Signchain Docs

Home>Get Started>Security Considerations

Security Considerations

Security is at the heart of Signchain’s design, aiming to keep your blockchain operations secure, flexible, and compliant. In this guide, we cover essential security best practices, configurations, and considerations to ensure a safe Signchain experience.

1. Protecting Private Keys

Your private keys are central to the security of your blockchain operations. In both hosted and self-hosted setups, it's critical to manage keys properly.

Signchain Hosted Vault

For users of the Signchain Hosted Vault:

  • Data Encryption: Signchain encrypts your private key data, preventing unauthorized access.
  • Limited Access: Signchain staff cannot access plaintext keys. Internal access controls and encrypted key management ensure your keys are handled securely.
  • Key Rotation: Rotate your contract signer addresses periodically to reduce the risk of compromised access. The Signchain Dashboard provides tools for easy wallet rotation.

Self-Hosted Vault

For self-hosted vaults:

  • Self-Custody: You retain full custody of your private keys, as Signchain does not store them. Keys are stored and decrypted within your infrastructure.
  • Encrypted Storage: Configure encrypted storage on your servers. For maximum security, use a Hardware Security Module (HSM) or similar technology to store keys.
  • Access Control: Restrict access to the vault server to only authorized IP addresses and users. Use firewalls and VPNs to safeguard server access.

2. Securing API Authentication

API keys are essential for authenticating requests to Signchain. Follow these guidelines to protect your API credentials.

  • Keep API Keys Secret: Never expose your API keys in client-side code or public repositories. Ensure they are only accessible in your server environment.
  • Environment Variables: Store API keys in secure environment variables and use a configuration management tool to manage them.
  • Access Control: Use the VAULT_AUTH_SECRET_KEY in self-hosted vault setups. This secret key is required to validate requests from your backend API to your vault, adding a layer of protection against man-in-the-middle (MITM) attacks.

Example: For every API request that interacts with private key data, send a signature in the X-Vault-Auth-Signature header. Only the backend and self-hosted vault know this secret, and the requests cannot be replayed due to unique nonces and expiration times.

3. Rate Limiting & Request Validation

Rate limiting is essential to protect your setup from abuse and potential denial-of-service (DoS) attacks.

  • Subscription Rate Limits: Review your Subscription Plan to understand your request limits. Monitor API usage in the Signchain Dashboard to stay within safe limits.
  • Implement Backoff Strategies: Implement exponential backoff or circuit-breaking logic to handle situations where you approach your rate limits.
  • Input Validation: Validate all API inputs to prevent injection attacks or malformed requests. When using custom inputs, sanitize them before sending to the Signchain API.

4. Regular Key Rotation

Regular key rotation is a fundamental security measure to minimize the risk of unauthorized access.

  • Vault Key Rotation: Rotate your Vault Key periodically from the Signchain Dashboard. This key is used to encrypt private keys in self-hosted setups, and periodic updates enhance security.
  • API Key Rotation: Avoid using the same API key indefinitely. Create new keys when team members change or if your project grows in scope.

Tip: Schedule key rotation as part of your operational security checklist.

5. Configuring Access Control

Access control is crucial for maintaining a secure environment, especially in multi-user or enterprise setups.

  • Assign Roles in the Dashboard: Use the Users section in the Dashboard to set user roles and restrict permissions.
  • Limit Admin Access: Only assign admin roles to trusted personnel who need full access. Use Manager, Developer, and Read-Only roles to control access based on function.
  • Use Multi-Signature Wallets: For sensitive operations, consider using a multi-signature wallet controlled by multiple users. By using OpenZeppelin's Ownable contract, you can set the owner to a multisig wallet to prevent unauthorized access to functions like setSigner.

6. Network Security

Implement strong network security measures to prevent unauthorized access to your Signchain vaults and API.

  • IP Whitelisting: Restrict access to the self-hosted vault server by whitelisting IP addresses.
  • SSL/TLS Encryption: Ensure that your vault and API server support HTTPS to protect data in transit. Configure SSL/TLS certificates and enforce strong ciphers.
  • Firewalls: Use network firewalls to block unwanted traffic and isolate the vault server from public exposure. Only allow incoming connections from trusted sources.

7. Monitoring & Logging

Implement logging and monitoring to detect potential security issues before they escalate.

  • Access Logs: Enable logging on your vault server to track access attempts, successful logins, and changes made to sensitive configurations.
  • Monitor API Usage: The Signchain Dashboard provides visibility into API usage. Set up alerts for unusual activity, such as unexpected surges in requests or failed access attempts.
  • Set Alerts: Configure alerts for threshold events, such as low credit balances or approaching rate limits. Monitoring credit usage is particularly important for maintaining seamless service.

8. Protecting Against Replay Attacks

Replay attacks can compromise your setup by re-sending previously captured requests. Signchain includes mechanisms to prevent these attacks, but here’s how you can strengthen your defenses.

  • Use Nonces and Expiration: Signchain’s self-hosted vault API enforces nonces and expiration times for secure requests. Always include these values in sensitive requests.
  • Enable Expiry Caching: Signchain’s API automatically rejects expired requests. To enhance this, configure cache settings on your server to avoid re-sending cached requests.

9. Reviewing Documentation Regularly

Signchain’s platform evolves with new features and updates, so regularly review documentation for new security guidelines and updates.

  • Stay Updated: Subscribe to the Signchain mailing list to be notified of new releases, security patches, and updates.
  • Refer to Security Documentation: Always review Signchain’s Security Best Practices documentation for the latest insights into securing your vault and API access.

Need Help?

Security can be complex, but it’s essential for protecting your blockchain operations. For specific security questions or further assistance, reach out to Signchain Support.

By implementing these security practices, you ensure that your Signchain setup remains resilient against threats and compliant with industry standards.