Best Practices

Provider Selection

Never use local in production. It provides no key protection, audit trail, or rotation capability.

Key Management

1. Use IAM roles, not static credentials. On AWS, attach roles to EC2/ECS/EKS. On GCP, use Workload Identity. On Azure, use Managed Identity.

2. Enable key usage logging. All cloud KMS providers support audit logging — enable it and monitor for anomalous signing patterns.

3. Rotate keys regularly. Create new key versions and migrate gradually. Cloud KMS providers support automatic key rotation.

4. Separate signing keys from password keys. The HSM signer key and the ZapDB password decryption key should be different KMS keys with different IAM policies.

Network Security

1. Zymbit devices should be on an isolated network segment. If not on localhost, use TLS for the REST API connection.

2. MPC nodes should communicate over PQ TLS (already the default with X25519MLKEM768 key exchange).

3. Never expose KMS credentials in logs, error messages, or config files.

Testing

1. Use local signer in tests — it's fast and deterministic per keyID.

2. Test PQ signatures before deploying — ML-DSA signatures are ~46x larger than ECDSA. Ensure your transport and storage can handle ~3.3KB signatures.

3. Run concurrent tests — the HSM package is thread-safe, but your integration code should be tested under concurrent load.

func TestConcurrentSigning(t *testing.T) {
    signer, _ := hsm.NewSigner("local", nil)
    var wg sync.WaitGroup
    for i := 0; i < 100; i++ {
        wg.Add(1)
        go func() {
            defer wg.Done()
            sig, _ := signer.Sign(ctx, "key", msg)
            ok, _ := signer.Verify(ctx, "key", msg, sig)
            assert.True(t, ok)
        }()
    }
    wg.Wait()
}

Monitoring

Compliance