
Wallets (key management service)

A wallet, or key management service, is a special non-custodial service that allows you to sign transactions offline.

We use AWS KMS to sign transactions, so to use it you need to have an AWS account.

We also provide Attarius KMS, a custodial solution where we own the keys. Because of that, this type of wallet can be used only for testnets.

tip

Non-custodial means that you (or a different service controlled by you) own the private key. We as a service can only ask this external service to sign a transaction, and you have all logs of all operations controlled by that external service. You can also disconnect the key at any time.

Custodial means that we have your private keys and can do anything that we want to.

We believe there is only one secure way: the non-custodial way.

Key Types

Modern blockchains use private keys and a lot of cryptography to sign transactions. The cryptography is usually based on elliptic curves, and there are many types of elliptic curves on the market. For blockchains we usually talk about the secp256k1 (Bitcoin, EVM-based chains) and ed25519 (NEAR, Solana, Algorand) curves. Remember that external wallets can be limited in the curves they support: if a blockchain requires an elliptic curve that the wallet does not support, you can't attach this wallet to that blockchain.

Creating wallet

To create a wallet, first select the necessary driver and then fill in the required fields.

Each wallet has its own set of fields, but all of them share some general fields as well. The general fields are the name, description, slug, and the "enabled" and "available via API" switchers.

The name and description are used in the dev panel only and provide notes for developers about the purpose of a given wallet.

The "available via API" switcher makes the wallet visible and usable via the API, so you can ask the API to sign transactions with it.

Attarius KMS

Attarius KMS provides a CUSTODIAL wallet that can be used with testnets only.

This is the easiest way to start using the service before switching to other wallet providers for production.

Amazon KMS

AWS KMS storage is controlled by the developer, who should provide all credentials for their own KMS. AWS KMS is a non-custodial way to manage keys. Sadly, AWS KMS supports only the secp256k1 elliptic curve, which is suitable for Ethereum-based networks. Modern networks mostly use the ed25519 elliptic curve.

How to set up your own AWS KMS

The setup process is fast and easy.

Registration

Register on https://aws.amazon.com. This is a simple but long process, as it requires validation from the AWS site.

Create an AWS KMS key

On https://console.aws.amazon.com/kms press the "Create a key" button.

Step 1 (key type)

  • Key type - Asymmetric
  • Key usage - Sign and verify
  • Key spec - ECC_SECG_P256K1
  • Advanced options - Multi-Region key

Step 2 (labels)

This step is mostly for you: it sets what the key is called and its description. These can be anything.

Step 3 (key administrator)

Skip this step.

Step 4 (Define key usage permissions)

Scroll down to the "Other AWS accounts" section and press the "Add another AWS account" button. Enter id 147746201810 here.

Step 5 (Review)

Review your parameters and click the Finish button below.

Next steps

You will see a list of keys. Select your key by clicking on it.

Under "General configuration" you will see the "ARN" section. This is what you should copy and paste into the Attarius dev panel.

The ARN looks like "arn:aws:kms:eu-west-1:XXXXXX:key/mrk-YYYYYYYYYYYYYYYYYYYYY"

All done!
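A check you can run after Step 4, shown as an added example (not Attarius or AWS code): it reads a key policy document, such as the output of aws kms get-key-policy, and lists anything the external account 147746201810 is allowed beyond signing-related actions. The SIGN_ONLY set, the sample policy and the owner account 111122223333 are assumptions constructed for illustration.

```python
import json

# Assumption (not from the page): actions a signing-only integration needs.
SIGN_ONLY = {"kms:sign", "kms:getpublickey", "kms:describekey", "kms:verify"}

def _as_list(value):
    """Policy fields may hold one item or a list of items."""
    return [] if value is None else value if isinstance(value, list) else [value]

def _names_account(principal, account_id):
    """True if a Principal element covers the account (directly or by wildcard)."""
    if principal == "*":
        return True
    aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
    return any(p in ("*", account_id) or p.startswith(f"arn:aws:iam::{account_id}:")
               for p in aws)

def audit_external_access(policy_json, account_id, allowed=SIGN_ONLY):
    """Return sorted (Sid, action) pairs allowed to account_id beyond `allowed`."""
    findings = set()
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow" or not _names_account(stmt.get("Principal"), account_id):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt:  # allows everything except the listed actions
            findings.add((sid, "NotAction"))
        for action in _as_list(stmt.get("Action")):
            if action.lower() not in allowed:  # IAM action names are case-insensitive
                findings.add((sid, action))
    return sorted(findings)

# Constructed sample policy; 111122223333 is a placeholder for the key owner's account.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "OwnerAdmin", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "ExternalUse", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::147746201810:root"},
     "Action": ["kms:DescribeKey", "kms:GetPublicKey", "kms:Sign"], "Resource": "*"},
    {"Sid": "ExternalGrants", "Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::147746201810:root"]},
     "Action": ["kms:CreateGrant", "kms:RevokeGrant"], "Resource": "*"},
]})

for sid, action in audit_external_access(SAMPLE_POLICY, "147746201810"):
    print(f"review: statement {sid} also allows {action}")
```

An empty result means the external account can only use the key for the actions in SIGN_ONLY; any other entry is a permission to review before pasting the ARN into the dev panel.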

Hashicorp vault transit

You can use the cloud or self-hosted version of Hashicorp vault to securely store keys and sign transactions. Please note that Hashicorp vault transit supports only the ed25519 key type, so you can't use it to sign EVM-based transactions.

How to set up your own Hashicorp vault transit

Please go to https://www.vaultproject.io/ to check the options. You can use the cloud or self-hosted version.

Step 1 - activate transit

Via web ui:

  • go to the vault web ui
  • select "Secrets engines"
  • select "Enable new engine"
  • select "Transit"
  • click "Next"
  • click "Enable engine"

Via CLI:

vault secrets enable transit

Step 2 - create or import key

Via web ui:

  • go to the vault web ui
  • select "Secrets engines"
  • select "Transit" engine
  • select "Create encryption key"
  • enter key name (YOU_KEY_NAME)
  • select "ed25519" type
  • click "Create encryption key"

Via CLI:

vault write -f transit/keys/YOU_KEY_NAME type=ed25519

Google KMS

Soon. Please contact us if you want to use it

Azure KMS

Soon. Please contact us if you want to use it