Main featured post image
5 Essential Security Features Your Wallet Provider Should Have
Your embedded wallet provider should have these five essential security features: key generation in secure hardware, policy verification, transaction signing, built-in risk checks, and comprehensive audit trails for robust blockchain security.

Security is absolutely paramount in the world of blockchains where one private key compromise can result in hundreds of millions of dollars of irrecoverable digital assets. As businesses increasingly adopt digital assets, choosing the right embedded wallet provider becomes crucial. Let's explore five essential security features that your embedded wallet provider should offer, and how Bastion implements these to ensure the highest level of protection for your digital assets.

Secure Hardware-Based Key Generation

The foundation of wallet security lies in the generation of cryptographic keys. It's crucial that these keys are generated within dedicated secure hardware, ensuring that no employee or external party can access them in cleartext. Your wallet provider should:

  • Leverage Nitro Secure Enclaves and Hardware Security Modules (HSMs) for key generation, configured with least privileged access both from administrators and backend services.
  • Ensure private keys are only generated and used inside Enclaves and HSMs designed to resist physical tampering.
  • Provide a secure environment across hardware, software, and operations for cryptographic operations, significantly reducing the risk of key exposure, even in the event of a breach in other parts of the system.

Security Policy Verification and Transaction Signing Inside Secure Hardware

Security doesn't stop at key generation. Your wallet provider should offer robust policy verification, access authorization, and transaction signing—all within the same secure hardware. This integration ensures that even if backend services are compromised, your keys remain protected. Essential features should include:

  • Multi-signature (m-of-n) quorum support
  • Time-based and amount-based withdrawal limits
  • Whitelisted address functionality

All these security policies should be enforced directly within secure hardware, providing an additional layer of protection against potential attacks.

The authorization layer is generally the weakest point alongside security of code updates so it's critical to ask more information to your wallet provider on how access to the keys is secured.

Hardware-Enforced Code Signing and Multi-Step Approval Process

The code running on secure hardware is critical to the overall security of the wallet. Your provider should implement:

  • Hardware-enforced code signing
  • A rigorous approval process for any changes

At Bastion, we've implemented a multi-step review, approval, and signing process for any changes to our secure hardware code. This process involves multiple team members and requires various levels of authorization, significantly reducing the risk of malicious code injection or unauthorized changes.

Built-in Risk Checks for Transactions

A robust wallet solution should go beyond basic transaction processing. It should include built-in risk checks for both incoming deposits and outgoing withdrawals to protect users from interacting with potentially risky assets. Your wallet provider should:

  • Incorporate advanced risk assessment algorithms that analyze:
    • Transaction patterns
    • Known high-risk addresses
    • Unusual activity indicators

These checks help ensure that clients and their users are protected from potential fraud or interaction with sanctioned entities.

Comprehensive Audit Trails and Reporting

While not directly a security feature, comprehensive audit trails and reporting are crucial for maintaining security over time. They allow for quick detection of any unusual activity and provide valuable insights for continuous security improvements. Your provider should implement a detailed, tamper-evident audit logs for all key operations, including:

  • Key generation events
  • Policy changes
  • All transactions (approved and denied)

These logs should be securely stored and easily accessible, allowing for efficient security audits and regulatory compliance.


In conclusion, these five security features form the backbone of a robust embedded wallet solution. At Bastion, we've built our platform with these principles at its core, ensuring that our clients benefit from the highest levels of security in the digital asset space.

Are you ready to elevate your blockchain security? Subscribe to our blog for more insights into cutting-edge wallet security practices. To learn more about how Bastion's wallet solution incorporates these essential features and can be tailored to your specific needs, reach out to our team today. Let's build a secure digital asset future together.