near / near-contract-helper

Micro-service used by NEAR Wallet to store & send recovery methods
MIT License

Where/How to Store Private Keys for Web Wallet 2FA Support? #149

Open mattlockyer opened 4 years ago

mattlockyer commented 4 years ago

Looking for feedback on this.

We need to come up with a secure method of storing our keys that provide the 2nd Factor for users that have enabled 2FA with web wallet.

Since we need the keys to be usable we will have to have access via code + env vars, but they should be encrypted at rest.

I'm a little in the dark re: this repo's deployment, where the Postgres database is hosted, if there are any protections already in place and if they are sufficient. Please illuminate!

vgrichina commented 4 years ago

We can generate an effectively unlimited number of keys from one private seed (supplied in env variable) and account name. Ideally that would happen on some kind of HSM, but I think it is out of scope for MVP.
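The derivation suggested in the comment above, sketched as an added example that is not code from this thread or from near-contract-helper. The use of HKDF-SHA256, the env var name `TWO_FA_MASTER_SEED`, the `2fa-key:` label and the function names are all assumptions made for illustration.

```javascript
// Added example: per-account Ed25519 2FA keys derived from one master seed.
const crypto = require('node:crypto');

// DER prefix of the PKCS#8 wrapper around a raw 32-byte Ed25519 seed (RFC 8410).
const PKCS8_ED25519_PREFIX = Buffer.from('302e020100300506032b657004220420', 'hex');

// Hypothetical env var name; the value is hex and at least 32 bytes long.
function loadMasterSeed(env = process.env) {
  const hex = env.TWO_FA_MASTER_SEED || '';
  if (!/^([0-9a-f]{2}){32,}$/i.test(hex)) {
    throw new Error('TWO_FA_MASTER_SEED must be >= 32 bytes of hex');
  }
  return Buffer.from(hex, 'hex');
}

// HKDF-SHA256 (RFC 5869) with the account name bound into `info`: every
// account gets an independent 32-byte seed, nothing per-account is stored,
// and a leaked child key reveals neither the master seed nor sibling keys.
function deriveAccountKey(masterSeed, accountId) {
  if (typeof accountId !== 'string' || accountId.length === 0) {
    throw new Error('accountId required');
  }
  const info = Buffer.from(`2fa-key:${accountId}`, 'utf8'); // assumed label
  const childSeed = Buffer.from(
    crypto.hkdfSync('sha256', masterSeed, Buffer.alloc(0), info, 32));
  const privateKey = crypto.createPrivateKey({
    key: Buffer.concat([PKCS8_ED25519_PREFIX, childSeed]),
    format: 'der',
    type: 'pkcs8',
  });
  // The SPKI DER encoding of an Ed25519 key ends with the raw 32-byte public key.
  const spki = crypto.createPublicKey(privateKey).export({ format: 'der', type: 'spki' });
  return { privateKey, publicKey: spki.subarray(spki.length - 32) };
}

// Constructed sample seed and account name, for demonstration only.
const demoSeed = loadMasterSeed({ TWO_FA_MASTER_SEED: '11'.repeat(32) });
const alice = deriveAccountKey(demoSeed, 'alice.near');
const sig = crypto.sign(null, Buffer.from('confirm tx'), alice.privateKey);
console.log(alice.publicKey.toString('hex'), sig.length);
```

Because every child key is recomputable from the seed, the seed is the single secret to protect; rotating it changes every derived key at once.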