Banzai Cloud Bank-Vaults as KMS solution for private shards
April 7, 2023
Calimero offers Private Shards as a Service. As a part of the service, Calimero has built a private Key Management Service (KMS) solution using the Banzai Cloud Bank-Vaults project.
KMS is a critical component in ensuring the security and integrity of transactions in a blockchain network. KMS is used to securely store and manage cryptographic keys, which are used to sign transactions in the network.
In a blockchain network, when a transaction is initiated by a user, it is first hashed to produce a fixed-length string that uniquely represents the transaction. This hash is then signed using the private key of the user who initiated the transaction. The signature, along with the transaction hash, is then broadcast to the network and validated by other nodes.
KMS plays a crucial role in this process by securely storing the private keys of users and allowing them to sign transactions without exposing their private keys to the network. KMS can also be used to generate new keys, revoke old keys, and rotate keys as needed to ensure the security of the network.
In addition, KMS can be used to implement multi-factor authentication, where multiple keys or devices are required to sign a transaction. This can provide an extra layer of security to prevent unauthorized transactions or attacks on the network.
Overall, Key Management Service is a critical component in ensuring the security and integrity of transactions in a blockchain network by securely storing and managing cryptographic keys.
Which functionalities does Calimero require from the KMS solution?
As mentioned earlier, KMS is a critical component in ensuring the security and integrity of transactions in a blockchain network by securely storing and managing cryptographic keys. Private keys stored in KMS are never exposed. The NEAR protocol uses the Ed25519 signature algorithm, so the Calimero KMS must be able to store Ed25519 keys and perform cryptographic operations with them. The KMS solution must support the following set of operations:
get public key
Additionally, to tighten security, Calimero requires that the KMS solution is not accessible from outside of the Calimero infrastructure.
We chose HashiCorp's Vault to implement our KMS. It provides a transit secrets engine that prevents keys from being exported and performs all the cryptographic operations we require without exposing the keys. Vault is also well known in the industry. However, HashiCorp Vault is quite complex to operate in production, and the hosted and enterprise versions in HashiCorp's offering are pricey. So in the end we opted for the Banzai Cloud Bank-Vaults project.
Bank-Vaults is an umbrella project that provides various tools to make using and operating HashiCorp Vault easier. It includes a wrapper for the official Vault client with automatic token renewal and built-in Kubernetes support, and a dynamic database credential provider for Go database/sql based clients. It has a CLI tool that automatically initializes, unseals, and configures Vault. It also provides a Kubernetes operator for provisioning Vault instances and a mutating webhook for injecting secrets into pods.
As mentioned in one of our previous articles, Deploying NEAR full nodes inside Kubernetes, Calimero uses Kubernetes as its container orchestration solution. We are going to utilize the Banzai Cloud Bank-Vaults Kubernetes operator, which allows Calimero to provision and auto-unseal new Vault instances on demand in a fully automated manner. Each customer that creates a Private Shard in Calimero gets its own KMS instance. This adds an additional layer of security because only the components of a single shard can communicate with the dedicated KMS instance.
Bank-Vaults operator setup and KMS instance per shard
The following section dives deep into the Banzai Cloud Bank-Vaults integration with Calimero. First, we take a look at how to deploy the Bank-Vaults operator; after that, we discuss how to integrate KMS with the Private Shard components.
The Banzai Cloud Bank-Vaults operator setup is pretty straightforward. It consists of installing the CRDs and deploying the operator. We are going to use the official Helm chart for that purpose, tweaking the default values a bit for our use case.
Once the Banzai Cloud Bank-Vaults operator and its CRDs are installed we are ready for the next step, but before that let's discuss a bit how Calimero Network works.
Calimero Console is the main component in the Calimero Network infrastructure; its responsibility is provisioning and configuring Private Shards. A Private Shard has multiple components, but we can break them down into two parts: full NEAR nodes and supporting services that provide a full Blockchain as a Service experience. One of the supporting services is KMS, which Console has to provision and configure before a Private Shard is spun up. Once the Private Shard is running, our Wallet API component uses KMS when signing transactions.
Since we are running Private Shards in Kubernetes, we can leverage the native Kubernetes auth flow when interacting with KMS. This eases integration with the KMS and additionally strengthens security because it uses the Kubernetes Service Account token to issue short-lived KMS tokens. Using the Kubernetes Service Account token has two additional security benefits. Firstly, at any point in time we can remove a certain Kubernetes Service Account from the allowed list in the KMS configuration, and all applications that use that Service Account immediately lose access to KMS. Secondly, Kubernetes Service Accounts support automounting of the token, which means we never expose that token outside of the running pod.
As mentioned before, we are going to use a transit secrets engine. Actually, we are going to use two transit engines: one stores the keys used on the NEAR side and the other stores the keys used on the Calimero side. We allow the Console to access both transit engines, while Shard components can only access the Calimero-side transit engine. We utilize two Vault features to implement this. First, we define policies that state which operations are allowed on a certain path. After that, we bind those policies to roles. Roles are mapped to a combination of Kubernetes Service Account and Kubernetes Namespace.
The following example is from a Developer Private Shard, so it runs Vault in single-instance mode with durable storage. Auto-unseal is performed using a Kubernetes Secret object.
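To make the policy and role model above concrete, here is an added example of a Bank-Vaults Vault custom resource for one per-shard KMS instance, written for this article rather than taken from Calimero's own manifests. It uses the operator's externalConfig section to mount two transit engines, define a Console policy and a Shard-component policy, and bind each policy to a Kubernetes Service Account and Namespace through the Kubernetes auth method. The mount paths (transit-near, transit-calimero), the service account names (console, wallet-api), the namespaces (calimero, shard-dev), the image tag and the storage size are all assumptions chosen for illustration; the field names are those of the Bank-Vaults Vault CRD.

```yaml
# Added example (not the post's own manifest): a Bank-Vaults "Vault" custom
# resource for one per-shard KMS instance. Values marked ASSUMED are illustrative.
apiVersion: vault.banzaicloud.com/v1alpha1
kind: Vault
metadata:
  name: shard-kms                 # ASSUMED instance name
  namespace: shard-dev            # ASSUMED shard namespace
spec:
  size: 1                         # single-instance mode (Developer Private Shard)
  image: vault:1.13.0             # ASSUMED version; pin the one you actually run
  bankVaultsImage: ghcr.io/banzaicloud/bank-vaults:latest
  serviceAccount: vault           # SA the Vault pod and the Bank-Vaults unsealer run as
  serviceType: ClusterIP          # not reachable from outside the cluster

  # Durable storage: a PVC mounted where Vault's file backend writes.
  volumeClaimTemplates:
    - metadata:
        name: vault-file
      spec:
        accessModes: ["ReadWriteOnce"]
        resources:
          requests:
            storage: 1Gi          # ASSUMED size
  volumeMounts:
    - name: vault-file
      mountPath: /vault/file

  # Auto-unseal: Bank-Vaults keeps the unseal keys in a Kubernetes Secret
  # in this namespace and unseals the pod automatically after restarts.
  unsealConfig:
    kubernetes:
      secretNamespace: shard-dev

  # Rendered by the operator into Vault's own configuration file.
  config:
    storage:
      file:
        path: /vault/file
    listener:
      tcp:
        address: "0.0.0.0:8200"
        tls_cert_file: /vault/tls/server.crt   # generated by the operator
        tls_key_file: /vault/tls/server.key
    ui: false

  # Applied by the Bank-Vaults configurer once Vault is unsealed.
  externalConfig:
    # Two transit engines: NEAR-side keys and Calimero-side keys.
    secrets:
      - path: transit-near
        type: transit
        description: Keys used on the NEAR side
      - path: transit-calimero
        type: transit
        description: Keys used on the Calimero side

    policies:
      # Console provisions keys in both engines (keys/<name> covers create,
      # read public key, rotate and delete) and may sign and verify with either.
      - name: console
        rules: |
          path "transit-near/keys/*"       { capabilities = ["create", "read", "update", "delete", "list"] }
          path "transit-near/sign/*"       { capabilities = ["update"] }
          path "transit-near/verify/*"     { capabilities = ["update"] }
          path "transit-calimero/keys/*"   { capabilities = ["create", "read", "update", "delete", "list"] }
          path "transit-calimero/sign/*"   { capabilities = ["update"] }
          path "transit-calimero/verify/*" { capabilities = ["update"] }
      # Shard components (Wallet API) only see the Calimero-side engine and
      # cannot create, rotate or delete keys; the NEAR-side engine is not listed at all.
      - name: wallet-api
        rules: |
          path "transit-calimero/keys/*"   { capabilities = ["read"] }   # get public key
          path "transit-calimero/sign/*"   { capabilities = ["update"] } # sign
          path "transit-calimero/verify/*" { capabilities = ["update"] } # verify

    # Kubernetes auth: each role binds a policy to (Service Account, Namespace).
    # Removing a service account from a role revokes that workload's access.
    auth:
      - type: kubernetes
        roles:
          - name: console
            bound_service_account_names: ["console"]        # ASSUMED SA name
            bound_service_account_namespaces: ["calimero"]  # ASSUMED Console namespace
            policies: ["console"]
            ttl: 1h                                         # short-lived KMS tokens
          - name: wallet-api
            bound_service_account_names: ["wallet-api"]     # ASSUMED SA name
            bound_service_account_namespaces: ["shard-dev"]
            policies: ["wallet-api"]
            ttl: 1h
```

The manifest only mounts the engines and sets the access rules; the Ed25519 keys themselves are created at runtime by the component holding the console policy, through the transit API (the CLI equivalent is vault write transit-near/keys/<key-name> type=ed25519), and transit never returns the private key material. Because sign and verify are update operations on sign/<name> and verify/<name>, a policy that grants only read on keys/* lets a component fetch a public key without being able to sign, which is the least-privilege split to check when reviewing a shard's policies.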
In conclusion, Calimero's Private Shards as a Service is a comprehensive solution for enterprises and organizations looking to securely manage their blockchain networks. With its private Key Management Service built using the Banzai Cloud Bank-Vaults project, Calimero provides an added layer of security and peace of mind to its customers. By securely storing and managing cryptographic keys, KMS plays a crucial role in ensuring the authenticity and integrity of transactions on the network. With the ability to generate new keys, revoke old ones, and implement multi-factor authentication, Calimero's KMS is a valuable tool for any organization seeking to operate a secure and reliable blockchain network.