Backend Wallets
Engine performs blockchain actions using backend wallets that you own and manage.
There are multiple options for securing backend wallets.
Local wallet
A local wallet is a wallet created or imported from a private key. Ensure your private key is backed up before transacting with a local wallet in a production environment.
Local wallets private keys are stored encrypted in Engine's database. For security reasons, private keys cannot be exported.
AWS KMS wallet
An AWS KMS Wallet is a wallet securely stored in your AWS account. Engine can create and transact with the wallet, but not delete it.
Setup
- Create an IAM user with programmatic access.
- Grant the following KMS permissions to this user.
kms:CreateKey
kms:GetPublicKey
kms:Sign
kms:CreateAlias
kms:Verify
- On the user page, navigate to Security credentials > Access keys.
- Select Create access key to get an Access Key and Secret Key.
- In the dashboard, navigate to Configuration > Backend Wallets.
- Select AWS KMS and provide the following:
- Access Key (example:
AKIA...
) - Secret Key (example:
UW7A...
) - Region (example:
us-west-1
)
- Access Key (example:
Import an existing wallet
- Ensure your KMS key is created with the following settings:
- Key type:
Asymmetric
- Key spec:
ECC_SECG_P256K1
- Key usage:
Sign and verify
- Key type:
- In the dashboard, navigate to Overview > Backend Wallets.
- Select Import and provide the following:
- AWS KMS Key ID (example:
0489da75-9830-4a5a-97e3-e4a6df7775b3
) - AWS KMS ARN (example:
arn:aws:kms:us-west-1:632186309261:key/0489da75-9830-4a5a-97e3-e4a6df7775b3
)
- AWS KMS Key ID (example:
Google Cloud KMS wallet
Setup
-
Enable Google KMS API for your GCP account.
-
Navigate to the IAM page. Find the service account and select Edit Principal to add the following roles:
- Cloud KMS Admin
- Cloud KMS CryptoKey Signer/Verifier
-
Navigate to the Service Accounts page. Select the above service account.
-
Navigate to the Keys tab. Select Add Key > Create new key.
-
Select JSON to download the JSON file. This file contains the key's private key in plaintext.
-
In the dashboard, navigate to Configuration > Backend Wallets.
-
Select Google KMS and provide the following:
Import an existing wallet
- Ensure your keyring is created with the following settings:
- Purpose:
Asymmetric sign
- Algorithm:
Elliptic Curve P-256 - SHA256 Digest
- Purpose:
- In the dashboard, navigate to Overview > Backend Wallets.
- Select Import and provide the following:
- GCP KMS Key ID (example:
0489da75-9830-4a5a-97e3-e4a6df7775b3
) - GCP KMS Version ID (example:
1
)
- GCP KMS Key ID (example:
Create a wallet
For AWS or Google Cloud KMS wallets, you must provide your credentials.
- In the dashboard, navigate to Overview > Backend Wallets.
- Select Create.
- (Optional) Provide a label to organize your wallets.
Import a wallet
For AWS or Google Cloud KMS wallets, you must provide your credentials.
- In the dashboard, navigate to Overview > Backend Wallets.
- Select Import.
- Provide the requested fields.
- See above for instructions for specific wallet types.
List wallets
In the dashboard, navigate to Overview > Backend Wallets to view your wallets created by or imported to Engine.
Best practices
- It is recommend to use AWS or Google Cloud KMS wallets for production use. Private keys are never exposed and the wallet is backed up securely by the cloud provider.
- Use labels and multiple backend wallets to organize and track usage.
- Example: Use one wallet to pay out creators on your platform and another to airdrop NFTs to users.
- If your wallets require topping up gas or ERC20 tokens regularly, consider a separate "funds storage" backend wallet that transfers funds to other wallets via the dashboard UI or API.