
AWS KMS for Securing Bitcoin

Posted on Jul 07, 2020

Keeping bitcoin private keys private and safe in an enterprise environment doesn't have to be hard. Bitcoin, like other cryptocurrencies, works with a key pair: a public key and a private key. The public key is hashed into an address that anyone can pay to, and the corresponding private key is what signs the transactions that actually spend the value sent to that address.

AWS KMS makes this model easy: the private key lives inside KMS and never leaves it, while your resources fetch only the public key and derive their own bitcoin address from it.

We usually have the client generate the key pair on an air-gapped computer, then carry the key material to an internet-connected computer for import into AWS KMS. Note that it is the private key material that gets imported (wrapped under the public wrapping key KMS hands out for the import); KMS derives and serves the public key itself, so there is nothing to "load" on the public side. Check the current KMS documentation for whether importing asymmetric (ECC_SECG_P256K1) key material is supported in your region; historically KMS key import covered only symmetric keys.

Either way, some post-processing is needed to turn the elliptic-curve public key KMS returns into a usable bitcoin address.

aws kms create-key --description "main bitcoin addresses" --customer-master-key-spec ECC_SECG_P256K1 --key-usage SIGN_VERIFY

We are using this as example code; in practice you would import your own key material rather than let KMS generate it. Importing doesn't hide the private key from AWS (it still lives in KMS's HSMs and is never exportable), but it means you hold an offline copy for recovery and can delete the key material from KMS at will. Using the key policy and IAM policies you specify which principals may call kms:GetPublicKey to derive addresses and, separately, which may call kms:Sign to spend; keep the two sets of principals apart.

aws kms get-public-key --key-id {arn from above example}

This returns the public key as JSON with a base64-encoded DER SubjectPublicKeyInfo in the PublicKey field; that is what we will use to generate our bitcoin address.

aws kms get-public-key --key-id {arn from above example} --output text --query PublicKey | base64 -d | tail -c 65 | openssl dgst -sha256

The above pipeline strips the DER wrapper, keeping the 65-byte uncompressed point (04 || X || Y) that sits at the end of it, and SHA-256 hashes that point. The remaining steps to a bitcoin address are RIPEMD-160 of the SHA-256 hash, a 0x00 version byte for mainnet, a 4-byte double-SHA-256 checksum and Base58 encoding. If you want the address format modern wallets expect, hash the compressed form of the point (02/03 || X) instead; the two encodings give different addresses for the same key, so pick one and use it consistently. This fits inside a Lambda function that creates addresses and records them in a database, one KMS key per address, since a KMS key holds exactly one key pair. The KMS public key can also be turned into a BIP32 XPUB (with a chain code you choose) to derive many child addresses from one key, but be aware that KMS can only sign with the exact key it holds, not with derived child keys, so funds sent to those child addresses could not be spent through KMS.

Contact us if you are looking to build a secure bitcoin or crypto website!