Overview
The Key Management Dashboard provides a centralized interface in the Fireblocks Console for adding, viewing, and managing your validation and signing keys. This dashboard replaces the previous stats-only view, offering comprehensive key management capabilities.
Accessing the Dashboard
To access the Key Management Dashboard:
- Navigate to Settings > External Keys in your Fireblocks Console.
- You'll see key statistics at the top and tabs for managing different key types below.
Dashboard overview
The dashboard displays:
Key statistics
At the top of the dashboard, you'll see an overview of your keys:
Validation Keys
- Total number of validation keys
- Active keys (approved and ready to use)
- Inactive keys (unapproved or past their expiration date)
Signing Keys
ECDSA Keys
- Total ECDSA signing keys
- Available keys (completed proof of ownership, not yet assigned)
- Assigned keys (already assigned to vault accounts)
EdDSA Keys
- Total EdDSA signing keys
- Available keys (completed proof of ownership, not yet assigned)
- Assigned keys (already assigned to vault accounts)
Key Management tabs
Below the statistics, you'll find tabs to manage different types of keys:
- Validation keys: Manage validation keys used to authorize new signing keys
- Signing keys: Manage ECDSA and EdDSA signing keys for transaction signing
Getting started with an empty workspace
When you first access a new Key Link workspace, you'll see an empty state prompting you to add a validation key. This is the required first step, as validation keys are needed to authorize the addition of signing keys.
Managing validation keys
Validation keys are used as proof of authority when adding new signing keys to your workspace. Before you can add signing keys, you must have at least one approved validation key.
Before adding your first validation key
Before adding a validation key, you should configure your approval group for registering validation keys:
- Go to Settings > Quorums > Security & compliance > Add validation keys.
- Configure the approval group that will need to approve new validation keys.
- Learn more about approval groups.
Adding a validation key
To add a validation key:
- In the Validation keys tab, click + Add validation key.
- Upload PEM certificate: Click to upload or drag and drop your public key file after generating the validation key pair. The public key must be in PEM format.
- Set expiration: Configure an expiration date for the validation key (default: 30 days). The validation key approvers require access to the public key file to verify its integrity on mobile.
- Click Add key.
Validation key approval process
After adding a validation key:
- The key will appear in the table with a Pending approval status.
- Your configured approval group quorum must approve the key using the Fireblocks mobile app.
- Once approved, the key status changes to Active and can be used to sign certificates for signing keys.
- If a validation key is stuck in Pending approval status, you may need to refresh the page.
- If a validation key expires, its status changes to Expired and it can no longer be used to authorize new signing keys.
Validation keys table
The validation keys table displays:
- ID: The validation key identifier
- Date added: When the key was added to the workspace
- Expiration date: When the key will expire
- Status: Current key status (Pending approval, Active, Expired, Disabled)
You can:
- Refresh the table to see the latest status
- Filter by status (All, Pending approval, Approved, Expired)
- Manage keys using the three-dot menu (Show public key, Revoke key)
Managing signing keys
Signing keys are the individual keys you manage on your HSM or other FIPS-compliant devices, used to create wallets and sign transactions on Fireblocks.
Prerequisites for adding signing keys
Before adding signing keys:
- You must have at least one approved validation key in your workspace.
- You need a Fireblocks Agent API user with the Signer role configured.
- Your signing key pair must be generated on your HSM or signing device.
Adding a signing key
Adding a signing key with non-interactive proof of ownership is currently available only through the API. For details about how to add a signing key with non-interactive proof of ownership, see Getting Started with Key Link.
To add a signing key:
- In the Signing keys tab, click + Add key.
- Fill in the following fields:
- Label: Enter the key ID or label as it appears on your signing device/HSM
- Linked user: Select the Fireblocks Agent API user that will receive signing requests for this key
- PEM certificate: Upload the signed certificate (the signing key's public key wrapped in a certificate signed by your validation key)
- Review the information message about proof of ownership requirements.
- Click Add key.
For details on how to wrap a signing key with a certificate signed by a validation key, see Getting Started with Key Link.
Proof of Ownership process
After adding a signing key, it must complete proof of ownership:
- The signing key is added with status Pending proof.
- Fireblocks sends a challenge through the Fireblocks Agent.
- Your HSM signs the challenge.
- The Agent relays the signature back to Fireblocks for verification.
- Once verified, the key status changes to Pending assignment and becomes available for assignment.
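The certificate requirement and the challenge-response steps above can be rehearsed locally before a key is uploaded. The script below is an added example, not Fireblocks code or the procedure from Getting Started with Key Link. It assumes P-256 keys, SHA-256, X.509 certificates built with OpenSSL, hypothetical file names and a constructed challenge, and software keys stand in for the keys held on your HSM.

```sh
#!/bin/sh
# Added example: rehearse the certificate check and proof of ownership locally.
# Assumptions, not from the page: P-256 keys, SHA-256, X.509 via OpenSSL, the
# file names, and the challenge bytes. Software keys stand in for HSM keys.
set -eu

new_key() { openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out "$1" 2>/dev/null; }

make_chain() {  # $1 = working directory
  d=$1
  # Validation key pair plus a self-signed certificate carrying its public key.
  new_key "$d/validation.key"
  openssl req -new -x509 -key "$d/validation.key" -subj "/CN=validation-key" \
    -days 30 -out "$d/validation.crt"
  # Signing key pair; its public key is wrapped in a certificate that is
  # signed by the validation key.
  new_key "$d/signing.key"
  openssl req -new -key "$d/signing.key" -subj "/CN=hsm-key-label" -out "$d/signing.csr"
  openssl x509 -req -in "$d/signing.csr" -CA "$d/validation.crt" \
    -CAkey "$d/validation.key" -CAcreateserial -days 30 -out "$d/signing.crt" 2>/dev/null
}

check_certificate() {  # $1 = dir; succeeds only if the validation key signed signing.crt
  openssl verify -CAfile "$1/validation.crt" "$1/signing.crt" >/dev/null 2>&1
}

prove_ownership() {  # $1 = dir, $2 = private key that answers the challenge
  d=$1
  printf 'constructed-challenge-0001' > "$d/challenge.bin"
  # Signer side: the key holder signs the challenge.
  openssl dgst -sha256 -sign "$2" -out "$d/challenge.sig" "$d/challenge.bin"
  # Verifier side: check the signature against the public key in the certificate.
  openssl x509 -in "$d/signing.crt" -pubkey -noout > "$d/signing.pub"
  openssl dgst -sha256 -verify "$d/signing.pub" -signature "$d/challenge.sig" \
    "$d/challenge.bin" >/dev/null 2>&1
}

work=$(mktemp -d)
make_chain "$work"
check_certificate "$work" && echo "certificate: signed by the validation key"
prove_ownership "$work" "$work/signing.key" && echo "proof of ownership: verified"
new_key "$work/other.key"
prove_ownership "$work" "$work/other.key" || echo "proof of ownership: failed for a key that is not in the certificate"
```

A certificate that fails `check_certificate`, or a signature that fails `prove_ownership`, corresponds to the conditions listed under the Failed status in Troubleshooting.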
Signing Keys Table
The signing keys table displays:
- Key ID: The label/ID you assigned to the key
- Algorithm: The key algorithm (ECDSA or EdDSA)
- Vault account: The vault account the key is assigned to (or "Unassigned")
- Linked user: The Fireblocks Agent user associated with this key
- Date added: When the key was added to the workspace
- Status: Current key status (Pending proof, Pending assignment, Active, Failed)
You can:
- Search for keys by key ID prefix
- Filter by:
- Algorithm (ECDSA, EdDSA)
- Status (All, Active, Pending proof, Pending assignment, Failed)
- Linked user (filter by specific Agent user)
- Sort by any column
- Refresh the table to see the latest status
- Manage keys by clicking the Manage button on each row
Note: The signing keys table is paginated. Use filters and search to find specific keys quickly.
Assigning signing keys to Vault accounts
Once a signing key is Pending assignment, you can assign it to a vault account. Each vault account can have one ECDSA key and one EdDSA key assigned.
To assign a key from the Key Management Dashboard:
- In the Signing keys tab, find an available key (status: Pending assignment).
- Click the Manage button on a specific key’s row.
- In the modal, select a Vault account from the dropdown.
- Click Save.
To assign a key from the Vault Account page:
- Go to Accounts and select a vault account.
- If the account is missing an ECDSA or EdDSA key, you'll see an option to Assign key.
- Click Assign key and select from the available keys.
- Click Assign.
Once assigned, the key will appear in the vault account's Key Information section and can be used to create asset wallets.
Viewing assigned keys on Vault accounts
For vault accounts with assigned keys:
- Navigate to the vault account in Accounts.
- The Key Information section displays:
- Key ID for each assigned key
- Algorithm (ECDSA or EdDSA)
- Linked user
- Date added
- Click Show all keys to jump to the Key Management Dashboard.
Key status definitions
Validation key statuses
- Pending approval: Waiting for approval group to approve via mobile app
- Active: Approved and can be used to authorize signing keys
- Expired: Past its expiration date, cannot authorize new signing keys
- Canceled: The approval request was canceled before approval
Signing key statuses
- Pending proof: Pending proof of ownership verification
- Pending assignment: Verified and ready to be assigned or already in use
- Failed: Proof of ownership verification failed, or another error occurred
- Active: Assigned to a vault account
Troubleshooting
Validation key stuck in "Pending approval"
- Verify your approval group members have the latest version of the Fireblocks mobile app (minimum version 2.7.0).
- Check that approval group members have received and can see the approval request in the mobile app.
- Contact your workspace Admin if the approval request is not visible.
Signing key status is "Failed"
- The proof of ownership verification might have failed.
- Verify that:
- The PEM certificate was signed by an approved validation key.
- The Fireblocks Agent is running and properly configured.
- Your customer server and HSM function properly, and the signature on the proof of ownership request is valid.
- You may need to remove the failed key and add it again with the correct certificate.
- Contact support if you need further assistance.
Cannot assign key to vault account
- Verify the key status is Pending assignment.
- Check if the vault account already has a key of that algorithm (ECDSA or EdDSA) assigned.
- Each vault account can only have one key per algorithm type.
Signing keys not appearing in table
- The table is paginated - scroll down to load more results.
- Use the search and filter functions to locate specific keys.
- Click the refresh button to reload the latest data from the server.
API alternative
While the Key Management Dashboard provides a user-friendly interface for key management, all operations can also be performed via the Fireblocks REST API:
- Add validation keys
- Add signing keys
- List signing keys
- List validation keys
- Assign keys to vault accounts
Related articles
- Fireblocks Key Link Overview
- Getting Started with Fireblocks Key Link
- Set up your Fireblocks Vault with Key Link