/Audit access to the keystore and ODIS resource group.

#### Create a secure backup

The BLS key share should only exist in the keystore or as an encrypted backup. To create a backup, you can either download an encrypted copy from your keystore or manually encrypt it locally. Make sure that you keep it somewhere memorable (ex. external hard drive or password manager). Here are a couple options to create a local encrypted backup:

- [Azure Key Vault](https://docs.microsoft.com/en-us/azure/key-vault/general/backup?tabs=azure-cli)
- [MacOS](https://support.apple.com/guide/mac-help/protect-your-mac-information-with-encryption-mh40593/mac)
- [Windows](https://support.microsoft.com/en-us/windows/how-to-encrypt-a-file-1131805c-47b8-2e3e-a705-807e13c10da7)
- [GPG Command](https://www.gnupg.org/gph/en/manual/x110.html)

### Keystores

Currently, the service retrieving keys from Azure Key Vault (AKV), Google Secret Manager and AWS Secrets Manager.
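Review bot: the "Create a secure backup" paragraph tells the operator to keep the backup "somewhere memorable (ex. external hard drive or password manager)" but says nothing about where the passphrase or key that encrypts that backup lives; an encrypted backup stored next to its decryption secret is equivalent to a plaintext copy of the BLS key share, so add a sentence that the encryption passphrase must be kept separately from the encrypted backup (and that the backup should be test-restored once after it is created), and replace "memorable" with wording about a location that is both secure and recoverable. Also, the bullet list is introduced as "options to create a local encrypted backup", yet its first entry (Azure Key Vault backup) is the keystore-download path described in the sentence before, and the GCP and AWS keystores named under "Leverage a cloud keystore" have no backup entry at all; either split the list into "download from your keystore" (with the GCP Secret Manager and AWS Secrets Manager equivalents added) and "encrypt locally", or retitle it. Minor: the unchanged context line `- \`BLOCKCHAIN_PROVIDER\` - The blockchain node provider for chain state access. \`` ends with a stray backtick, and "Currently, the service retrieving keys from" in the Keystores section is missing a verb; both could be cleaned up while this PR touches the file.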