cardano-foundation / cardano-wallet

HTTP server & command-line for managing UTxOs and HD wallets in Cardano.
Apache License 2.0

Store keys in Hashicorp Vault #3843

Open HariAmoor-professional opened 1 year ago

HariAmoor-professional commented 1 year ago

The problem that you wish to solve

Enterprises and SMBs need to store their keys in a professionally-managed private key infrastructure in order to have proper OpSec over a large amount of ADA (I say this as someone who dreams of becoming a whale one day!). Unfortunately, this has been impossible so far b/c Cardano requires EdDSA with BLAKE-256 hashing.

Description

The easiest possible integration is Hashicorp Vault for the following reasons:

This is a huge boon to wallet providers like Nami, Eternl, and Typhon, which all depend on this repo; their projects would be deployable over keys stored in an enterprise-ready KMS, so it's possible that the maintainers could sell licensed versions of those projects on top of this feature to help with funding.

Implementation suggestions

In order to get around the Golang thing, compile the Vault client as given above with Nix on your own, e.g., using dream2nix with the c-shared build-mode, and use Haskell's extern bindings to FFI into it. After that, you can just create a backend for it in cardano-wallet as one would with Ledger or Trezor.

david-a-clark commented 1 year ago

Thank you for your suggestion in improving the security and accessibility of Cardano for enterprise and SMB users. Integration with Hashicorp Vault is not something currently on our product roadmap. As such, we need to investigate this idea to understand the feasibility and potential impact of integrating with Hashicorp Vault. We also need to determine the priority of this against other planned items before we can commit to delivering it. Unfortunately there is only so much we can progress at any given time.

It is an idea we like as a team, and we do understand the potential benefits that Vault could bring to wallet providers and enterprise users. We will keep your suggestion in mind as we continue to explore ways to improve the Cardano ecosystem. Any updates we have in relation to progressing this and its inclusion on our product roadmap will be provided here.

In the meantime, please continue to share any ideas or feedback you have with us. We value input from our community and strive to incorporate it whenever possible.

HariAmoor-professional commented 1 year ago

Sure; it's just a suggestion at this point, so please keep it in mind.

I'd like to make this contribution myself, but unfortunately, it requires a bit of investigation and a scoping discussion.

If IOG ever has some cash or coins to spare, I'm sure we could work out a consulting engagement 😉 I've worked on Haskell-related projects both inside and outside of Cardano in the past; I'd be able to provide whatever you need from my side 😂