How It Works
This guide explains the concepts and the different deployment modes for storing the private keys of your Fireblocks cryptocurrency wallets on a Securosys Primus HSM.
For an introduction to Fireblocks and the benefits of using a Primus HSM with it, see the overview page.
Architecture
You can integrate Fireblocks and Primus HSM with various degrees of complexity. This section showcases different possible deployment architectures.
In any deployment, the wallet keys are stored on an HSM partition. The difference is in how access to the keys is authorized.
Simple Deployment
In the simplest setup, signing requests flow from Fireblocks to the Primus HSM through a short chain of intermediate services, each of which translates between two APIs. Concretely, when a user signs a transaction from the Fireblocks web interface, the signing request traverses the following services:
- The Fireblocks Key Link Agent: It exposes the Fireblocks Key Link API, the public API through which HSM vendors and KMS providers integrate with Fireblocks.
- The Securosys Custom Server: It translates from the Fireblocks Key Link API to the Primus REST API.
- The Primus REST API Provider: It translates the REST calls into calls to the Primus JCE provider, the Java JCE API through which the HSM is accessed natively.
- The Primus HSM: It securely stores the wallet key, signs the provided message with it, and returns only the signature; the private key never leaves the HSM.
In this mode the HSM signs any request that reaches it with valid credentials for the partition holding the key; per-transaction authorization happens upstream of the HSM, not on it.

SKA Deployment
For higher security, the wallet key can be protected with Smart Key Attributes (SKA). SKA lets you attach a multi-authorization policy to the key that the HSM itself enforces: the policy specifies which approvers must approve each use of the SKA key, and each approval is signed with that approver's personal approval key. Approvals can be given manually by human approvers or automatically by custom business logic running in VaultCode.
SKA workflows are orchestrated by the Transaction Security Broker (TSB), which collects the required approvals and forwards the SKA key usage request, together with the approvals, to the HSM; the HSM verifies them against the key's policy before using the key.

Air-gapped SKA Deployment
The Transaction Security Broker (TSB) can also run in air-gapped mode. This lets you keep your wallet keys fully offline, at the cost of manually transferring each signed approval token to the offline REST API instance that talks to the HSM.
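The following Go program is an added illustration of the SKA and air-gapped deployments described above; it is not code from Securosys, Fireblocks or this guide. It models a key usage policy enforced at the key itself (a stand-in for the HSM), approval tokens that approvers sign with personal keys and that a broker merely collects, and the properties an offline instance relies on when it verifies hand-carried tokens: a token is bound to one key and one message, a duplicated token counts once, and a token from an unknown key or for a different message is rejected. The policy model (a single rule with a per-group quorum), the approver and key names, P-256 approval keys and the wallet's ECDSA-over-SHA-256 signing scheme are all assumptions for the example, not the Primus SKA policy format or the TSB's API.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// Member is the policy's view of an approver: its group and the public half of its personal approval key.
type Member struct{ Group string; Pub *ecdsa.PublicKey }
// Policy is a simplified SKA rule (an assumption of this example): every group in Quorums must supply that many distinct valid approvals.
type Policy struct{ Members map[string]Member; Quorums map[string]int }
// SignRequest is one key usage: sign Message with the wallet key named KeyName.
type SignRequest struct{ KeyName string; Message []byte }

// Digest binds an approval to exactly this key and this message.
func (r SignRequest) Digest() []byte {
	sum := sha256.Sum256(append([]byte(r.KeyName+"\x00"), r.Message...))
	return sum[:]
}

// ApprovalToken is one approver's signature over the request digest; it is self-contained, so it can be carried by hand to an air-gapped instance.
type ApprovalToken struct {
	Approver  string `json:"approver"`
	Signature string `json:"sig"` // base64 of an ASN.1-encoded ECDSA signature
}

// Approve is what a human approver, or VaultCode logic, does with its own key.
func Approve(name string, key *ecdsa.PrivateKey, r SignRequest) (ApprovalToken, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, key, r.Digest())
	return ApprovalToken{name, base64.StdEncoding.EncodeToString(sig)}, err
}

// Evaluate rejects unknown approvers and bad signatures outright, counts each approver once even if its token was submitted twice, then checks the quorums.
func (p Policy) Evaluate(r SignRequest, tokens []ApprovalToken) error {
	digest, seen, perGroup := r.Digest(), map[string]bool{}, map[string]int{}
	for _, t := range tokens {
		m, ok := p.Members[t.Approver]
		sig, err := base64.StdEncoding.DecodeString(t.Signature)
		if !ok || err != nil || !ecdsa.VerifyASN1(m.Pub, digest, sig) {
			return fmt.Errorf("unknown approver or invalid approval: %q", t.Approver)
		}
		if !seen[t.Approver] {
			seen[t.Approver] = true
			perGroup[m.Group]++
		}
	}
	for group, quorum := range p.Quorums {
		if perGroup[group] < quorum {
			return fmt.Errorf("group %q: %d of %d required approvals", group, perGroup[group], quorum)
		}
	}
	return nil
}

// GuardedKey stands in for an SKA key inside the HSM: the private key never
// leaves, and the policy is enforced here, not by whoever collected the tokens.
type GuardedKey struct{ Priv *ecdsa.PrivateKey; Policy Policy }

// Sign fails closed: any policy error means the wallet key is not used.
func (g *GuardedKey) Sign(r SignRequest, tokens []ApprovalToken) ([]byte, error) {
	if err := g.Policy.Evaluate(r, tokens); err != nil {
		return nil, fmt.Errorf("SKA policy rejected usage of %q: %w", r.KeyName, err)
	}
	sum := sha256.Sum256(r.Message)
	return ecdsa.SignASN1(rand.Reader, g.Priv, sum[:])
}

// Scenario is constructed: "eth-treasury" needs 2 of 3 "ops" approvers plus 1 "compliance" approver. Approver private keys are returned only for the demo.
func Scenario() (*GuardedKey, map[string]*ecdsa.PrivateKey) {
	approvers, members := map[string]*ecdsa.PrivateKey{}, map[string]Member{}
	for name, group := range map[string]string{"alice": "ops", "bob": "ops", "carol": "ops", "dave": "compliance"} {
		k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fails only if rand.Reader does
		approvers[name], members[name] = k, Member{group, &k.PublicKey}
	}
	wallet, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &GuardedKey{wallet, Policy{members, map[string]int{"ops": 2, "compliance": 1}}}, approvers
}

// Collect has the named approvers sign the request, as the broker (TSB) gathers them.
func Collect(approvers map[string]*ecdsa.PrivateKey, r SignRequest, names ...string) []ApprovalToken {
	var tokens []ApprovalToken
	for _, n := range names {
		t, _ := Approve(n, approvers[n], r) // error only on rand.Reader failure
		tokens = append(tokens, t)
	}
	return tokens
}

func main() {
	key, approvers := Scenario()
	req := SignRequest{"eth-treasury", []byte("constructed transaction payload")}
	for _, set := range [][]string{{"alice", "bob", "dave"}, {"alice", "alice", "dave"}, {"alice", "bob"}} {
		_, err := key.Sign(req, Collect(approvers, req, set...))
		fmt.Printf("approvals %v -> err: %v\n", set, err)
	}
}
```

Two design points carry over to a real SKA deployment. The broker is untrusted with respect to the policy: it can only gather and forward tokens, and the key-side `Evaluate` re-verifies every signature against the approver's public key, so a compromised broker cannot manufacture a quorum. And because each token signs a digest of key name plus message, a token is worthless for any other transaction, which is what makes hand-carrying tokens to an air-gapped instance safe: the carrier can drop or delay approvals, but not redirect them.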

What You Need to Do
- Set up a Primus HSM, preferably as a cluster (for redundancy).
- Deploy the three web services in the signing path: the Fireblocks Key Link Agent, the Securosys Custom Server, and the Primus REST API Provider or, for SKA deployments, the Securosys Transaction Security Broker (TSB). They can be deployed as Docker containers, for example on a Kubernetes cluster.
- Configure your Fireblocks workspace to register the HSM-backed wallet keys in your Fireblocks Vault.
For detailed instructions, proceed to the installation guide.