Dominion Services

Dominion is a Private Key store encrypted and backed by an HSM-protected AES-256 master key. The main purpose is to firstly, store 32-byte Private Keys securely, and secondly, use those Private Keys to generate Ethereum-compatible signatures (secp265k1). The following diagram illustrates the various subcomponents letting Dominion accomplish these two critical functions.

Dominion Services (HSM-backed PrivKey store)

Dominion stores all Private Keys within an at-rest encrypted relational database that is replicated and highly available. On top of the at-rest and in-transition encryption, the Private Keys are encrypted firstly using a Master Key being kept in a FIPS-compatible tamper-proof highly available HSM Cluster, and the encrypted cipher is stored in the database.

Dominion uses general-purpose zoned Key Identifiers to enable the clients to manage their Private Keys using their scheme. These Key Identifiers will later be mapped to actual encrypted Private Keys stored in the database. Upon signature generation, an encrypted Private Key is decrypted using the HSM Master Key within a protected memory region only within the duration of signature generation.

Any sensitive blob of data is being maintained within Linux Guard Pages. Thanks to memguard, a Golang framework letting use Linux Guard Pages, whatever Dominion does with Private Keys is happening within these guarded memory pages.

Redis Cache is highly available and at hand to manage transient states related to async requests or to store any other cached values.