AWS Partner Network (APN) Blog

Secure Digital Assets with Blockdaemon Builder Vault using AWS Nitro Enclaves

By: Ramasamy Seranthaiya, Senior Solutions Architect – AWS
By: Jigna Gandhi, Senior Solutions Architect – AWS
By: Samuel Pulido, Partner Development Representative – AWS
By: Alexandre Karlov, Director, Security and Cryptography Engineering – Blockdaemon


The institutional adoption of digital assets has created new requirements for securing high-value cryptographic operations at scale. Traditional approaches using Hardware Security Modules (HSMs) or centralized key management often create operational friction and potential single points of failure. Financial institutions, custodians, and enterprises need security architectures that support institutional-grade controls while enabling operational agility.

Multi-Party Computation (MPC) addresses a fundamental challenge in digital asset security: the need to perform cryptographic operations without exposing private keys at any point in their lifecycle. Traditional key management approaches require private keys to exist in their complete form during generation, storage, or use – creating potential points of exposure. MPC transforms this model by mathematically splitting cryptographic operations across multiple independent parties, where each party performs computations on their own key share without ever reconstructing the complete private key. This distributed approach enables organizations to implement granular access controls, enforce multi-party governance, and maintain operational resilience.

Blockdaemon’s Builder Vault provides an institutional-grade custody solution built on a distributed architecture that makes unauthorized access considerably more difficult and costly, improving overall security.

In this post, we explain how Builder Vault uses Multi-Party Computation (MPC) to help secure digital assets through a virtualized Threshold Security Module (TSM).

How Blockdaemon built Builder Vault using AWS Nitro Enclaves

Blockdaemon built Builder Vault on AWS Nitro Enclaves to deliver secure, scalable, and globally available infrastructure for institutional-grade digital asset management. Nitro Enclaves are separate, hardened, and highly constrained virtual machines that have no persistent storage, no interactive access, and no external networking. The AWS Nitro System, a combination of dedicated hardware and a lightweight hypervisor, provides strong isolation. Nitro Enclaves provide an isolated compute environment within your HAQM Elastic Compute Cloud (HAQM EC2) instances, so highly sensitive data, including private keys for blockchain operations, can be processed and protected inside the enclave, while cryptographic attestation verifies the enclave’s identity and that only authorized code is running. For containerized workloads, HAQM Elastic Kubernetes Service (HAQM EKS) clusters allow each worker node to host up to four Nitro Enclaves. This provides flexible orchestration for high-availability MPC workloads, allowing elastic scalability to handle high transaction volumes while minimizing operational overhead.

Builder Vault for digital asset management

Builder Vault addresses a critical need in digital asset management: securing private keys without sacrificing operational flexibility. Its MPC-based architecture ensures that no complete key or master seed ever exists in one place, reducing regulatory concerns tied to centralized key custody. This distributed model supports compliance by eliminating the notion of a single actor having full control, and enables institutions to enforce multi-party governance and approval policies. Combined with AWS Nitro Enclaves and AWS Key Management Service (AWS KMS) cryptographic attestation, key shares are protected throughout their lifecycle: in use, in transit, and at rest. Builder Vault also integrates seamlessly with broader Web3 primitives such as smart contracts and Decentralized Finance (DeFi) protocols, providing a trusted cryptographic layer to mitigate risk in transactional flows.

Solution overview

For any organization holding digital assets, the Builder Vault AWS deployment is composed of three essential components:

  • Builder Vault Key Management Service (KMS) Stack focusing on the secure management of cryptographic keys and confidential data within AWS
  • Core Stack providing fundamental services such as user management, data storage, and internal communication mechanisms
  • Expansion Node Stack designed to improve and scale the core stack’s security and performance capabilities

At a high level, Blockdaemon recommends deploying the Core Stack and a minimum of two Key Management Stacks as the optimal setup for multi-party operations. In addition, the Expansion Node Stack allows adding nodes in distinct AWS accounts to scale the deployment while preserving the integrity of multi-party security. Figure 1 shows Builder Vault’s high-level AWS deployment.

Figure 1: Builder Vault’s High level AWS deployment

At its core, the security management component (the KMS Stack) handles security-related operations, including secure storage of sensitive information, management of encryption keys, access control, and audit logging. The core infrastructure (the Core Stack) serves as the foundation, managing user accounts, data storage, inter-system communication, and basic operations through two primary servers. To accommodate growth, the expansion component (the Expansion Node Stack) allows the addition of new servers, enhancing overall system security and maintaining performance as usage increases. These three components integrate to provide a robust, reliable, and adaptable solution that grows with your organization’s needs.

This approach enables three key capabilities:

  • Distributed Key Generation: Builder Vault automatically divides cryptographic keys into separate shares during generation, with each share independently managed by a different party.
  • Secure Key Lifecycle Management: the solution manages the entire key lifecycle – from generation through rotation and retirement – while maintaining key separation.
  • Software-based flexibility: unlike traditional Hardware Security Module (HSM) implementations, Builder Vault’s software-based approach enables rapid deployment and integration with existing applications.
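The share-based signing the post describes, as an added illustration written for this page (not Builder Vault’s own protocol or code): three parties each hold an additive share x_i of a secp256k1 private key and each contribute a partial Schnorr signature, and the combined signature verifies against the joint public key even though the full key sum(x_i) is never assembled. This is the simplest n-of-n form; it omits the t-of-n threshold, nonce-commitment and malicious-party protections a production TSM needs, and it assumes Python 3.8+ for pow(x, -1, P).

```python
import hashlib
import secrets

# secp256k1 domain parameters (public constants; the curve used by Bitcoin and Ethereum).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    # Affine point addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity.
    if a is None or b is None: return a or b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0: return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    # Double-and-add scalar multiplication (not constant-time; demonstration only).
    r = None
    while k:
        if k & 1: r = ec_add(r, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return r

def challenge(r_pt, pubkey, msg):
    # Fiat-Shamir challenge e = H(R.x || Y.x || m), reduced into the scalar field.
    data = r_pt[0].to_bytes(32, "big") + pubkey[0].to_bytes(32, "big") + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def mpc_keygen_and_sign(msg, parties=3):
    # Party i keeps x_i and k_i private; only x_i*G, k_i*G and partial s_i are exchanged: sum(x_i) is never formed.
    shares = [secrets.randbelow(N - 1) + 1 for _ in range(parties)]
    nonces = [secrets.randbelow(N - 1) + 1 for _ in range(parties)]
    pubkey = r_pt = None
    for x, k in zip(shares, nonces):
        pubkey = ec_add(pubkey, ec_mul(x, G))  # Y = sum(x_i * G), the joint public key
        r_pt = ec_add(r_pt, ec_mul(k, G))      # R = sum(k_i * G), the joint nonce point
    e = challenge(r_pt, pubkey, msg)
    s = sum((k + e * x) % N for x, k in zip(shares, nonces)) % N  # sum of partial s_i
    return pubkey, (r_pt, s)

def verify(pubkey, sig, msg):
    # Standard Schnorr check s*G == R + e*Y; it holds because s = sum(k_i) + e*sum(x_i).
    r_pt, s = sig
    return ec_mul(s, G) == ec_add(r_pt, ec_mul(challenge(r_pt, pubkey, msg), pubkey))
```

A verifier only ever sees the joint public key and the final (R, s), so the signature is indistinguishable from one produced by a single holder of the whole key.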

Why choose Builder Vault rather than AWS KMS or an HSM alone

Builder Vault extends AWS KMS capabilities with specialized features for digital asset security. The solution implements advanced threshold cryptography, enabling true multi-party control over keys and signing operations. Its software-based architecture allows rapid integration of new cryptographic algorithms and primitives, providing more flexibility than traditional hardware-based solutions offer. For organizations requiring distributed key management, Builder Vault implements off-chain multi-signature enforcement with configurable approval workflows.

While AWS KMS provides general-purpose key management, Builder Vault’s MPC model provides resilience and control for cryptographic operations in large-scale, cloud-native environments (for example, HAQM EKS). Builder Vault uses AWS KMS for cryptographically attested secret injection into Nitro Enclaves, providing security and isolation for sensitive key shares. Builder Vault complements AWS KMS by creating a robust multi-layered security posture that addresses the specialized needs of modern digital asset management.

Builder Vault on AWS shows how distributed key management and isolated compute environments work together to support digital asset operations. The solution combines Builder Vault’s MPC implementation with AWS Nitro Enclaves and AWS KMS to create multiple layers of protection for cryptographic operations. Organizations can automate key rotation, implement backup procedures, and maintain emergency recovery systems (ERS) while operating within a defined governance framework. The integration provides isolated computation environments for sensitive operations, with cryptographically attested secret injection through AWS KMS ensuring key material remains protected throughout its lifecycle.
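The attested secret-injection pattern described above, as an added illustration (not Blockdaemon’s or AWS’s own configuration): an AWS KMS key policy statement that allows Decrypt only when the request carries a Nitro Enclaves attestation document whose enclave image measurement (PCR0) matches the expected value. The account ID, role name and measurement are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DecryptKeyShareOnlyInsideAttestedEnclave",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/BuilderVaultNodeRole-PLACEHOLDER" },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringEqualsIgnoreCase": {
          "kms:RecipientAttestation:ImageSha384": "ENCLAVE_IMAGE_PCR0_PLACEHOLDER"
        }
      }
    }
  ]
}
```

The condition key is only present when the call includes an attestation document signed by the Nitro hypervisor, so the same instance role calling Decrypt from outside the enclave is refused, and KMS returns the plaintext encrypted to the enclave’s public key from that document rather than in the clear. When auditing such a deployment, confirm that no other key-policy statement or IAM policy grants kms:Decrypt on the key without this condition, because any such grant bypasses the attestation check.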

Conclusion

In this post, we introduced how Builder Vault helps organizations implement granular access controls and maintain operational efficiency while supporting their compliance requirements. The software-based implementation also enables rapid adoption of new cryptographic capabilities as digital asset technologies change.

To get started with Builder Vault on AWS, review the technical documentation and explore AWS Nitro Enclaves capabilities. For additional information about Builder Vault’s features and implementation options, visit the Blockdaemon solution page.


Blockdaemon – AWS Partner Spotlight

Blockdaemon is an AWS Software Partner and an ISO-27001 certified leader in blockchain infrastructure, providing advanced solutions with extensive protocol coverage and 70+ global points of presence.
