Blockchain Key Management Solution

TEEvault is a key management solution for securely storing and managing cryptocurrency keys in an enterprise environment. The entire process of generation, back up, and usage of cryptocurrency private keys is completed inside a protected Trusted Execution Environment (TEE), keeping the keys safe from exposure to hacking or physical attack. It also harnesses threshold cryptography to mathematically split a key into multiple shares and store each share in different systems. Thus, the risk of loss or theft is greatly reduced and disaster recovery assured.

Introduction to TEEvault


Secure use of keys with TEE

TEEvault operates two different run-time environments concurrently, a REE (Rich Execution Environment) and the TEE. All operations that involve the use of keys are securely isolated inside the TEE, which completely shields the keys and their operations from the REE, including hackers, potentially malicious cloud providers, and even insiders with administrative privileges.

Distributed key storage with threshold signature

Threshold signature is used to split a whole cryptographic key into multiple shares, with each share securely distributed to multiple devices for risk management. Risk of loss and theft is reduced, as no single device holds the whole key. Operations on key shares, including generation of signatures, are safely executed inside the TEE.

Compliant with Blockchain standards

TEEvault supports multiple blockchain protocols and their cryptography standards such as BIP-32, -39, -44, along with algorithms including ECDSA and Keccak.

Real-time synchronization

TEEvault’s internal key storage CPUs are triple synchronized in real-time through hot backup cross-replication process, ensuring high availability of data even in the case of a catastrophic event.

Comprehensive management of key creation and usage

Every event and operation involving the use of keys is logged and kept safe inside TEEvault, enabling secure monitoring and forensic analysis of key access and usage.

Importing old blockchain keys

Existing keys are easily migrated to the TEEvault. The entire migration process is encrypted and authenticated with only devices authorized by TEEvault importing the keys.

System Diagram

Safe as much as you connect

A single TEEvault is sufficient to operate your service. However, a cluster of multiple TEEvault nodes connected with threshold cryptography assure greater protection and availability of protected assets. Threshold cryptography enables t-of-n signature where only t nodes are required among n. For example, in a cluster configured as 3-of-6, the clusters as a whole will still function even if up to 3 (out of 6 nodes) become unavailable. Strategic placement of TEEvault nodes in geographically distant locations will increase the availability of the connected system in the case of catastrophic events, including power outages, natural disasters, and security attacks such as targeted denial of service. In addition, TEEvault’s threshold cryptography technology can also be applied to blockchain applications that do not provide native multisig support, such as Ethereum.

  • Risk diversification through distribution of keys
  • High availability regardless of catastrophic events
  • Cryptographic multisig support using threshold cryptography (Ethereum, etc.)

Robustness tripled

TEEvault’s triple replication architecture safeguards client assets and ensures robustness of secure operations. TEEvault is designed to synchronously back up protected data across multiple TEE systems, with each TEE system independently and uniquely encrypting the digital assets of clients. The tripled composition is also used for load balancing, enabling high performance.

  • Data loss prevention by tripled backup
  • Key synchronization among authenticated TEE systems
  • Performance improvement with load balancing among TEE systems

Hardware-enforced security boundary

TEEvault utilizes one of the most powerful security features supported by a CPU — the Trusted Execution Environment (TEE). By establishing a hardware-enforced security boundary, TEEvault completely isolates client assets from the computer’s day-to-day run-time environment, which is always exposed to a vast variety of cyber threats and hacking attacks. To steal client assets sealed inside the isolated TEE, a hacker must have physical access to the CPU hardware and analyze every bit of the circuit. Even with the use of an electron microscope, this is virtually impossible in the real world.

  • TEE completely isolated from run-time environment
  • Data protection using hardware reinforced keys
  • Virtually impossible to steal protected data even with an electron microscope

TEEvault-based Cryptocurrency Wallets

1. Store and manage cryptocurrency offline (Cold wallet)

Most cryptocurrency exchanges prefer to store part of their assets offline to mitigate the risk of being hacked, which is referred to as a cold wallet. Using TEEvault, enterprise-level cold wallets can be established with keys split and distributed among multiple nodes to eliminate the risk of loss and theft. All transactions involving the use of keys run securely inside TEEvault, completely protected from attacks — even from those with administrative privileges, e.g., such as malicious insiders.

2. Protect cryptocurrency keys stored online (Hot wallet)

Cryptocurrency exchanges must also store some of the cryptocurrencies online to process transactions and provide timely money transfers, which is referred as a hot wallet. Even if the keys are stored and encrypted, they must be decrypted in memory to be used when signing transactions, and this is the most vulnerable point where the keys are left unprotected. However, using TEEvault, keys are always protected even when online. When keys are generated and stored, they are encrypted by the unique key hardwired inside the CPU, and all cryptographic operations are securely executed inside the TEE during transaction signing, leaving no chance of hacking.

3. Multisig on Ethereum without using smart contract

Ethereum does not support multisig natively, instead encouraging users to use smart contracts to enable multisig. However, as seen in the Parity wallet incident, one small mistake in smart contract execution can result in catastrophic damages, such as cryptocurrencies being stolen or burned. TEEvault can turn the current process of signing a transaction with a single key into a multisig-based transaction. Threshold cryptography (k-of-n) can split a key into n shares, with k shares required to generate a whole signature, making TEEvault a secure alternative to smart contract-based multisig.

Contact Us

Looking for a solution?

TEEware shares your concerns about security.
We will continue to research and provide innovative solutions for your security needs. We will be your partner.