Open danielnordh opened 1 year ago
Bluewallet encryption strategy
Different UX goals / threat levels Self inflicted vs bad actor risk
Scenarios - Self inflicted
Scenarios - Bad actor
Different Goals
"ideally the HSM has the ECC firmware, BIP32 knowledge etc. to sign. even a LN state machine to securely sign LN transactions. then the key doesn't need to move to main memory."
Creating and using the key in an HSM would be great, and fall into the 'max bad actor protection' category. I'm not sure BDK (or LDK) currently supports this in any practical way though, plus you are left without the opportunity to save or back up the key outside the device at all. Might be more practical for multisig wallets where keys can be replaced?
How could this be made practical?
@danielnordh phone manufacturers will need to improve their firmware
iOS jailbreak status
Any new developer creating a bitcoin wallet will want to know best practices for storing the private key information for users.
Should include
What should be saved?
To easily handle both daily usage and backup scenarios, save the following:
Onchain
Lightning (additional)
Encryption options
As we'll see, adding a layer of encryption (other than default OS encryption) is almost always recommended. Should explain both what algorithm (AES-GCM?), and what options for picking the key are available.
Storage options
Save as file in app data directory: Not recommended. By storing the data as a text or binary file in the application's data directory you have access to it directly; it is, however, not very secure from a bad actor.
Save as encrypted file in app directory: By adding your own additional encryption to the data you can potentially mitigate the risk of a bad actor getting their hands on the private keys. This can include other risks and complexity for the user; see the encryption section.
Save in user preferences
Save in device keychain
Save encrypted in device keychain
Save encrypted to user's cloud container (iCloud, Google Drive, will only work if enabled)
Use decoupled client / server model, i.e. Photon
Questions to answer for each option
OS Device backups
Android
OS Individual app backups
Android
Android specific nuggets
iOS
Protect against
Self inflicted