NFT Digital Assets With Bank-Grade Cloud Security using AWS KMS

Authors: Chris De Leon, Dylan Zhou, Victor Fang from AnChain.AI

San Francisco, CA. June 28, 2021

Non-fungible tokens (NFTs) are the most recent and, perhaps, the most rapidly adopted digital asset enabled by blockchain smart contract technology. Early 2021 marked a period of explosive growth for NFTs, which have rapidly infiltrated the mainstream to the tune of a $69 Million dollar Christie’s auction and NBA Top Shot’s seven-figure userbase, and ballooned into a market totalling over $2 Billion in quarterly revenue. But with this unprecedented mainstream attention comes a looming billion dollar question:

How can we manage and secure this hypergrowth without stifling its potential?

The answer is bank-grade cloud security. A good start is to leverage Amazon’s AWS Key Management Service (KMS). The AnChain.AI team, developing full-service, secure digital asset platforms since 2018, shares best practices of building secure digital asset platforms in this blog, partnering with the Dapper Labs Flow blockchain team.

What Exactly is KMS?

AWS KMS provides bank-grade protection for managing cryptographic keys. KMS is based on a device called a hardware security module (HSM). Every AWS cryptographic service is backed by a FIPS 140-2 validated HSM. All interactions involving your cryptographic keys are performed in the HSM itself, which ensures that every exchange is private and secured. On top of that, none of your generated keys can leave the HSM unencrypted, which helps minimize the possibility of compromise when being used in your application. KMS can be used for encrypting / decrypting and signing / verification. Both of which have practical applications when developing an app on Flow, as we’ll see in the following sections.


Why Should I Even Use KMS?

Now, why even bother using such a high level of security in your application? Wouldn’t it be enough to secure your secret blockchain-related info in environment variables? For small scale projects this may suffice, but for a larger project, in which the application processes millions of dollars worth of NFTs per second, integrating KMS into your application is well worth the investment.

Take the Flow blockchain for example. All accounts on Flow can have one or more public-private key pairs. The public key is used for encrypting data while the private key, which should only be known to the account owner, is used for decrypting data. Whenever the user wants to perform an action that may modify their Flow account, they must provide their private key for authorization. This ensures that data can only be deciphered by the intended recipient, and forms the basis of asymmetric cryptography.

It’s no exaggeration to say that possession of your private key is the defining factor in you owning and controlling your Flow account. If a bad actor somehow learns your private key you are, to put it bluntly, completely screwed. So far as your account, Flow tokens, NFTs, and other valuables are concerned, that person is every bit as much of an account owner as you are. They could then sell it to fund all sorts of nefarious activities, make ridiculous purchases, or simply take your stuff and vanish.

To make matters worse, the recovery of digital assets is a notoriously time-consuming, difficult, and expensive process - as we at AnChain.AI, one of the world’s premier and only blockchain forensic service providers, have learned - and a single moment’s inattention or carelessness with your private key can set this entire avalanche of devastating effects into a motion.

Don’t take the risk. Having a strong system in place to protect your private key should be a top priority on a production system.

How Can I Use KMS?

Integrating KMS into your Node.js Flow project is very straightforward. The package we recommend is fcl-kms-authorizer, which was designed by the Flow community. As long as you’ve gone through the necessary steps to set up AWS KMS (which can be found on the repo’s README page), using the “fcl-kms-authorizer” package to protect your Flow private key takes little to no effort:

And voila! Now we can use `authorization` to authorize Flow transactions without having to load your private key from an environment variable:

While the example above only runs a very simple transaction, it can be adapted quite easily to run transactions that interact with a deployed Flow smart contract. This makes fcl-kms-authorizer a very attractive option when developing an app with the Flow client library. To take this example a step further, we can also group together functions that require KMS authorization to create an admin server. This server can then be protected using AWS whitelist settings, allowing us to keep admin-level privileges localized to authorized developers. FLOW also gives developers the ability to generate multiple partially-weighted keys, which can be combined with the strategy above to substantially decrease potential security issues with your private keys.

There are, however, a few caveats to keep in mind when using this package. At the moment, the fcl-kms-authorizer package only supports ECDSA_secp256k1 and SHA-3 for signing and hashing, so be sure that the Flow key you want to protect with KMS is set up with these algorithms. When setting up your KMS key, these algorithms correspond to the last row in the following table:


Conclusion and outlook

In this article, we’ve taken a look at one of the best practices for securing a Flow private key in your application, and highlighted both the importance of keeping your private key secure and the benefit of using AWS KMS to manage and protect the key.

The Dapper Labs’ Flow blockchain has excellent client side library support for KMS, and the AnChain.AI team strongly recommends that all serious digital asset platform developers leverage AWS KMS to securely handle their private keys.

In our next article, we will discuss how KMS in concurrent private secure transactions. Particularly useful for high throughput digital asset platforms if you are building the next NBA Top Shot. Stay tuned.


We are grateful for valuable technical discussions: Yitao Wang from Affirm Inc. and Albert Khasky from Dapper Labs.

Building a secure digital asset platform? Love NFTs? Talk to our experts: or chat with us on Twitter @AnChainAI, and subscribe to the AnChain.AI mailing list for more technical tips.


About AnChain.AI

AnChain.AI is a leading digital asset platform company providing secure and compliant blockchain-enabled solutions, founded in 2018 by cybersecurity and enterprise software veterans. Backed by Silicon Valley and Wall Street VC’s and the Berkeley Blockchain Xcelerator, AnChain.AI is servicing 100+ customers from over 20 countries, screening over $80 Billion in daily transactions, is trusted by leading virtual asset service providers, financial institutions, governments, and has been featured in CBS News, MIT Tech Review, Coindesk, and DEF CON. More at:

About Flow blockchain

‍Flow is a fast, decentralized, and developer-friendly blockchain, designed as the foundation for a new generation of games, apps, and the digital assets that power them. It is based on a unique, multi-role architecture, and designed to scale without sharding, allowing for massive improvements in speed and throughput while preserving a developer-friendly, ACID-compliant environment.

Flow empowers developers to build thriving crypto- and crypto-enabled businesses. Applications on Flow can keep consumers in control of their own data; create new kinds of digital assets tradable on open markets accessible from anywhere in the world; and build open economies owned by the users that help make them valuable.