With one of our partners we had such a task: it was necessary to make the storage of Fiat and crypts. When the objective is something to protect, it is important to formulate a threat model: what kind of actions and penetrations should be protected and on this basis to design the architecture.
For example, in the case of response @cyrus.Shanahan63
, threat model can be briefly formulated in the following way:
1. The attacker got access to the dev API.
2. The attacker got access to the dev with bitcoind and keys to all the keys.
Then I think how to reduce the negative effect in each case.
1 case. The attacker can now sign the requests independently. The solution may be, for example, multisig, where the key is stored from the user, as part of the server. Thus, the attacker will not be able these requests to sign. But it is important to understand in what jurisdiction is the product, since there are legal nuances. We are faced with them. Another solution may be able to enforce the disconnection of a path with bitcoind in some simple way: the downtime better than lost money.
2 the case. There is nothing you can do about it. However, there are products like https://www.thalesgroup.com/en,
which provide a piece of metal, which securely stores the keys and which is considered uncrackable. In this case, the keys available as long as the physical (or virtual) card inserted into a card reader. Thus, if a system has been compromised, then it will be enough to pull the card. There are other products that are more budget.
In addition to protecting the keys, you can add protection with two-factor authentication and a third party, which may also be signed by transkey.
From the point of view of architecture, something like that, good luck in the sale )
CEO of Lenore36