At Fireblocks, we know that our customers employ a variety of different cloud configurations for their own internal systems. That’s why we’re excited to announce that Fireblocks now supports Amazon Web Services (AWS) Nitro Enclaves. With this new development, Fireblocks customers building products on AWS can now utilize Nitro Enclaves to run their Fireblocks API Co-Signer.

Fireblocks x AWS Nitro Enclaves

Fireblocks employs an API Co-Signer to hold customers’ MPC signing key shares and configuration keys. The key shares are used to participate in the MPC signing of a digital asset transaction, while the configuration keys are used to approve modifications to the Fireblocks Workspace.

Now, Fireblocks customers can choose to utilize an AWS Nitro Enclave for their API Co-Signer. This requires a customer to follow a deployment process. Fireblocks employs MPC algorithms to generate and distribute private key shards, ensuring that a complete and whole private key never exists in any single location. The key shards that are stored in Fireblocks’ servers (called co-signers) and the customer’s mobile device or co-signer server (on-prem or in a public cloud) is used to sign transactions in a trustless manner. This ensures that no single party, including Fireblocks, can be a point of failure.

To enhance security, all operations involving these shards are performed within secure environments, such as AWS Nitro Enclaves, ensuring that sensitive data is never exposed nor manipulated, whether in storage or in use.

Once decrypted inside the secured Nitro enclave, the API Co-Signer will use the key shares and configuration keys stored in the database to sign transactions and approve operations. Even if another party gains control over the servers operating system, private key information cannot be extracted from these enclaves, they remain encrypted.

In addition to AWS Nitro Enclaves, Fireblocks supports multiple secure enclaves for private key management including Intel SGX, and HSMs.