02 February 2023

NOAH Key Enclave: A Fortress for Your Bitcoin Wallet Keys

We’re excited about Key Enclave technology for secure key storage in mobile Bitcoin wallets. However, it’s important to keep in mind that our Key Enclave technology is still in the development stage and is not yet available for use. We look forward to the full implementation of self-custody key storage later this year.


Key Enclave

At NOAH, we understand the importance of keeping your keys safe and secure, which is why we've worked tirelessly to provide the next billion people with the perfect combination of security, usability, and trustlessness.

Mobile Bitcoin wallets often store users' keys on the mobile device and back them up, encrypted, to cloud drives. With Key Enclave, users can protect their keys more securely, and the need for manual key entry on another device is eliminated. However, users are still advised to write down their seed phrase for emergency recovery, for example if they forget their PIN. Key Enclave allows easy key recovery across devices using a PIN and provides an additional layer of security.

Key Enclave is a key storage solution that lets the NOAH wallet restore keys which Key Enclave will decrypt only for a user who supplies their PIN code or passes biometric authentication. Even though NOAH provides Key Enclave, the user stays in complete control, because it runs in an isolated compute environment called Nitro Enclave. This ensures that the specific Key Enclave program is attested and is the only program able to decrypt user keys. Any attempt by NOAH, or any other entity, to modify the Key Enclave so that it leaks key data would leave the modified Enclave unable to decrypt keys.

In short, Key Enclave is like a fortress for your keys, with a moat of biometric authentication and a drawbridge of PIN codes.

Utilizing Enclave

Key Enclave technology is particularly useful for keys that are protected with a simple PIN code. Storing keys that are encrypted with a PIN code in cloud storage would not be secure, as an attacker could simply try each PIN combination to decrypt the key. With Key Enclave, the user's key is strongly encrypted, and knowledge of the PIN is required for the Enclave to decrypt the key.

NOAH wallet leverages Key Enclave technology to store key material, providing flexible options for key restoration in both Non-Custody and Self-Custody wallet scenarios. At its core, Key Enclave is a secure storage solution that can be used independently or in conjunction with other solutions to restore cryptographic keys. However, it's important to note that users should always write down the seed phrase of their key for recovery purposes, and familiarize themselves with the technical choices made by their wallet.

[Figure: Storing User Key]

[Figure: Restoring User Keys]

This solution for secure yet flexible key management has been on the drawing board at NOAH since our inception. Custody and management of keys is the key factor in Bitcoin wallets, and it requires heavy innovation by our industry.

Engineering Challenges

To wrap up, our relentless pursuit of security and user trust has led us to develop an innovative and secure mobile Bitcoin wallet using Nitro Enclave technology. We faced various engineering challenges along the way but were ultimately able to overcome them and deliver a solution that meets our goal.

We wanted to create a mobile Bitcoin wallet that keeps user funds safe and doesn't require trust in the wallet provider. To do this, we created an isolated environment using Nitro Enclave technology, which adds an extra layer of security to the user-provided PIN code. This isolated environment is highly restricted, can only be accessed through a virtual socket, and does not allow access to many machine resources or any data persistence.

First, we looked at technologies that provide isolated computing and found that Intel SGX or Nitro Enclave would be suitable for our solution. Initially, we were drawn to Intel SGX because its key is inherent to the CPU itself. However, we soon realized that this level of CPU isolation presented a significant security vulnerability. An attacker with access to the Enclave could attempt to brute force all PIN combinations without leaving a trace. Instead, we decided to leverage Nitro Enclave’s Key Management System for Decryption, which allows for more transparent monitoring of each PIN attempt on the Enclave level.

We also faced the challenge of enforcing the PIN attempt limit of User Keys without trusting the wallet provider. To solve this, we use the Key Management System to monitor each decrypt attempt, which allows us to verify an identifier of the specific User Key and prove successful PIN attempts. A separate organization can use this information to detect any breach of the PIN attempt limit by the wallet provider and automatically halt Enclave decryption.
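The audit described above, sketched as an added example (not NOAH's code): an independent monitor replays decrypt records and flags any User Key whose run of unproven decrypt attempts exceeds the limit. The record schema, the limit of 5 and the reset-on-success rule are assumptions; the post specifies none of them.

```python
from collections import defaultdict
from dataclasses import dataclass

PIN_ATTEMPT_LIMIT = 5  # assumed policy value; the post does not state the limit


@dataclass(frozen=True)
class DecryptEvent:
    """One decrypt record as the auditor sees it (hypothetical schema)."""
    seq: int            # position in the append-only decrypt log
    user_key_id: str    # identifier of the User Key being decrypted
    pin_ok_proof: bool  # True when the record proves a successful PIN attempt


def audit(events, limit=PIN_ATTEMPT_LIMIT):
    """Return {user_key_id: seq} for each key whose run of unproven decrypt
    attempts exceeded the limit; seq is the first offending record."""
    unproven = defaultdict(int)
    breaches = {}
    for ev in sorted(events, key=lambda e: e.seq):
        if ev.pin_ok_proof:
            unproven[ev.user_key_id] = 0  # assumed: a proven success resets the run
            continue
        unproven[ev.user_key_id] += 1
        if unproven[ev.user_key_id] > limit and ev.user_key_id not in breaches:
            breaches[ev.user_key_id] = ev.seq
    return breaches


def should_halt(events, limit=PIN_ATTEMPT_LIMIT):
    """Auditor's decision: halt Enclave decryption if any key breached the limit."""
    return bool(audit(events, limit))


# Constructed sample log: key-A mistypes twice and then succeeds,
# key-B receives seven decrypt attempts with no proven success.
SAMPLE_LOG = (
    [DecryptEvent(1, "key-A", False),
     DecryptEvent(2, "key-A", False),
     DecryptEvent(3, "key-A", True)]
    + [DecryptEvent(10 + i, "key-B", False) for i in range(7)]
)

if __name__ == "__main__":
    print("breaches:", audit(SAMPLE_LOG))
    print("halt decryption:", should_halt(SAMPLE_LOG))
```

The check only works if every decrypt is forced through a log the wallet provider cannot suppress or edit, which is the property the post attributes to routing decryption through the Key Management System.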

Please be aware that: Cryptocurrencies are unregulated in the UK; Cryptocurrencies are not protected under Financial Ombudsman Service or Financial Services Compensation Scheme (FSCS); Profits may be subject to capital gains tax; The value of investments can go down as well as up.
