New versions of the Qredo API and Signing Agent are now available! To get started, just contact us here.
Qredo Logo

Qredo API

Security best practices

Overview

In this guide you'll find an overview of best practices for securing sensitive data and managing Qredo API security.

Secure sensitive data

It's the customer's responsibility to appropriately manage and safeguard sensitive data — for example, API secrets and BLS private keys.

To ensure durability and security of your sensitive data, you can apply the following high-level best practices:

  • Strong encryption
    Encrypt API secrets and BLS private keys using a robust encryption algorithm. Employ widely accepted standards suitable for your platform.

  • Key management services (KMS)
    Leverage key management services (KMS) for secure key storage and access control. Such services are widely available across multiple platforms and can be accessed cost-effectively.

  • Secure key handling
    Follow secure coding practices to handle keys securely in your application code. Avoid hard coding keys and use secure storage mechanisms.

  • Access audit
    Periodically review and audit access to API secrets and BLS private keys. Ensure that access permissions align with the principle of least privilege.

  • Disaster recovery and high availability
    Consider replicating keys and secrets across different regions for disaster recovery, high availability, and enhanced data durability.

Example: AWS KMS and Secrets Manager

For effective management of sensitive data on AWS, consider using a combination of two services :

  • AWS Key Management Service (AWS KMS) for encryption
  • AWS Secrets Manager for secure storage of sensitive data

Note: Customer-managed Keys (CMKs) in AWS KMS offer a higher level of customization and control compared to AWS-managed KMS Keys.

You can adapt similar practices across other platforms and key management services.

Manage Qredo API security

Qredo offers a range of security features to help shape the security posture of your organization in accordance with its business needs.

  • Role separation
    Implement role separation to ensure discrete roles across different API keys. For instance, maintain separate keys and roles for approving and initiating transactions. This mitigates risks arising from any key leakage and exposure.

  • API firewall
    If your environment allows, use Qredo API firewall to regulate access from specific IP addresses and network ranges. This feature can be applied on a per-API-key basis in order to lock down API ingress traffic.

  • Address whitelisting
    Address whitelisting allows regulating access to a customer-defined group of destination addresses. These addresses can accommodate externally owned addresses (EOA) and smart contracts across all supported networks. The whitelisting feature is applied on a per-portfolio basis.

  • Robust Policy management
    Configure your Admin and Transaction Policies to avoid single points of failure. We don't recommend maxing out Policy thresholds — for example, avoid setting them to 1 of 1, 3 of 3, 6 of 6, and so on. Your Policy will be fundamentally stronger if you set a threshold like 3 of 4 or 4 of 6.

  • Governance logic
    Implement governance logic on approver keys to meet your business requirements. A very simple PoC example is approving transactions that match known test networks and rejecting transactions for production networks.

    You can find an example of governance logic here:

Previous
Register BLS & EC keys
Next
Code examples