// GLOSSARY -- SECURITY & COMPLIANCE

What is Key Management?

1 min read Updated

Key management encompasses the practices and systems for securely generating, storing, distributing, rotating, and revoking cryptographic keys — the foundation of all blockchain wallet security.

WHY IT MATTERS

The security of every blockchain wallet ultimately rests on key management. It doesn't matter how sophisticated your spending controls are if the private key is stored in a .env file on a compromised server. Key management is the bedrock.

For agent wallets, key management faces unique challenges. The key must be accessible to software (for programmatic signing) but protected from attackers, other agents, and even the agent's own LLM (which could be manipulated through prompt injection to exfiltrate key material).

Modern approaches include HSMs (Hardware Security Modules), TEEs (Trusted Execution Environments), MPC key management services (Turnkey, Fireblocks), and cloud KMS solutions (AWS KMS, GCP Cloud HSM). Each offers different tradeoffs in security, latency, cost, and operational complexity.

HOW POLICYLAYER USES THIS

PolicyLayer separates key management from spending control. You handle key security with your preferred solution (MPC, HSM, cloud KMS). PolicyLayer handles what gets signed — ensuring transactions comply with policies regardless of how keys are managed.

FREQUENTLY ASKED QUESTIONS

What's the safest way to manage agent wallet keys?
Use a dedicated key management service (Turnkey, Fireblocks) or cloud KMS. Never store raw keys in environment variables, code, or config files. Use MPC for distributed security. Rotate keys regularly.
Should the LLM ever have access to private keys?
Absolutely not. The LLM should never see, generate, or process private key material. Key management should be handled by the runtime infrastructure, completely isolated from the LLM's context.
How often should agent keys be rotated?
Regularly — monthly or quarterly for routine rotation, immediately if compromise is suspected. Smart account architectures make key rotation easier since the account address doesn't change when you swap the signing key.

FURTHER READING

Enforce policies on every tool call

Intercept is the open-source MCP proxy that enforces YAML policies on AI agent tool calls. No code changes needed.

npx -y @policylayer/intercept
github.com/policylayer/intercept →
// GET IN TOUCH

Have a question or want to learn more? Send us a message.

Message sent.

We'll get back to you soon.