NFT Digital Assets With Bank-Grade Cloud Security using AWS KMS

Authors: Chris De Leon, Dylan Zhou, Victor Fang from AnChain.AI

San Francisco, CA. June 28, 2021

Non-fungible tokens (NFTs) are the most recent and, perhaps, the most rapidly adopted digital asset enabled by blockchain smart contract technology. Early 2021 marked a period of explosive growth for NFTs, which have rapidly infiltrated the mainstream to the tune of a $69 Million dollar Christie’s auction and NBA Top Shot’s seven-figure userbase, and ballooned into a market totalling over $2 Billion in quarterly revenue. But with this unprecedented mainstream attention comes a looming billion dollar question:

How can we manage and secure this hypergrowth without stifling its potential?

The answer is bank-grade cloud security. A good start is to leverage Amazon’s AWS Key Management Service (KMS). The AnChain.AI team, developing full-service, secure digital asset platforms since 2018, shares best practices of building secure digital asset platforms in this blog, partnering with the Dapper Labs Flow blockchain team.

What Exactly is KMS?

AWS KMS provides bank-grade protection for managing cryptographic keys. KMS is based on a device called a hardware security module (HSM). Every AWS cryptographic service is backed by a FIPS 140-2 validated HSM. All interactions involving your cryptographic keys are performed in the HSM itself, which ensures that every exchange is private and secured. On top of that, none of your generated keys can leave the HSM unencrypted, which helps minimize the possibility of compromise when being used in your application. KMS can be used for encrypting / decrypting and signing / verification. Both of which have practical applications when developing an app on Flow, as we’ll see in the following sections.


Why Should I Even Use KMS?

Now, why even bother using such a high level of security in your application? Wouldn’t it be enough to secure your secret blockchain-related info in environment variables? For small scale projects this may suffice, but for a larger project, in which the application processes millions of dollars worth of NFTs per second, integrating KMS into your application is well worth the investment.

Take the Flow blockchain for example. All accounts on Flow can have one or more public-private key pairs. The public key is used for encrypting data while the private key, which should only be known to the account owner, is used for decrypting data. Whenever the user wants to perform an action that may modify their Flow account, they must provide their private key for authorization. This ensures that data can only be deciphered by the intended recipient, and forms the basis of asymmetric cryptography.

It’s no exaggeration to say that possession of your private key is the defining factor in you owning and controlling your Flow account. If a bad actor somehow learns your private key you are, to put it bluntly, completely screwed. So far as your account, Flow tokens, NFTs, and other valuables are concerned, that person is every bit as much of an account owner as you are. They could then sell it to fund all sorts of nefarious activities, make ridiculous purchases, or simply take your stuff and vanish.

To make matters worse, the recovery of digital assets is a notoriously time-consuming, difficult, and expensive process - as we at AnChain.AI, one of the world’s premier and only blockchain forensic service providers, have learned - and a single moment’s inattention or carelessness with your private key can set this entire avalanche of devastating effects into a motion.

Don’t take the risk. Having a strong system in place to protect your private key should be a top priority on a production system.

How Can I Use KMS?

Integrating KMS into your Node.js Flow project is very straightforward. The package we recommend is fcl-kms-authorizer, which was designed by the Flow community. As long as you’ve gone through the necessary steps to set up AWS KMS (which can be found on the repo’s README page), using the “fcl-kms-authorizer” package to protect your Flow private key takes little to no effort:

And voila! Now we can use `autho