Securing Ethereum Blockchains with Thales Luna HSMs and PegaSys Plus 1.2

PegaSys Plus v1.2 offers support for storage of node keys using a Luna Network HSM module.

The Threat to Blockchain Security 

Blockchain technology comes with the promise of a tamper-proof and immutable distributed ledger. These promises have come true, but that doesn’t mean there aren’t attack vectors when it comes to real-world applications. One of these vulnerabilities is the secure storage of cryptographic keys that are used for various operations. An attacker who gains access to a key can take control of an account or an Ethereum client, drain its funds, or cause it to behave against the owner’s intentions. This is why further security of those keys is critical, and ensuring their integrity within a secure environment such as an HSM is paramount.

The Role of an HSM

Digital security is dependent on cryptographic keys that encrypt and decrypt data and perform functions such as signing and signature verification. A physical HSM deployed on-premises or in the cloud is a dedicated device that is specifically designed for the protection of cryptographic keys, acting as a trust anchor and protecting your cryptographic infrastructure by securely managing, processing, and storing cryptographic keys inside a hardened, tamper-resistant device.



Luna Network HSMs are purposefully designed to provide a balance of security and high performance, supporting the operations that require use of those keys. Moreover, the keys never leave the secure enclave, reducing the risk of keys being exposed to potential attackers. Luna HSMs offer the most certifications including Common Criteria, FIPS 140-2, ITI and more, helping you meet your compliance needs, and protect your keys wherever your applications and workloads run with on-premises and cloud-based hybrid solutions.

PegaSys Plus Integrated with Luna Network HSM

The safeguarding process for validator nodes is a key focus area for an enterprise application using a Proof-of-Work consensus algorithm such as IBFT2.0. This is essential as validator nodes alone control the network, and their misuse can inadvertently cause chains to fork or, in extreme cases, can cause networks to halt. Protecting the keys associated with these nodes is critical, and with PegaSys Plus 1.2 you get the safety and security of the validator private keys being generated, and stored inside the Luna HSM.

PegaSys Plus now includes a security module that when defined with a Luna Network HSM can sign all cryptographic operations required at a node, including peering with others on the network and generating new blocks. This means you always know the whereabouts of your keys, as the private key associated with a node never leaves the confines of the FIPS 140-2 Level 3 Luna HSM, greatly increasing the security and safety of the Ethereum node.

“Thales is pleased to provide an essential root of trust to the PegaSys Plus platform.” said Todd Moore, Vice President of Encryption Products at Thales. “By adding Luna HSM to the PegaSys equation, an organization’s users, devices and applications are protected and verified from end to end, ensuring integrity and visibility across the entire blockchain without any compromise to performance or added complexity.”     

What’s Next?

Taking this support further and enabling Luna HSM use for transactions and Ethereum keys associated with wallets that contain funds, is another real-world application we would like to tackle. Safety and security is everyone’s responsibility, and at PegaSys we want to enable all our users to be able to make use of the tools at their disposal.

Check out our documentation to find out more about how you can make use of this new capability to secure your enterprise Ethereum node!

Interested in learning more about how you can make use of the Luna Network HSM support with PegaSys Plus? 
Contact Us