Fireblocks Key Link lets you integrate your organization's key management solution with our platform, so that you can leverage our robust wallet management capabilities, built-in node infrastructure, governance engine, transfer network, and automated compliance functionality.
You can seamlessly manage assets across hot, warm, and air-gapped cold storage environments from a single platform. Manage your key storage in cloud hardware enclaves or with FIPS-certified HSMs in the cloud or on-prem.
This document assumes your Key Management Infrastructure is based on an HSM. However, we allow the usage of other systems that support this framework.
Architecture
A Fireblocks Key Link workspace differs from a regular Fireblocks MPC-based workspace: several important components are hosted on the customer side, as shown in the diagram above.
The components and their responsibilities are outlined below.
- Fireblocks Agent: An open-source on-prem service (TypeScript) that needs to be hosted by the customer. It is responsible for retrieving new messages to sign from Fireblocks, relaying these messages to the customer’s HSM through the customer’s server, and returning the signed results to Fireblocks.
- Customer Server: Developed and hosted by the customer. Receives messages to sign from the Fireblocks Agent, signs the messages via the customer’s HSM, and relays them back to Fireblocks. The customer server can have any custom logic (e.g., custom on-prem policy, transaction validation, etc.) to approve or reject transaction signing requests.
- HSM Component: The actual HSM implementation. Can be on-prem, cloud-based, hot or cold HSM, or a different Key Management System.
- HSM Adaptor: An optional separate component that can, for example, communicate with an offline (cold) HSM. An online HSM setup can be part of the customer server code or a separate component.
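The approve-or-reject role of the Customer Server described above, as an added TypeScript example that is not part of the Fireblocks Agent or the Key Link API. The request shape, policy fields and function names are assumptions, and a software Ed25519 key stands in for the HSM so the code runs offline.

```typescript
// Added illustration; every name here is hypothetical, not the Fireblocks Agent or Key Link API.
import { generateKeyPairSync, sign } from "node:crypto";

// Assumed shape of a request the agent relays to the customer server.
interface SigningRequest {
  requestId: string;
  destination: string; // destination address
  amount: number;      // integer amount in the asset's smallest unit
  payloadHex: string;  // hex-encoded message to be signed
}
interface Policy { allowedDestinations: Set<string>; maxAmount: number }
type Decision =
  | { requestId: string; status: "SIGNED"; signatureHex: string }
  | { requestId: string; status: "REJECTED"; reason: string };

// Software Ed25519 key standing in for the HSM (assumption for this example).
const hsmStandIn = generateKeyPairSync("ed25519");
const hsmSign = (payload: Buffer): Buffer => sign(null, payload, hsmStandIn.privateKey);

// Returns a rejection reason, or null when the request passes every check.
function evaluatePolicy(req: SigningRequest, policy: Policy): string | null {
  // Buffer.from(x, "hex") silently truncates bad input, so validate the encoding first.
  if (!/^(?:[0-9a-fA-F]{2})+$/.test(req.payloadHex)) return "payload is not valid hex";
  if (!Number.isSafeInteger(req.amount) || req.amount <= 0) return "amount is not a positive integer";
  if (!policy.allowedDestinations.has(req.destination)) return "destination not on allowlist";
  if (req.amount > policy.maxAmount) return "amount exceeds per-transaction limit";
  return null;
}

// Policy gate: the signer is only reached when the policy approves the request.
function handleSigningRequest(
  req: SigningRequest,
  policy: Policy,
  signer: (payload: Buffer) => Buffer = hsmSign,
): Decision {
  const reason = evaluatePolicy(req, policy);
  if (reason !== null) return { requestId: req.requestId, status: "REJECTED", reason };
  const signature = signer(Buffer.from(req.payloadHex, "hex"));
  return { requestId: req.requestId, status: "SIGNED", signatureHex: signature.toString("hex") };
}

// Constructed sample policy and request.
const samplePolicy: Policy = { allowedDestinations: new Set(["addr-treasury-1"]), maxAmount: 1_000_000 };
const sampleRequest: SigningRequest = {
  requestId: "req-1", destination: "addr-treasury-1", amount: 250_000, payloadHex: "deadbeef",
};
console.log(handleSigningRequest(sampleRequest, samplePolicy).status);
```

Rejections are returned as structured decisions rather than thrown, so each one can be logged with its request ID and reason before the result goes back to the agent.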
Learn more about Getting started with Fireblocks Key Link.