In the crypto world, managing secrets isn’t just about protecting sensitive data – millions of dollars can be on the line with a single key. Users trust us with their API keys, and we work every day to make sure their security is airtight. That’s why we’ve integrated Vault from Hashicorp to secure API keys at rest and in transit, and manage permissions dynamically to prevent breaches.
Vault is a leading secrets management service, backed by a committed team and an open-source code that is constantly being reviewed and tested by the community. They provide a secure storage infrastructure, encryption protocols, key rotation, user activity audits, and a multi-signature master key for recovering data when it is locked up because of a suspected intrusion.
Your API keys are valuable secrets, and if you want to keep a secret there are three rules: limit who knows the secret, keep track of those who know, and make sure the secret doesn’t last long.
Encryption and storage
Tokenplace’s secrets management plan begins with encryption. By accumulating secrets in a Vault, we avoid sprawl and minimize the number of access points that have to be protected. Vault also uses a dynamic infrastructure to mask the network perimeter to further prevent hacks.
The API keys and secrets are stored in the Vault in encrypted form, and access to decrypt them is identity-based. This means that simply lifting the data off the servers won’t work, since the keys and secrets are encrypted, and only by proving your identity to Vault can you make a query. The secrets and keys both remain in the vault, while access is controlled by hashes which do not lead back to the original secret.
Because Tokenplace secrets are stored in a secure Vault, separate from other aspects of the platform, this limits the number of identities (human or computer) who have access to them. The fewer entities have access, the easier it is to secure data and identify breaches.
Audits and emergencies
Now that we’ve limited the number of people who are privy to the secret, we can move on to keeping track of them. Since the API keys are encrypted, a bad actor would likely attempt to spoof an identity. This is why Vault provides detailed audit logs of the activity of every user on the system, making it easier to identify suspicious activity.
If an attack is suspected, Vault will immediately shut down and block all activity. At this point, a multi-signature recovery protocol is initiated, requiring secret keys from multiple core team members. Even if an intruder were able to completely spoof an administrator’s identity and bypass the Vault gatekeepers, their activity would be noticed and shut down, without the possibility of resuming.
The last rule of keeping a secret is to make the secret short-lived, or ephemeral. This doesn’t always work in real life, but in this case Vault provides dynamic secrets that help minimize the chance that someone can steal a credential and use it for nefarious deeds. These keys can be generated at the moment of use and revoked immediately after, making it impossible for a bad actor to reuse them.
Ultimately, the first line of defense is the user. Tokenplace has a convenient multi-factor authorization system to make sure your account isn’t being hacked. Once your API keys are in our system, they are encrypted in a secure, distributed Vault. The access to secrets is minimal, and all activity is logged and monitored for suspected breaches. The system locks down in case of an attack, and can only be reopened by a multi-signature operation by several core team members. Tokenplace has a dedicated and talented security team, and we partner with the best the industry has to offer to bring our users a secure and hassle-free trading experience.