Fireblocks Announces Support for AWS Nitro Enclaves

Fireblocks has announced its support for Amazon Web Services (AWS) Nitro Enclaves, a significant development aimed at enhancing security for its customers. This new feature allows Fireblocks customers building products on AWS to utilize Nitro Enclaves to run their Fireblocks API Co-Signer, according to fireblocks.com.

Fireblocks x AWS Nitro Enclaves

Fireblocks employs an API Co-Signer to hold customers’ Multi-Party Computation (MPC) signing key shares and configuration keys. The key shares are pivotal in the MPC signing of digital asset transactions, while the configuration keys approve modifications to the Fireblocks Workspace.

With the integration of AWS Nitro Enclaves, Fireblocks customers can now choose to utilize this secure environment for their API Co-Signer. This requires a specific deployment process. Fireblocks uses MPC algorithms to generate and distribute private key shards, ensuring that a complete private key never exists in a single location. These key shards are stored in Fireblocks’ servers and the customer's mobile device or co-signer server, either on-premises or in a public cloud, to sign transactions in a trustless manner. This setup ensures no single party, including Fireblocks, can become a single point of failure.

To enhance security, all operations involving these shards are conducted within secure environments, such as AWS Nitro Enclaves. This ensures sensitive data is never exposed or manipulated, whether in storage or in use. Once decrypted inside the secured Nitro enclave, the API Co-Signer uses the key shares and configuration keys stored in the database to sign transactions and approve operations. Even if another party gains control over the server's operating system, private key information cannot be extracted from these enclaves as they remain encrypted.

In addition to AWS Nitro Enclaves, Fireblocks supports multiple secure enclaves for private key management, including Intel SGX and Hardware Security Modules (HSMs).