Introduction

When integrating your product with Turnkey, it is critical to understand which security tasks are Turnkey’s responsibility, and which tasks are your responsibility. Turnkey provides secure, scalable, and programmable crypto infrastructure. Flexibility is at the core of our product, which means you have the freedom to integrate Turnkey in ways that may or may not fully meet your product’s security requirements. As detailed below, you are responsible for securing both your Turnkey organization, and your integration with Turnkey.

Turnkey’s responsibility: Security of the platform

Turnkey is responsible for securing the infrastructure that runs the services offered by Turnkey. This includes the security of all Turnkey-authored code, from the code running within our enclaves to our SDKs, and everything in between. Turnkey commits to securing the Confidentiality, Integrity, and Availability of the Turnkey platform. Turnkey’s responsibilities therefore include:
  • Maintaining the confidentiality of secret materials stored with Turnkey, in particular but not limited to cryptocurrency private keys;
  • Ensuring the integrity of all end user requests that are made to Turnkey’s system and all data associated with those requests; and
  • Providing constant availability of Turnkey’s services.
Turnkey also offers multiple options for various components of Turnkey’s product in order to accommodate customers with varying security and user experience profiles. This allows each Turnkey customer to choose a security approach tailored to their specific needs.

Customer’s responsibility: Security using the platform

Customers are responsible for the decisions they make when using Turnkey. Each customer’s unique product and threat model play a critical role in determining the appropriate configurations and integration patterns, including choices that could impact security. Customers are responsible for securely integrating their product with Turnkey. Turnkey provides extensive documentation and examples for building multiple products, including guidance on authentication flows, appropriate feature selection, credential management, and more. Each customer’s implementation choices differ significantly based on the unique integration of Turnkey, and therefore the ultimate responsibility remains with the customer to select the right approach. In addition, customers are responsible for securing their Turnkey organizations. This requires the proper configuration for the root quorum, appropriate backups for authenticators, and properly securing authenticator credentials, such as API keys.

Illustrations of the shared responsibility model

Authentication and Authorization

  • Turnkey is responsible for ensuring authentication correctness and that any action taken within an authenticated context is unable to exceed previously granted permissions.
  • Customers are responsible for ensuring that authorization permissions are appropriately configured for each user and that user authentication credentials are securely managed.

Policies

Turnkey has built and maintains a policy engine, which is the foundation for granular controls and permissions when using Turnkey. Customers are able to use the policy engine to define key- and wallet-use policies specific to their needs.
  • Turnkey is responsible for ensuring that policies are always evaluated correctly, reflecting the policy as authored by the customer.
  • Customers are responsible for authoring valid policies that address their specific key and wallet permissions and usage requirements.

Additional guidance on applying the shared responsibility model

Turnkey provides comprehensive documentation to help customers effectively manage their responsibilities within the shared responsibility model: