Easily Terraforming an EthSigner with an Azure Key Vault HSM Based Key
EthSigner, an Ethereum transaction signer which separates private key management from transaction validation, can be used to sign transactions by using keys protected in a variety of storage mechanisms. One of those supported mechanisms is Azure Key Vault and its software and hardware security module (HSM) based key protection offerings.
In this article we will be deploying a serverless EthSigner container using Azure Container Instances and an Azure Key Vault with an HSM based key (which is the more secure option). We will also need to create an Active Directory application and service principal that will be used by EthSigner to authenticate and access the key.
Prerequisites
We will be using Terraform and its azurerm provider, so we will need the following installed on our workstation:
Example Repository
A complete example Terraform script, which creates the EthSigner container, Active Directory application, Azure Key Vault key and security policies is available in the following GitHub repository:
The Script
For brevity, I will only cover the areas of the Terraform script that specifically handle the creation of the container and the key, and the wiring required for integrating the two.
We will start by creating an Azure Active Directory application, service principal and service principal password (which will be later used as the client secret by EthSigner):
Note that we use a random string to generate the service principal password.
Next, we will create the Azure Key Vault and HSM based key:
A few things to note here:
- We create a policy that allows the identity that runs the script to create, list, get, delete, and purge keys on the vault. Without it, the Terraform script won’t be able to complete.
- The second policy, which is connected to the service principal we created earlier, only allows getting keys and signing, as those are the only operations required by EthSigner.
- We use EC-HSM as the type, which tells Azure to create a hardware-based key.
- We only allow the key to be used for signing and verifying.
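The two access policies and the HSM-backed key described in the notes above, written out as an added example (not the repository's own script). It assumes an `azurerm_resource_group.rg` and an `azuread_service_principal.ethsigner` declared elsewhere, uses azurerm 3.x permission casing, and the vault and key names are placeholders:

```hcl
# Identity running `terraform apply`; it needs key-management rights on the vault.
data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "vault" {
  name                = "ethsigner-kv-example"              # assumed name
  location            = azurerm_resource_group.rg.location  # assumed to exist
  resource_group_name = azurerm_resource_group.rg.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "premium"   # HSM-protected (EC-HSM) keys require the Premium SKU

  # Policy 1: the deployer. Without these rights the script cannot create
  # (or, on destroy, delete and purge) the signing key.
  access_policy {
    tenant_id       = data.azurerm_client_config.current.tenant_id
    object_id       = data.azurerm_client_config.current.object_id
    key_permissions = ["Create", "List", "Get", "Delete", "Purge"]
  }

  # Policy 2: the EthSigner service principal. Get + Sign is all it needs;
  # it never sees key material and cannot export, delete or rotate the key.
  access_policy {
    tenant_id       = data.azurerm_client_config.current.tenant_id
    object_id       = azuread_service_principal.ethsigner.object_id  # assumed to exist
    key_permissions = ["Get", "Sign"]
  }
}

resource "azurerm_key_vault_key" "signing" {
  name         = "ethsigner-key"    # assumed name
  key_vault_id = azurerm_key_vault.vault.id
  key_type     = "EC-HSM"           # hardware-backed EC key; "EC" would be software-protected
  curve        = "P-256K"           # secp256k1, the curve Ethereum signatures use
  key_opts     = ["sign", "verify"] # no encrypt/decrypt/wrap: a signing-only key
}

output "signing_key_version" {
  value = azurerm_key_vault_key.signing.version # EthSigner is configured with key name + version
}
```

Once the key exists, the deployer policy can be narrowed or removed if the key is no longer managed by Terraform; the service principal policy is the only one EthSigner needs at runtime.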
Lastly, we create the EthSigner container, pointing it to Cloudflare’s Ethereum mainnet gateway as the downstream host (instead of deploying a node on our own), and passing all the Azure Key Vault key related configurations:
All that is left now is to log in to Azure using az login and then run the script using terraform apply.
Testing the Deployment
We can perform two tests once the EthSigner container is up and running. The first is to make sure that the process is up and running as expected by calling:
curl -X GET http://127.0.0.1:8545/upcheck
Next, we can check that EthSigner is passing the transactions to the downstream host by calling:
curl -X POST --data '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":51}' http://127.0.0.1:8545
Conclusion
The example discussed in this article, although fully functional, should only be used as a reference in a real-world production deployment. Some areas, mostly security related, require more advanced concepts, such as internal-external networking separation, firewall protection, transport encryption (HTTPS), authentication and more.