Are you an LLM? Read llms.txt for a summary of the docs, or llms-full.txt for the full context.
Skip to content

Hot storage

The Hot Storage component is used to store "hot shares": shares that are required each time an operation is performed with the private key the "hot share" belongs to: log in, sign transactions, export the private key, and more.

Unlike the Cold Storage component, which is only accessed when the user logs into a new device, the hot storage handles fast, frequent access.

The hot storage doesn't include a production-ready implementation. A base implementation for development purposes is available under the hot_storage/sample directory. Implement your own version according to your needs.

The sample implementation is written in Go, uses PostgreSQL to store data, and can be configured through the environment variables shown in the docker-compose.yml file at the root of the repository.

How it works

The Hot Storage links shares to a specific device, user, and auth provider, and stores them in a database. The user is validated against the specified auth provider using the configured Auth Service.

Users must specify the user ID, auth provider, and device ID when requesting shares, and prove their identity through a JWT token issued by the specified auth service. The auth service must match the one configured when creating the share.

Hot shares are not encrypted with user entropy. However, the sample implementation encrypts all shares at rest using AES-256-GCM before storing them in the database. This protects shares if the database is compromised.

At-Rest Encryption

The sample hot storage encrypts every share with a server-side key before writing it to PostgreSQL and decrypts it on read. The encryption uses AES-256 in GCM (Galois/Counter Mode) with a random 96-bit nonce per share. The stored value is base64(nonce || ciphertext || GCM tag).

The encryption key is configured through the SHARE_ENCRYPTION_KEY environment variable, which must be exactly 64 hex characters (32 bytes). Generate one with:

openssl rand -hex 32

Even with at-rest encryption, follow best practices for database security to ensure access is properly controlled.

Specification

The full specification for the request is available in the API documentation, and a Postman collection with pre-configured calls is available at the Postman Collection.

Presented By
Openfort Logo