How can I securely sign transactions from my code? (Algorand)

Time:07-13

I'm writing smart contracts on Algorand, and want to know how to make them production-ready. How can I securely pass a private key, for example when creating a smart contract and sending it to the chain? It feels insecure to store the passphrase or private key on the dev computer.

CodePudding user response:

Key management is an extremely complex topic and if you are writing an application that is expecting to move millions of Algos, I would strongly recommend consulting a security expert and do a full audit.

There are many questions to ask and I'm just highlighting a few here:

  1. Do you want a custodial solution (i.e. the service has the key) or a non-custodial one (i.e. the user has the key - drawback: if the user is less technical, they may lose their keys with no recovery solution) or a hybrid one?

  2. What does the key allow one to do?

Q1: Custodial / non-custodial solution?

a. If you want a non-custodial solution, use MyAlgo Connect, AlgoSigner, and/or Wallet Connect. This is easy and really limits risks on your side, but non-technical users may lose keys.

b. A custodial solution is much more complex as you hold funds. Beyond technical issues, there are also legal issues.

c. Hybrid solutions may use multisig or smart contract to allow the user to use their non-custodial keys most of the time, but have a complete cold storage key that is used to manually recover accounts in case things go wrong. Complete cold storage means slow to access but also more secure.

Note that you can also have custodial key management by default and allow for non-custodial key management for advanced users.

Q2: What does the key allow?

There are many times where you actually don't need the stored key to do everything possible. For example, if you are just transferring ASA, you may use delegated logicsigs. See the forum.

However, if you really need a custodial solution done by storing your key, you most likely want to have a separate server to handle the private key. This server would run very simple, easy-to-audit code. Ideally, it would use an HSM, but unfortunately, last time I checked, there is no easy-to-use HSM for the ed25519 used on Algorand. Shielded/hardened VMs may be a good idea too. If you have your own server, YubiHSM may be an option to securely store your keys (it supports Algorand).

If HSMs are not available, you should at least store the keys encrypted under a KMS key or in a "Secret Manager".

This server would require strong authentication from the other services and log everything. You can then have other services checking logs. There can also be additional safeguards in case of too many transactions.

I would also actually recommend using multiple servers over multiple clouds, if possible managed by different people in the organization. You can then use multisig. For availability and recovery in case of crashes, you most likely also want to have some of the multisig keys available in complete cold storage.

Hope this helps.
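The separate signing server described in the answer (strong caller authentication, everything logged, a safeguard against too many transactions, the key itself held elsewhere) can be sketched as a small gateway. This is an added example, not code from the answer or from any Algorand SDK; `SigningGateway`, `DemoBackend` and `make_request` are hypothetical names, and `DemoBackend` is a constructed stand-in for the real key holder (an HSM/KMS or a process calling the SDK's transaction signing), chosen so the block runs offline with the standard library only.

```python
import hashlib
import hmac
import time
from collections import deque
from dataclasses import dataclass, field


class SigningDenied(Exception):
    """Raised when the gateway refuses to forward a request to the key holder."""


@dataclass
class SigningGateway:
    # backend: anything with sign(txn_bytes) -> bytes. In production this is the
    # HSM/KMS or isolated process that holds the Ed25519 key; the gateway never sees it.
    backend: object
    caller_secrets: dict            # caller_id -> shared HMAC secret (bytes)
    max_per_window: int = 5         # safeguard: max signatures per sliding window
    window_seconds: float = 60.0
    audit_log: list = field(default_factory=list)   # (time, caller, txid, outcome)
    _recent: deque = field(default_factory=deque)   # timestamps of granted requests

    def _authenticate(self, caller_id, txn_bytes, mac_hex):
        secret = self.caller_secrets.get(caller_id)
        if secret is None:
            return False
        expected = hmac.new(secret, txn_bytes, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, mac_hex)   # constant-time compare

    def _within_rate_limit(self, now):
        while self._recent and now - self._recent[0] > self.window_seconds:
            self._recent.popleft()
        return len(self._recent) < self.max_per_window

    def request_signature(self, caller_id, txn_bytes, mac_hex, now=None):
        now = time.time() if now is None else now
        txid = hashlib.sha256(txn_bytes).hexdigest()[:16]   # log a digest, not the payload
        if not self._authenticate(caller_id, txn_bytes, mac_hex):
            self.audit_log.append((now, caller_id, txid, "DENIED_AUTH"))
            raise SigningDenied("bad caller credential")
        if not self._within_rate_limit(now):
            self.audit_log.append((now, caller_id, txid, "DENIED_RATE"))
            raise SigningDenied("too many signing requests in window")
        self._recent.append(now)
        self.audit_log.append((now, caller_id, txid, "SIGNED"))
        return self.backend.sign(txn_bytes)


class DemoBackend:
    """Constructed stand-in for the key holder: HMAC-SHA512 so it runs offline.
    A real deployment signs with the Ed25519 key inside the HSM/KMS instead."""
    def __init__(self, key):
        self._key = key

    def sign(self, txn_bytes):
        return hmac.new(self._key, txn_bytes, hashlib.sha512).digest()


def make_request(secret, txn_bytes):
    """Client-side helper: the credential a calling service attaches to a request."""
    return hmac.new(secret, txn_bytes, hashlib.sha256).hexdigest()
```

A second, independently administered gateway holding another multisig key, as the answer suggests, would sit behind the same pattern; the audit log is what the other services check.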
