Comparing Ledger Nano S and AWS KMS with Signatory: Enhancing Security and Reliability for Tezos Bakers
I. Introduction
In the ever-evolving landscape of blockchain and cryptocurrency, security remains a top priority, particularly for validators, who play a vital role in maintaining the integrity of decentralised networks like Tezos. Validators, known as bakers in Tezos, are responsible for proposing and endorsing blocks. Keeping their signing keys safe is crucial: a leaked baking key lets an attacker spend the bond held on the baker's address, and a key that signs the same block or endorsement twice exposes the baker to slashing. In this article, we delve into two methods of securing Tezos baking keys: the traditional approach using the Ledger Nano S hardware wallet, and Amazon Web Services (AWS) Key Management Service (KMS) combined with Signatory, a remote signing daemon developed by ECAD Labs.
Blockshard was the first Tezos baker to leverage the new consensus key feature introduced with the Lima protocol’s activation. In December 2022, we rotated our consensus key, transitioning to a new signing backend for our baking operation. While our previous system, involving an Intel NUC mini PC hosting the Tezos remote signer application and a Ledger Nano S for signing blockchain operations, was highly secure, it required physical presence and manual intervention after reboots to enter a pin into the Ledger device for unlocking. Disabling the pin on the Ledger was not a secure option, as it would grant full access to the private key and the bond stored on the baker’s address to anyone with physical access to the NUC.
As the Lima protocol progressed through the election cycle, we researched and tested alternative methods for baking in Tezos, specifically using a YubiHSM 2 and AWS KMS in conjunction with Signatory signing software for Tezos. In this article, we will focus on the AWS KMS approach and compare it to the standard Tezos baking method, which typically employs a Ledger Nano S.
We aim to provide a comparison that enables Tezos bakers to make well-informed decisions about their key management practices: baking with a Ledger Nano S on one side, and AWS KMS in conjunction with Signatory on the other. By the end of this article, you should have a clear understanding of both methods and be able to determine which best meets your requirements for security and reliability.
II. Ledger Nano S for Tezos Bakers
The Ledger Nano S is a widely used, pocket-sized hardware wallet that supports a broad range of cryptocurrencies, including Tezos. Hardware wallets keep private keys offline, which makes them independent of third parties and resistant to online threats. By keeping the private key inside an isolated secure element, the Ledger Nano S protects users' funds from unauthorised access and from malicious software on the host it is connected to.
The Ledger Nano S is well suited to Tezos baking because it offers a dedicated baking app: a Tezos wallet with the sending functionality removed. The app checks the magic (watermark) byte that prefixes every payload a Tezos signer is asked to sign and only accepts blocks (0x11), pre-endorsements (0x12) and endorsements (0x13); a transaction or any other operation is refused. Moreover, the app keeps a high watermark, the level and round of the last block, pre-endorsement and endorsement it signed, and refuses anything at the same or a lower level and round, so the same slot cannot be signed twice and a double-signing incident cannot originate from the device.
Should the device fall into an attacker's hands, closing the baking app requires the device pin, which adds a further layer of protection against leakage of the key: even with physical possession of the device, the baker's private key remains protected.
Tezos bakers have two primary options when using the Ledger Nano S to secure their baking key. They can connect the device directly to the server running the Octez node and baker, or, for a more secure setup, run the signing backend on a separate machine: the Octez signer is used in combination with the hardware wallet, and the Octez baker connects to it remotely. This separates signing from baking, so a compromise of the node host does not by itself give an attacker the signer host or the device.
A major advantage of the Ledger Nano S for Tezos baking is downtime-free failover to a backup baker during maintenance on the main baker or after a system failure. Because the device's watermark refuses to sign a second block or endorsement at a level and round it has already signed, a main and a backup baker can run concurrently against the same key without causing a double-signing incident, and some bakers permanently run two bakers on the same key for this reason. This only holds when both bakers go through the same signer and device: two Ledgers holding the same key have independent watermarks and would not protect against double-signing.
Baking with a Ledger Nano S provides a highly secure infrastructure, as even if an attacker gains remote access to the signing backend, they cannot steal funds without physical access to the hardware wallet. Furthermore, even with physical access to the device, the attacker would still need to bypass the pin protecting the device. Three consecutive incorrect pin entries result in the hardware wallet resetting to factory settings, effectively erasing the baking private key from its secure storage and safeguarding the baker’s funds.
While the pin requirement is intended as a security feature, it presents a notable limitation by necessitating physical presence at the server to which the device is connected, as the pin must be entered after server reboots. This is not ideal for remote server management. Furthermore, having one or more spare Ledgers with the baking key loaded is essential so that a failed device can be quickly replaced.
Since its launch in November 2018, our baker has required the replacement of two Ledger devices, as the OLED display of the Nano S became illegible over time. These devices are not designed for constant use, and as the display deteriorates, entering the pin becomes increasingly difficult or even impossible, necessitating a replacement with a new device.
If the Ledger Nano S or the connected server fails and is not immediately accessible, it can result in extended downtime for the baking operation. In such a situation, the baking operation remains offline until a system engineer can reach the machine and replace the faulty hardware. This potential for prolonged downtime is undesirable and should be avoided whenever possible.
III. AWS KMS with Signatory for Tezos Bakers
Amazon Web Services (AWS) Key Management Service (KMS) is a managed service for creating, controlling and using cryptographic keys. Key material is generated inside AWS's hardware security modules and cannot be exported; callers only get an API that signs with the key. Access is governed by IAM and the key policy, so kms:Sign can be limited to the single role under which Signatory runs, and every use of the key is recorded in CloudTrail for monitoring and auditing. KMS integrates with the other AWS services a baker already uses, which keeps the operational burden of protecting the baking key low. Two caveats matter for Tezos. First, KMS offers secp256k1 (ECC_SECG_P256K1) and P-256 (ECC_NIST_P256) signing keys but no Ed25519, so a KMS-backed consensus key is a tz2 or tz3 address, never a tz1 address. Second, Signatory's policy and watermark are enforced on the Signatory host, not in KMS: an attacker holding that host's AWS credentials can call kms:Sign directly, so the IAM role, the instance metadata endpoint and the host itself must be locked down as carefully as the key.
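How a KMS key becomes a Tezos consensus key, as an added example in Python (illustration written for this article, not Signatory's or AWS's code): it derives the tz2 address from the DER SubjectPublicKeyInfo that KMS GetPublicKey returns, and converts the DER ECDSA signature that KMS Sign returns into the raw 64-byte low-s form Tezos expects. The sample public key is the secp256k1 generator point wrapped in a constructed SPKI so the module runs offline; kms_sign_digest shows the boto3 call but is not invoked, and its key id is a placeholder.

```python
"""AWS KMS secp256k1 key -> Tezos tz2 address, and KMS DER signature ->
Tezos raw low-s signature. Added example; not Signatory's or AWS's code.
"""
import hashlib

# secp256k1 group order (real constant); needed for the low-s check.
SECP256K1_N = int("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141", 16)
# Tezos base58check prefixes for public key hashes (real constants).
TZ2_PREFIX = bytes([6, 161, 161])  # secp256k1 -> "tz2..." (KMS key spec ECC_SECG_P256K1)
TZ3_PREFIX = bytes([6, 161, 164])  # P-256     -> "tz3..." (KMS key spec ECC_NIST_P256)
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Constructed test vector: DER SubjectPublicKeyInfo for the secp256k1 generator
# point, in the shape KMS GetPublicKey returns (uncompressed point 04||X||Y).
SAMPLE_SPKI = bytes.fromhex(
    "3056301006072a8648ce3d020106052b8104000a03420004"
    "79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798"
    "483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8")


def base58check(prefix: bytes, payload: bytes) -> str:
    data = prefix + payload
    data += hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out


def compress_point(spki: bytes) -> bytes:
    """Take the uncompressed point at the end of an EC SPKI and compress it."""
    if len(spki) < 65 or spki[-65] != 0x04:
        raise ValueError("expected an uncompressed EC point")
    point = spki[-65:]
    x, y = point[1:33], point[33:]
    return bytes([0x02 | (y[-1] & 1)]) + x


def tz2_address(spki: bytes) -> str:
    """Tezos pkh = BLAKE2b-160 of the compressed key, base58check with the tz2 prefix."""
    pkh = hashlib.blake2b(compress_point(spki), digest_size=20).digest()
    return base58check(TZ2_PREFIX, pkh)


def der_to_rs(der: bytes) -> tuple[int, int]:
    """Parse SEQUENCE { INTEGER r, INTEGER s } (short-form lengths suffice for 256-bit ECDSA)."""
    if len(der) < 2 or der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("bad DER sequence")
    pos, ints = 2, []
    for _ in range(2):
        if der[pos] != 0x02:
            raise ValueError("expected DER INTEGER")
        length = der[pos + 1]
        ints.append(int.from_bytes(der[pos + 2:pos + 2 + length], "big"))
        pos += 2 + length
    if pos != len(der):
        raise ValueError("trailing bytes")
    return ints[0], ints[1]


def rs_to_der(r: int, s: int) -> bytes:
    """Encoder, used here only to build test vectors for der_to_rs."""
    def der_int(v: int) -> bytes:
        b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
        if b[0] & 0x80:
            b = b"\x00" + b
        return b"\x02" + bytes([len(b)]) + b
    body = der_int(r) + der_int(s)
    return b"\x30" + bytes([len(body)]) + body


def to_tezos_raw(der: bytes) -> bytes:
    """KMS returns DER; Tezos wants r||s (64 bytes) and, for secp256k1, a low s."""
    r, s = der_to_rs(der)
    if not (0 < r < SECP256K1_N and 0 < s < SECP256K1_N):
        raise ValueError("signature values out of range")
    if s > SECP256K1_N // 2:
        s = SECP256K1_N - s  # libsecp256k1, as used by Octez, rejects high-s signatures
    return r.to_bytes(32, "big") + s.to_bytes(32, "big")


def kms_sign_digest(kms_client, key_id: str, digest: bytes) -> bytes:
    """Sign a 32-byte BLAKE2b digest of a Tezos payload with KMS.
    kms_client is a boto3 'kms' client; key_id is a placeholder. Not called in this module."""
    if len(digest) != 32:
        raise ValueError("expected a 32-byte digest")
    resp = kms_client.sign(KeyId=key_id, Message=digest, MessageType="DIGEST",
                           SigningAlgorithm="ECDSA_SHA_256")
    return to_tezos_raw(resp["Signature"])


if __name__ == "__main__":
    print("consensus key address:", tz2_address(SAMPLE_SPKI))
    raw = to_tezos_raw(rs_to_der(1, SECP256K1_N - 1))
    print("low-s normalised s:", int.from_bytes(raw[32:], "big"))
```

The address printed for the generator point is what you would register as the consensus key; with the ECC_NIST_P256 key spec the same derivation applies with TZ3_PREFIX. The DIGEST message type matters: KMS then signs the 32 bytes as given instead of hashing them again, which is what a Tezos signer needs because the protocol hashes payloads with BLAKE2b, not SHA-256.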
Signatory, developed by ECAD Labs, is a remote signing daemon that lets Tezos bakers sign blocks and (pre-)endorsements with a private key held in one of several key-management systems. Its policy defines which request kinds the key may sign, for example all baking operations but no transactions. Like the Ledger baking app, Signatory keeps a high watermark of the last level and round signed for each key and request kind and refuses anything at or below it, so the same block or endorsement cannot be signed twice. Signatory's configuration can also list authorized keys: requests must then carry a signature made with the private key belonging to one of the listed public keys, so the signer only serves the bakers that hold them.
The signer provides a high level of security in both cloud and on-premise HSM contexts, with the goal of making key management as secure as possible. The developers strive to balance security and convenience, enabling bakers to manage their keys effectively without compromising on safety.
Although in this article we focus on AWS KMS, Signatory offers compatibility with several other key-management systems, including Azure Key Vault, GCP Key Management, and YubiHSM. By integrating with these systems, Signatory allows Tezos bakers to choose the most suitable key management solution for their needs.
AWS KMS and Signatory work together to create a robust signing backend for Tezos bakers. When a baking operation needs to be signed, it is sent to the Signatory API. The operation is then decoded and checked against the defined policy to ensure only authorized operations are processed. Once permitted, Signatory sends the operation to AWS KMS for signing. After the signature is produced and validated, Signatory returns it to the baker.
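The pipeline described above, written out as an added example in Python (an illustration for this article, not Signatory's code): an authorized-key check, a policy that admits only consensus requests, and a per-chain, per-kind high watermark, applied in that order before a request would be forwarded to the backing key. The request layout (magic byte, chain id, level, round) and the keyed-hash request tag are constructed stand-ins; only the magic byte values are real. The second submission of the same block shows why a main and a backup baker can share one key: the backup's copy is refused rather than signed twice.

```python
"""Policy, authorized-key and high-watermark checks in the style of a Tezos
remote signer. Added example, not Signatory's code.

Request layout is a constructed stand-in so the module runs offline:
    magic byte (1) | chain id (4) | level (4, big-endian) | round (4, big-endian)
Real Tezos payloads carry level and round inside the block header or the
(pre)attestation body; only the magic byte values below are the real ones.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

# Watermark ("magic") bytes: the first byte of every payload a Tezos signer sees.
MAGIC_BLOCK = 0x11
MAGIC_PREATTESTATION = 0x12
MAGIC_ATTESTATION = 0x13
MAGIC_GENERIC_OPERATION = 0x03  # transactions, delegations, reveals, ...

KIND_NAMES = {0x11: "block", 0x12: "preattestation", 0x13: "attestation", 0x03: "generic"}
CONSENSUS_KINDS = frozenset({MAGIC_BLOCK, MAGIC_PREATTESTATION, MAGIC_ATTESTATION})


def build_payload(kind: int, chain_id: bytes, level: int, round_: int) -> bytes:
    """Constructed request format (see module docstring)."""
    return bytes([kind]) + chain_id + level.to_bytes(4, "big") + round_.to_bytes(4, "big")


def request_tag(baker_key: bytes, payload: bytes) -> bytes:
    """Stand-in for the signature a baker attaches to a request when the signer
    has authorized keys configured (keyed BLAKE2b here instead of a real signature)."""
    return hashlib.blake2b(payload, key=baker_key, digest_size=32).digest()


@dataclass
class SignerGate:
    allowed_kinds: frozenset
    authorized_key: bytes
    # (chain_id, kind) -> (level, round) of the last request let through.
    # In production this must be written to durable storage before the
    # signature is returned, otherwise a crash and restart could replay a slot.
    watermarks: dict = field(default_factory=dict)

    def decode(self, payload: bytes):
        if len(payload) != 13:
            raise ValueError("malformed request")
        return (payload[0], payload[1:5],
                int.from_bytes(payload[5:9], "big"), int.from_bytes(payload[9:13], "big"))

    def authorize(self, payload: bytes, tag: bytes) -> tuple[bool, str]:
        """Return (allowed, reason). Only an allowed request may be forwarded to
        the backing key (Ledger, KMS, YubiHSM); the order of checks matters."""
        # 1. Authorized key: refuse anything not tagged by a configured baker key.
        if not hmac.compare_digest(request_tag(self.authorized_key, payload), tag):
            return False, "unauthorized requester"
        kind, chain_id, level, round_ = self.decode(payload)
        # 2. Policy: consensus operations only; a transaction never reaches the key.
        if kind not in self.allowed_kinds:
            return False, f"{KIND_NAMES.get(kind, hex(kind))} not allowed by policy"
        # 3. High watermark: (level, round) must strictly increase per chain and kind.
        last = self.watermarks.get((chain_id, kind))
        if last is not None and (level, round_) <= last:
            return False, f"watermark violation: {level}/{round_} <= {last[0]}/{last[1]}"
        self.watermarks[(chain_id, kind)] = (level, round_)
        return True, "ok"


if __name__ == "__main__":
    key = b"baker-authorized-key"  # constructed; shared by the main and backup baker
    gate = SignerGate(allowed_kinds=CONSENSUS_KINDS, authorized_key=key)
    block = build_payload(MAGIC_BLOCK, b"NetX", 100, 0)
    print("main baker:  ", gate.authorize(block, request_tag(key, block)))
    print("backup baker:", gate.authorize(block, request_tag(key, block)))
    tx = build_payload(MAGIC_GENERIC_OPERATION, b"NetX", 100, 0)
    print("transaction: ", gate.authorize(tx, request_tag(key, tx)))
```

Running the module prints an accepted block for the main baker, a watermark refusal for the backup baker's identical block, and a policy refusal for the transaction. The watermark is keyed per chain and per request kind because a block and an endorsement at the same level are distinct slots; keeping one counter for everything would wrongly block the endorsement that follows a baked block.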
Baking with Signatory and AWS KMS provides security guarantees comparable to using a Ledger Nano S, while removing the necessity for physical presence during maintenance or system failures, which decreases the risk of prolonged downtimes during failures. In order to prevent centralization of baking, Signatory has been designed to be compatible with a variety of key-management systems, allowing for greater flexibility and adaptability for Tezos bakers. This flexibility, coupled with the focus on security, makes Signatory an attractive option for Tezos bakers looking to enhance their baking infrastructure’s reliability and safety.
IV. Conclusion
While using a Ledger Nano S remains a highly secure option for running a signing backend in Tezos baking operations, its significant limitation is the requirement for physical presence during system maintenance and recovery from failures. This limitation prompts professional bakers to seek alternative solutions.
Prior to the introduction of the consensus key feature with the Lima upgrade in December 2022, bakers were either tied to the signing backend they initially chose or had to migrate their operation to a new baking key, with the considerable drawback that every delegator had to re-delegate as well. Key rotation now offers the welcome advantage of migrating the signing backend without such limitations. Note that the consensus key is not a low-value key: since Lima, a consensus key can also sign a drain_delegate operation that moves the baker's entire spendable balance, so it deserves the same protection as the baking key itself.
Blockshard utilises AWS infrastructure exclusively for our signing backend, employing AWS KMS for key management and EC2 for hosting the Signatory service. Our baker runs on bare metal hardware in a Swiss data centre, giving us a geographically distributed and robust infrastructure.
Having operated this system for nearly five months, we can confidently attest to its high reliability. While using a Ledger Nano S might still be the ideal solution for private bakers due to its relative simplicity and good documentation, the combination of AWS KMS and Signatory has demonstrated itself as a secure, efficient, and dependable choice for professional Tezos bakers seeking to enhance their baking operations.