NFT Digital Assets With Bank-Grade Cloud Security using AWS KMS

What Exactly is KMS?

AWS KMS provides bank-grade protection for managing cryptographic keys. KMS is based on a device called a hardware security module (HSM). Every AWS cryptographic service is backed by a FIPS 140–2 validated HSM. All interactions involving your cryptographic keys are performed in the HSM itself, which ensures that every exchange is private and secured. On top of that, none of your generated keys can leave the HSM unencrypted, which helps minimize the possibility of compromise when being used in your application. KMS can be used for encrypting / decrypting and signing / verification. Both of which have practical applications when developing an app on Flow, as we’ll see in the following sections.

Why Should I Even Use KMS?

Now, why even bother using such a high level of security in your application? Wouldn’t it be enough to secure your secret blockchain-related info in environment variables? For small scale projects this may suffice, but for a larger project, in which the application processes millions of dollars worth of NFTs per second, integrating KMS into your application is well worth the investment.

How Can I Use KMS?

Integrating KMS into your Node.js Flow project is very straightforward. The package we recommend is fcl-kms-authorizer, which was designed by the Flow community. As long as you’ve gone through the necessary steps to set up AWS KMS (which can be found on the repo’s README page), using the “fcl-kms-authorizer” package to protect your Flow private key takes little to no effort:

Conclusion and outlook

In this article, we’ve taken a look at one of the best practices for securing a Flow private key in your application, and highlighted both the importance of keeping your private key secure and the benefit of using AWS KMS to manage and protect the key.


We are grateful for valuable technical discussions: Yitao Wang from Affirm Inc. and Albert Khasky from Dapper Labs.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store



Blockchain data analytics firm providing security, risk, and compliance solutions.