Backend Wallets

Engine performs blockchain actions using backend wallets that you own and manage.

There are multiple options for securing backend wallets.

Local wallet

A local wallet is a wallet created or imported from a private key. Ensure your private key is backed up before transacting with a local wallet in a production environment.

Local wallets' private keys are stored encrypted in Engine's database. For security reasons, private keys cannot be exported.

AWS KMS wallet

An AWS KMS Wallet is a wallet securely stored in your AWS account. Engine can create and transact with the wallet, but not delete it.

Setup

  • Create an IAM user with programmatic access.
  • Grant the following KMS permissions to this user.
    • kms:CreateKey
    • kms:GetPublicKey
    • kms:Sign
    • kms:CreateAlias
    • kms:Verify
  • On the user page, navigate to Security credentials > Access keys.
  • Select Create access key to get an Access Key and Secret Key.
  • In the dashboard, navigate to Configuration > Backend Wallets.
  • Select AWS KMS and provide the following:
    • Access Key (example: AKIA...)
    • Secret Key (example: UW7A...)
    • Region (example: us-west-1)
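One way to check that the IAM policy attached to this user grants the five permissions above and nothing that could delete or disable a wallet key. This is an added example, not Engine's own code; `lint_policy`, the `DESTRUCTIVE` deny-list and the two sample policies are assumptions constructed for illustration.

```python
import fnmatch

# The five actions the page's AWS KMS setup grants to the Engine IAM user.
REQUIRED = {"kms:CreateKey", "kms:GetPublicKey", "kms:Sign",
            "kms:CreateAlias", "kms:Verify"}
# KMS actions that could destroy, disable or re-permission a wallet key.
# This deny-list is chosen for the example and is not exhaustive.
DESTRUCTIVE = {"kms:ScheduleKeyDeletion", "kms:DisableKey", "kms:DeleteAlias",
               "kms:DeleteImportedKeyMaterial", "kms:PutKeyPolicy"}


def _as_list(value):
    """IAM accepts either one item or a list for Statement and Action."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action names are case-insensitive and allow * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def lint_policy(policy):
    """Return (missing, destructive, wildcards) for an IAM policy document.

    Simplification: only Allow statements with Action are read; Deny,
    NotAction and Condition are ignored.
    """
    allowed = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and "Action" in stmt:
            allowed.extend(_as_list(stmt["Action"]))
    missing = sorted(a for a in REQUIRED
                     if not any(_matches(p, a) for p in allowed))
    destructive = sorted(a for a in DESTRUCTIVE
                         if any(_matches(p, a) for p in allowed))
    wildcards = sorted(p for p in allowed if "*" in p or "?" in p)
    return missing, destructive, wildcards


# Constructed sample policies (not from the page).
TIGHT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": sorted(REQUIRED), "Resource": "*"}]}
BROAD = {"Version": "2012-10-17", "Statement":
         {"Effect": "Allow", "Action": "kms:*", "Resource": "*"}}

if __name__ == "__main__":
    for name, doc in (("TIGHT", TIGHT), ("BROAD", BROAD)):
        print(name, lint_policy(doc))
```

A policy that passes returns three empty lists; `kms:*` satisfies the required set but is reported under both `destructive` and `wildcards`.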

Import an existing wallet

  • Ensure your KMS key is created with the following settings:
    • Key type: Asymmetric
    • Key spec: ECC_SECG_P256K1
    • Key usage: Sign and verify
  • In the dashboard, navigate to Overview > Backend Wallets.
  • Select Import and provide the following:
    • AWS KMS Key ID (example: 0489da75-9830-4a5a-97e3-e4a6df7775b3)
    • AWS KMS ARN (example: arn:aws:kms:us-west-1:632186309261:key/0489da75-9830-4a5a-97e3-e4a6df7775b3)

Google Cloud KMS wallet

Setup

  • Enable Google KMS API for your GCP account.

  • Create a Service Account.

  • Navigate to the IAM page. Find the service account and select Edit Principal to add the following roles:

    • Cloud KMS Admin
    • Cloud KMS CryptoKey Signer/Verifier
  • Navigate to the Service Accounts page. Select the above service account.

  • Navigate to the Keys tab. Select Add Key > Create new key.

  • Select JSON to download the JSON file. This file contains the service account key's private key in plaintext.

  • In the dashboard, navigate to Configuration > Backend Wallets.

  • Select Google KMS and provide the following:

Import an existing wallet

  • Ensure your keyring is created with the following settings:
    • Purpose: Asymmetric sign
    • Algorithm: Elliptic Curve P-256 - SHA256 Digest
  • In the dashboard, navigate to Overview > Backend Wallets.
  • Select Import and provide the following:
    • GCP KMS Key ID (example: 0489da75-9830-4a5a-97e3-e4a6df7775b3)
    • GCP KMS Version ID (example: 1)

Create a wallet

For AWS or Google Cloud KMS wallets, you must provide your credentials.

  • In the dashboard, navigate to Overview > Backend Wallets.
  • Select Create.
  • (Optional) Provide a label to organize your wallets.

Import a wallet

For AWS or Google Cloud KMS wallets, you must provide your credentials.

  • In the dashboard, navigate to Overview > Backend Wallets.
  • Select Import.
  • Provide the requested fields.
    • See above for instructions for specific wallet types.

List wallets

In the dashboard, navigate to Overview > Backend Wallets to view your wallets created by or imported to Engine.

Best practices

  • AWS or Google Cloud KMS wallets are recommended for production use. Private keys are never exposed and the wallet is backed up securely by the cloud provider.
  • Use labels and multiple backend wallets to organize and track usage.
    • Example: Use one wallet to pay out creators on your platform and another to airdrop NFTs to users.
  • If your wallets require topping up gas or ERC20 tokens regularly, consider a separate "funds storage" backend wallet that transfers funds to other wallets via the dashboard UI or API.