The execution of cryptographic operations (key pair generation, address derivation and signing), together with the enforcement of the surrounding business logic, must take place in a secure and reliable environment.
For this to work, Zodia Custody must have assured access to a hardware security module (HSM) while keeping a trusted operating system that does not constrain the applications running on it.
Today, data security can be achieved through a variety of means such as TEEs, HSMs, and hardened operating systems (OS).
Take the example of a Trusted Execution Environment (TEE): a hardware-isolated execution context that processes data according to defined rules without anyone, not even the system administrator of the host, being able to read the data set.
Because the component can be remotely attested, a remote party can verify what code is running before trusting it with data, which makes a TEE usable on a decentralised network. A TEE also supports the right to delete the data held within it.
Another building block is the hardened OS, for example ARCA Trusted OS, a secure container orchestration platform composed of a hardened Linux-based operating system combined with a Kubernetes orchestrator. This hardened OS is a micro distribution designed specifically to run containerised applications, with an attack surface much smaller than that of a general-purpose Linux OS.
The Kubernetes layer comes with secure default settings and a set of curated components that allow easy cluster bootstrapping and management, and secure data exchange between pods and nodes. It also allows workloads to be run under sandboxed container runtimes such as gVisor (a user-space kernel) and Kata Containers (lightweight virtual machines), which isolate a pod from the host kernel far more strongly than the default runtime, and, on hardware that provides one, inside a hardware-based trusted execution environment.
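To make the runtime selection concrete, here is how a Kubernetes cluster exposes sandboxed runtimes to workloads. This is an added illustration, not ARCA Trusted OS or CYSEC configuration: the RuntimeClass API (node.k8s.io/v1) is standard Kubernetes, but the handler names `runsc` and `kata`, the RuntimeClass names `gvisor` and `kata`, and the image name are assumptions and must match what the node's container runtime has actually been configured with.

```yaml
# Added example (not ARCA/CYSEC configuration). Two RuntimeClass objects map a
# cluster-visible name to a runtime handler configured on the nodes. The handler
# strings "runsc" (gVisor) and "kata" (Kata Containers) are assumed; they must
# match the runtime handlers registered in the node's containerd configuration.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc
---
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: kata
handler: kata
---
# A signing-service pod pinned to the gVisor sandbox. runtimeClassName is the
# only field that differs from an ordinary pod; the remaining securityContext
# settings are the usual hardening a signer should carry regardless of runtime.
# The image reference is a placeholder (assumption).
apiVersion: v1
kind: Pod
metadata:
  name: signer
spec:
  runtimeClassName: gvisor        # switch to "kata" for VM-level isolation
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: signer
    image: example.invalid/signer:1.0   # placeholder image, not a real artifact
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]
```

Two checks are worth running after applying this. `kubectl get runtimeclass` should list both classes; if the referenced RuntimeClass object does not exist, the API server rejects the pod at admission rather than scheduling it. If the object exists but the node's container runtime has no handler by that name, the pod is accepted but fails to start, and `kubectl describe pod signer` shows the runtime error, so a pod that reports `Running` under `runtimeClassName: gvisor` is a reasonable sign that the sandbox is actually in use.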
Applications running on ARCA Trusted OS can use CYSEC's cryptographic service through a gRPC API. This API gives access to cryptographic primitives backed either by a purely software-based backend or by a FIPS-certified hardware security module (HSM). The cryptographic service also takes advantage of the clustered nature of Kubernetes deployments: cryptographic material is synchronised across all nodes of the cluster, so the service keeps working when individual nodes fail, which is the level of resilience Zodia Custody requires in its security requirements.