This article is part of a short series about security at Knox. You can find more details on our website on the security page.
Cold storage is the act of storing private keys such that they are never exposed to a network connection. This is a core activity for private key custodians such as Knox as it protects the encumbered UTXOs from unauthorized access via hacks or other network vulnerabilities.
Knox custody services are 100% offline, have never been connected to any network, and never will be. We handle a fully air-gapped private key lifecycle, from the use of entropy in key generation to transaction signing, key storage and archiving. The use of eternally quarantined hardware during the entire key lifecycle is essential to get this assurance in our security model.
Stateless machines are used for key generation and client account creation while proprietary hardware security modules with custom collusion-resistance logic are utilized to manage transaction processing for our clients. Briefly, Knox hardware security modules perform a signature swap between a transaction request signed by a customer’s key, and the transaction signed by an offline key held by Knox.
The Knox hardware security module has successfully passed a third-party security assessment that addressed both the security of its implementation and the security of procedures surrounding storage and usage in such an offline environment.
All other computers that interface with Knox secure modules, throughout their entire lifecycle, are air-gapped — quarantined from any network connection to minimize the attack surface and isolate attack vectors to offline concerns.
Cold storage is one fundamental security principle established at Knox. We will be sharing more details about additional technology building blocks as part of a series on security at Knox. More details on knoxcustody.com