Non-custodial key management.
Keys never touch the app.
Eraivo manages signing keys inside a hardware security module behind a KMS boundary, so application code can request signatures without ever holding key material.
Keys are generated inside the HSM and used through a KMS signing interface. The application calls for a signature; the key never leaves the enclave.
This removes the most common Web3 key-exfiltration path: plaintext keys sitting in a hot wallet in process memory.
Key handling is built for least privilege:
- Key rotation without redeploying application code.
- Per-operation signing policy and scoping.
- Isolation between application and signing boundary.
- Auditable signing requests.
What is the difference from a hot wallet?
A hot wallet holds plaintext keys in memory. Eraivo keeps keys in an HSM; the application only requests signatures.
How does this compare to MPC?
Both avoid a single plaintext key in app memory. Eraivo's model is HSM/KMS-backed signing with auditable, policy-scoped requests.
Can keys be rotated?
Yes, without redeploying application code.