-
Separation of Duties (Principle of Least Privilege)
-
5 sets of API keys should be created and managed by different stakeholders
-
Read-only: for internal data export as required by Finance, Compliance, etc.
-
Trade: for direct spot trading, OPT, currency exchange, etc.
-
Wallet address whitelist: for wallet address whitelist
-
VA Withdraw: virtual asset withdraw to whitelisted address
-
Fiat Withdraw: fiat withdraw to whitelisted bank account
-
-
The above keys should be managed by their KMS systems and not allowed to be explicitly accessed.
-
Device and Environment Security (Defense-in-Depth)
-
Physical Isolation
-
Key generation/encryption operations must be performed on dedicated secure devices: No network access, no preinstalled software, full-disk encryption enabled.
-
-
System Redundancy
-
Deploy at least two independent key management systems (e.g., Cloud KMS + On-premise HSM) to avoid single points of failure.
-
-
Access Isolation
-
Key management systems must enforce service-level permissions (e.g., IAM role bindings), allowing only authorized services via allowlists.
-
Critical Implementation Recommendations
-
Technical Tools
-
Use Key Management Services (KMS) instead of self-built systems (e.g., AWS KMS/Azure Key Vault/Hashicorp Vault).
-
Enforce key placeholders (e.g.,
${API_KEY}) in development environments, with ciphertext automatically injected via CI/CD pipelines.
-
-
Process Standards
-
Establish a key classification system (e.g., P0-level keys require dual-approval for generation).
-
Conduct quarterly key usage audits to validate permission alignment with actual needs.
-
-
Disaster Recovery
-
Store offline backups of core keys in physical safes (encrypted USB + split paper passwords), controlled jointly by security and admin personnel.
-
-
Attack Surface Reduction
-
Enable memory encryption for services (e.g., Intel SGX/AMD SEV) to prevent memory scanning attacks.
-
Restrict outbound connections at the network layer (only allowing access to essential API domains).
-
Principles Implementation Checklist
-
Is "zero-touch" plaintext key handling implemented? (Generation → Encryption → Destruction ≤5 minutes)
-
Do unencrypted key configuration files exist in production environments?
-
Can developers obtain decryption privileges through any means?
-
Are there unaudited super-admin accounts in the key management system?
Comments
0 comments
Article is closed for comments.