API Signer: Security Considerations
This page highlights concerns regarding the security and trust model of the Fordefi API Signer.
Does the API Signer hold an MPC share?
Yes, the API Signer holds a decrypted MPC share in memory but never stores it in persistent storage. Here's how it works:
- The API Signer stores a decryption key.
- On startup, it fetches the encrypted MPC share from the Fordefi backend and decrypts it using this key.
- The MPC share retrieved is the user’s own encrypted share — not Fordefi’s share, which is securely stored in our secure enclave.
- The Fordefi backend never has access to the decrypted MPC share. It only stores the encrypted version.
- The decryption key remains either in the user's mobile app or within the API Signer but never with the backend.
- The API Signer also holds an authentication key, which is used only to register public keys of new API Users. It is not involved in transaction signing.
Where are the keys stored in the API Signer?
The keys are stored in the Signer's Docker volume, which can optionally be encrypted.
Learn how to encrypt Docker volumes.
What if the Signer is compromised? Can an attacker access our funds?
No.
Even if an attacker gains access to the decrypted MPC share in memory, they still cannot sign valid transactions unless:
- They also obtain Fordefi’s MPC share, which is stored in a secure enclave and is never exposed.
- They compromise an API User with permissions to initiate transactions.
Even in this case, transaction policies and user permissions still apply, adding an additional layer of protection.