Key Guardian
The Key Guardian service manages cryptographic key material with defense-in-depth security, supporting encrypted database storage, secret managers, hardware security modules, and third-party custody providers including DFNS and Fireblocks.
Overview
The Key Guardian protects private keys controlling digital assets through defense-in-depth with multiple storage backends at escalating security levels. Keys never leave secure boundaries in plaintext.
- Doc type: Explanation
- What you'll find here:
  - Storage hierarchy and protection levels
  - Security architecture and key lifecycle
  - DFNS and Fireblocks custody integrations
  - Custody provider comparison
- Related:
  - Transaction Signer for signature operations
  - Signing Flow for the end-to-end signing sequence
  - Authorization for role-based access control
Storage hierarchy
| Storage tier | Protection level | Use case |
|---|---|---|
| Encrypted database | Application-level encryption | Development, low-value assets |
| Cloud secret manager | Platform-managed encryption | Standard production deployments |
| Hardware security module | FIPS 140-2 Level 3 | Regulated financial services |
| Third-party custody | Delegated institutional custody | Highest security requirements |
Security architecture
The Guardian API receives signature requests without exposing raw key material. Storage routers direct requests to appropriate backends based on key metadata.
Key lifecycle
- Generation: HSM-backed keys generate entirely within hardware. Software keys use cryptographically secure random sources with immediate encryption before memory clearing.
- Rotation: Replaces active signing keys while maintaining historical keys for verification. Coordinates with blockchain address updates and registry notifications.
- Recovery: Enterprise deployments use sharded backups with threshold signature schemes requiring multiple custodians.
- Revocation: Compromised keys are immediately removed from active use. Smart contract permissions update to reject signatures from revoked keys.
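The recovery step above relies on a quorum of custodians. As an added illustration, not Key Guardian's own code, the following uses Shamir secret sharing over a prime field as a stand-in for the threshold scheme the page mentions: a 32-byte backup key is split into five custodian shares, any three of which recover it, while two give nothing. The field prime and the share layout are assumptions.

```python
"""Added example, not Key Guardian's own code: k-of-n sharded backup of a key via
Shamir secret sharing over GF(p), standing in for the page's threshold scheme."""
import secrets

# Mersenne prime 2^521 - 1 (assumption): large enough to hold a 32-byte key as one element.
PRIME = (1 << 521) - 1


def split_secret(secret: bytes, threshold: int, shares: int):
    """Return `shares` points (x, f(x)) on a random polynomial with f(0) = secret.
    Any `threshold` custodian shares reconstruct it; fewer give no information."""
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    s = int.from_bytes(secret, "big")
    if s >= PRIME:
        raise ValueError("secret does not fit in the field")
    # Constant term is the secret; higher coefficients are random field elements.
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    points = []
    for x in range(1, shares + 1):          # x = 0 is never a share: it is the secret
        y = 0
        for c in reversed(coeffs):          # Horner evaluation of f(x) mod p
            y = (y * x + c) % PRIME
        points.append((x, y))
    return points


def recover_secret(points, length: int) -> bytes:
    """Lagrange-interpolate f(0) from the given shares and decode `length` bytes.
    With fewer than threshold shares the result is a random field element, not the key."""
    result = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        result = (result + yi * num * pow(den, -1, PRIME)) % PRIME
    if result >> (8 * length):
        raise ValueError("shares do not reconstruct a secret of this length")
    return result.to_bytes(length, "big")
```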
DFNS integration
DFNS provides delegated MPC custody as a pluggable backend.
- Policy enforcement: DFNS policy engine enforces transaction limits and approval workflows before signing -- the second control layer after DALP's on-chain compliance engine. See Signing Flow for interaction details.
- Multi-party approval: High-value transactions can require multiple approver signatures. DALP surfaces pending approvals through its API for programmatic resolution.
- Audit integration: DFNS audit logs synchronize with DALP records for unified compliance reporting.
Fireblocks integration
Fireblocks provides MPC custody organized through vault accounts. Switching between DFNS and Fireblocks requires only configuration changes.
- Vault model: Keys organized into vault accounts, each containing one or more asset wallets. DALP supports creating, listing, and managing vaults.
- Transaction signing: All signing happens through Fireblocks MPC -- no single private key ever exists. Supports message signing, transaction signing with fee estimation, and typed data signing.
- Transaction Authorization Policy (TAP): Enforces amount thresholds, whitelisted destinations, velocity limits, and multi-approver requirements. Blocked transactions surface through DALP's approval interface.
- Approval limitation: Unlike DFNS, Fireblocks does not support programmatic approval resolution via external APIs. Blocked transactions must be approved through the Fireblocks Console or API Co-Signer appliance.
Comparing custody providers
| Capability | DFNS | Fireblocks |
|---|---|---|
| MPC signing | Distributed key shards | Distributed key shards |
| Programmatic approval via DALP | Full API resolution | Console/Co-Signer only |
| Policy engine | DFNS policy rules | Transaction Authorization Policy (TAP) |
| Wallet model | Flat wallet list | Vault → asset hierarchy |
| Multi-chain token registration | EVM, Stellar, Algorand, TRON, and more |
Access control and audit
- Only Transaction Signer components can request signatures
- Signature requests require valid workflow context
- Rate limiting prevents bulk signature extraction
- All access attempts log for security review
| Operation | Logged attributes |
|---|---|
| Key generation | Key identifier, algorithm, storage tier, generator identity |
| Signature request | Key identifier, message hash, requester identity, workflow correlation |
| Rotation | Old key identifier, new key identifier, initiator, approval chain |
| Access denial | Key identifier, requester, denial reason |
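The access-control rules and audit attributes above, as an added example that is not Key Guardian's own code: a minimal Guardian request path that checks requester role, workflow context, revocation status and a rate limit before routing the request to the backend named in the key's metadata, and records the attributes from the table for each operation. The tier names, the role string and the HMAC-SHA256 stand-in signer are assumptions.

```python
# Added example, not Key Guardian's own code; tier names, role string and HMAC signer are assumptions.
import hashlib, hmac, secrets, time

class Backend:
    """Stand-in backend: key bytes stay inside it and only signatures leave. A real tier
    would be an HSM or custody provider; HMAC-SHA256 just lets the example run offline."""
    def __init__(self): self._keys = {}

    def generate(self, key_id):
        self._keys[key_id] = secrets.token_bytes(32)

    def sign(self, key_id, message):
        return hmac.new(self._keys[key_id], message, hashlib.sha256).digest()


class Guardian:
    def __init__(self, rate_limit=3, window_s=60):
        self.backends = {t: Backend() for t in ("database", "secret_manager", "hsm", "custody")}
        self.keys = {}        # key_id -> metadata the storage router consults
        self.audit = []       # one entry per operation, carrying the attributes from the table
        self.rate_limit, self.window_s = rate_limit, window_s
        self._recent = {}     # requester -> timestamps of recent signature requests

    def generate_key(self, key_id, tier, generator):
        self.backends[tier].generate(key_id)
        self.keys[key_id] = {"tier": tier, "revoked": False}
        self.audit.append({"op": "generate", "key": key_id, "algorithm": "hmac-sha256-standin",
                           "tier": tier, "generator": generator})

    def sign(self, key_id, message, requester, role, workflow_id):
        def deny(reason):
            self.audit.append({"op": "deny", "key": key_id, "requester": requester, "reason": reason})
            raise PermissionError(reason)
        if role != "transaction_signer":       # only Transaction Signer components may request
            deny("requester is not a Transaction Signer component")
        if not workflow_id:
            deny("missing workflow context")
        meta = self.keys.get(key_id)
        if meta is None or meta["revoked"]:    # revoked keys are out of active use immediately
            deny("unknown or revoked key")
        now = time.monotonic()                 # fixed-window rate limit against bulk extraction
        recent = [t for t in self._recent.get(requester, []) if now - t < self.window_s]
        if len(recent) >= self.rate_limit:
            deny("rate limit exceeded")
        self._recent[requester] = recent + [now]
        signature = self.backends[meta["tier"]].sign(key_id, message)  # routed by key metadata
        self.audit.append({"op": "sign", "key": key_id, "message_hash": hashlib.sha256(message).hexdigest(),
                           "requester": requester, "workflow": workflow_id})
        return signature
```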
See also
- Transaction Signer for signature operations
- Signing Flow for the end-to-end transaction signing sequence including DFNS and Fireblocks paths