Enterprise-Grade Blockchain Key Management

Secure your blockchain assets with military-grade key management. HashiCorp Vault integration, automated key lifecycle management, and enterprise compliance features for maximum security and peace of mind.

Security Architecture

HSM vs. software keys — and which blockchain keys need which

Not all keys are equal. A dev peer's TLS cert and a channel admin's signing key have radically different blast radii if compromised. Here's how to think about key placement for a Hyperledger network.

| Property | Software (Vault) | HSM |
|---|---|---|
| Key storage location | Encrypted file on disk or in memory | Inside tamper-evident hardware boundary |
| Private key ever leaves secure boundary | Yes — exported for signing operations | Never — signing done inside the HSM |
| Compromise if server is rooted | Keys can be extracted from memory | HSM wipes keys on tamper detection |
| FIPS 140-2 Level | Level 1 (software only) | Level 3 or 4 (hardware-validated) |
| Transaction throughput | High — CPU-bound only | Lower — limited by HSM signing rate |
| Cost | Near zero — bundled with Vault | $5 k–$50 k hardware + maintenance |
| Right for | Dev, test, and most production networks | Root CA keys, validator keys, regulated environments |

Blockchain-specific key types — and their risk level

Signing keys (peers & validators)

Risk level: High

Used to sign blocks, transactions, and endorsements. Compromise means a malicious actor can impersonate a peer or validator. Rotate on a schedule and immediately on suspected exposure.

TLS keys (inter-node communication)

Risk level: Medium

Secure gossip between peers and orderers. Separate from signing keys — compromise only affects in-transit confidentiality, not ledger integrity. Annual rotation is typical.

Admin identity keys

Risk level: Critical

Control channel config changes, chaincode lifecycle approvals, and node management. Should be stored offline or in HSM. Never on application servers.

Client/application keys

Risk level: Medium

Sign transaction proposals on behalf of end users or services. Scoped by MSP role. Rotate frequently; use short-lived enrollment certificates where possible.

How Security Works

Protect Your Blockchain Assets with Enterprise-Grade Key Management

# Generate new blockchain keys with policies
chainlaunch security keys generate \
  --key_type "fabric_peer" \
  --organization "Org1MSP" \
  --key_policy "enterprise_keys" \
  --backup_enabled true \
  --hsm_protected true

# Set up automated key rotation
chainlaunch security rotation schedule \
  --key_pattern "fabric_peer_*" \
  --rotation_interval "90d" \
  --approval_required true \
  --notification_email "security@company.com"

# Configure multi-signature requirements
chainlaunch security multisig configure \
  --key_id "fabric_peer_org1_admin" \
  --required_signatures 3 \
  --authorized_signers "admin1,admin2,admin3,admin4"

# Key operations require approval workflow:
# 1. Key operation requested
# 2. Security team approval
# 3. Multi-signature validation
# 4. Operation executed with full audit trail

Key Management Features

Vault-backed security for every key in your network

Blockchain keys control assets, identities, and governance. ChainLaunch treats each key type with the access controls and lifecycle policies it requires — not a one-size-fits-all approach.

Transit & PKI secret engines

HashiCorp Vault Integration

ChainLaunch uses Vault's Transit Secret Engine as a crypto-service proxy: keys are generated inside Vault, signing operations are performed inside Vault, and the raw private key bytes are never exposed to the application layer. The PKI Secret Engine manages the full certificate hierarchy — root CA, intermediate CAs, and leaf certificates — with configurable TTLs and auto-renewal.

  • Transit Engine: ECDSA-P256 key generation, sign, verify — private key never leaves Vault
  • PKI Engine: root CA, org-level intermediate CAs, and leaf certs for peers, orderers, and clients
  • Dynamic secrets: time-limited Vault tokens scoped to specific key paths per service
  • Audit log: every sign, verify, and key-create operation recorded with requester identity and timestamp
  • Self-hosted or HCP Vault — ChainLaunch works with both deployment models
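
Added example, not ChainLaunch or Vault code: Hyperledger Fabric accepts an ECDSA signature only when its s value lies in the lower half of the curve order, and a Transit signature (`vault:v1:` followed by base64 ASN.1 DER, Vault's default marshaling) is not guaranteed to be in that form, so a signer that delegates to Transit normalizes s before passing the signature on. The function names and the sample signature are constructed for illustration.

```python
import base64

# Order n of the NIST P-256 group (public curve constant).
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551

def read_int(der: bytes, pos: int):
    """Read one DER INTEGER at pos; return (value, next position)."""
    if pos + 2 > len(der) or der[pos] != 0x02:
        raise ValueError("expected DER INTEGER")
    end = pos + 2 + der[pos + 1]
    if der[pos + 1] == 0 or end > len(der):
        raise ValueError("bad INTEGER length")
    return int.from_bytes(der[pos + 2:end], "big"), end

def parse_der(der: bytes):
    """Decode SEQUENCE { r INTEGER, s INTEGER } into (r, s)."""
    if len(der) < 8 or der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER ECDSA signature")
    r, pos = read_int(der, 2)
    s, pos = read_int(der, pos)
    if pos != len(der) or not (0 < r < P256_N and 0 < s < P256_N):
        raise ValueError("r or s out of range, or trailing bytes")
    return r, s

def encode_der(r: int, s: int) -> bytes:
    """Encode (r, s) as minimal DER; a 0x00 pad keeps integers positive."""
    body = b""
    for v in (r, s):
        raw = v.to_bytes(v.bit_length() // 8 + 1, "big")
        body += b"\x02" + bytes([len(raw)]) + raw
    return b"\x30" + bytes([len(body)]) + body

def to_low_s(vault_signature: str) -> bytes:
    """Turn a 'vault:v<N>:<base64 DER>' signature into low-S DER bytes."""
    prefix, version, b64 = vault_signature.split(":", 2)
    if prefix != "vault" or not version.startswith("v"):
        raise ValueError("not a Vault Transit signature")
    r, s = parse_der(base64.b64decode(b64, validate=True))
    if s > P256_N // 2:
        s = P256_N - s  # (r, n - s) verifies exactly like (r, s)
    return encode_der(r, s)

if __name__ == "__main__":
    # Constructed sample, not a real signature: s sits in the upper half.
    sample = "vault:v1:" + base64.b64encode(encode_der(7, P256_N - 5)).decode()
    print(parse_der(to_low_s(sample)))
```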

Threshold signing, governance

Multi-Signature & Approval Workflows

High-value operations — adding a validator, approving a chaincode lifecycle step, signing a channel config update — should require sign-off from more than one person. ChainLaunch implements m-of-n approval workflows where the operation is only executed after the required number of authorized approvers sign it, with a full audit trail of each approval.

  • Define threshold policies per key or operation type (e.g., 2-of-3 for channel admin actions)
  • Approval request sent to designated approvers via the ChainLaunch UI or email
  • Time-bound approvals — requests expire if not fulfilled, preventing stale authorizations
  • Hardware token support: approvers can sign with YubiKey or FIDO2 device
  • Emergency break-glass procedure with separate approver set and mandatory alert
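
Added example, not ChainLaunch's implementation: the policy check behind an m-of-n, time-bound approval, using the 3-of-4 signer set from the CLI snippet earlier on the page. It assumes each approval's signature (for instance from a hardware token) was verified before this step; the `Approval` record, the function names and the sample request are constructed.

```python
import hashlib
import json
from dataclasses import dataclass

@dataclass(frozen=True)
class Approval:
    approver: str     # identity whose signature was already verified
    op_digest: str    # digest of the operation the approver reviewed
    signed_at: float  # Unix time of the approval

def operation_digest(operation: dict) -> str:
    """Hash a canonical form so an approval binds to one exact operation."""
    canonical = json.dumps(operation, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def evaluate(operation, requested_at, ttl, approvals, signers, threshold, now):
    """Return (allowed, valid_approvers, rejected) for an m-of-n request."""
    if now > requested_at + ttl:
        return False, set(), [("*", "request expired")]
    digest, valid, rejected = operation_digest(operation), set(), []
    for a in approvals:
        if a.approver not in signers:
            rejected.append((a.approver, "not an authorized signer"))
        elif a.op_digest != digest:
            rejected.append((a.approver, "approved a different operation"))
        elif not requested_at <= a.signed_at <= now:
            rejected.append((a.approver, "outside the request window"))
        elif a.approver in valid:
            rejected.append((a.approver, "duplicate approval"))
        else:
            valid.add(a.approver)
    return len(valid) >= threshold, valid, rejected

if __name__ == "__main__":
    # Constructed request mirroring the 3-of-4 policy in the CLI snippet.
    op = {"action": "channel_config_update", "key_id": "fabric_peer_org1_admin"}
    d = operation_digest(op)
    signers = {"admin1", "admin2", "admin3", "admin4"}
    got = [Approval("admin1", d, 100), Approval("admin1", d, 110),
           Approval("admin2", d, 120), Approval("mallory", d, 130)]
    print(evaluate(op, 90, 3600, got, signers, 3, 200))
```

Counting distinct approvers rather than approvals, and comparing each approval's digest with the operation about to run, is what stops one signer approving twice or an old approval being replayed against a modified request.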

Rotation, compliance, audit

Key Lifecycle & Compliance

Keys have a lifespan. Rotation policies should be automatic, not manual tasks that get postponed. ChainLaunch enforces rotation schedules per key type, generates compliance evidence automatically, and maps its controls to the frameworks your auditors care about — SOC 2, ISO 27001, GDPR, and PCI-DSS.

  • Scheduled key rotation: configurable per key type (TLS annually, signing quarterly, admin on demand)
  • Zero-downtime rotation: new cert issued and distributed before old one is revoked
  • SOC 2 Type II: availability and confidentiality controls mapped to key management operations
  • GDPR: participant identity keys tied to right-to-erasure workflow with documented key destruction
  • Immutable audit export: tamper-evident log of every key operation for external auditor review

What's Included

Everything you need, fully managed

Every ChainLaunch managed plan comes with enterprise-grade features built in.

  • RBAC + 2FA

    Role-based access control with two-factor authentication across all users

  • HashiCorp Vault integration

    Enterprise-grade key and secrets management out of the box

  • Enhanced audit logs

    Tamper-evident audit trail for compliance and security monitoring

  • Real-time monitoring

    Live block, transaction, and node health metrics with alerting

  • Federated metrics

    Cross-network metrics aggregation and analysis for multi-org deployments

  • Advanced analytics

    Comprehensive reporting and dashboards across all your networks

  • Automated cert management

    Certificate lifecycle handled automatically — no manual PKI work

  • Priority support

    Direct access to the ChainLaunch engineering team during business hours

  • Zero-downtime upgrades

    Roll out chaincode and orderer upgrades without interrupting transactions

  • Enterprise security

    Network isolation, encrypted storage, and SOC 2-aligned controls

FAQs

Frequently Asked Questions

How quickly can I get a blockchain network running?
With ChainLaunch managed cloud, you can have a running Hyperledger Fabric or Besu network in under 5 minutes. Just book a call, choose your setup, and we handle provisioning, configuration, and deployment.

What blockchains does ChainLaunch support?
ChainLaunch supports Hyperledger Fabric, Fabric X, and Hyperledger Besu — three distinct products. Fabric is the established permissioned blockchain framework; Fabric X is its next-generation evolution with improved architecture; and Besu is an enterprise Ethereum client for EVM-compatible networks. You can deploy single-org networks for development or multi-org consortiums for production use.

Can I connect nodes from multiple companies?
Yes. ChainLaunch includes node sharing capabilities that let you connect and manage blockchain nodes across different organizations. You can generate invitations, share nodes bidirectionally, and sync external nodes — making consortium management straightforward.

Can ChainLaunch support production deployments, not just PoCs?
Yes. ChainLaunch is designed for both PoC and production environments. It includes RBAC, SSO, automated backups, HashiCorp Vault key management, audit logging, block explorer, and SLA guarantees. Book a call to discuss what your production setup requires.

What happens if I need to scale?
ChainLaunch can grow with your project — from a small proof of concept to a full multi-org production network. Contact us to discuss dedicated infrastructure, custom node counts, or any specific requirements.

How does ChainLaunch handle security and key management?
ChainLaunch implements role-based access control (RBAC), SSO integration (Okta, Auth0, Keycloak), comprehensive audit logging, and encrypted key storage. Enterprise customers get optional HashiCorp Vault integration for maximum compliance and control. All managed instances run on dedicated servers with SSH key-based access.

Ready to Secure Your Blockchain Assets?

Don't leave your blockchain assets vulnerable. Implement enterprise-grade key management with military-level security.

ChainLaunch Pro: Includes HashiCorp Vault integration, automated lifecycle management, HSM support, and premium security support. Pricing tailored to your organization.

David Viejo, founder of ChainLaunch


Founder & CTO · 6+ years blockchain · Responds within 24h

Questions about enterprise security? Contact us at support@chainlaunch.dev