This guide shows how to integrate the Rust secure signer into your existing Python Coldstar SOL CLI.
The Rust signing core will replace Python-based key handling with secure, memory-locked operations. The integration is designed to be minimally invasive to your existing codebase.
Before (Insecure):
┌─────────────────────────────────────────┐
│ Python CLI │
│ ├─ Load key from file │
│ ├─ Key in Python memory (INSECURE) │
│ └─ Sign transaction in Python │
└─────────────────────────────────────────┘
After (Secure):
┌─────────────────────────────────────────┐
│ Python CLI │
│ ├─ Load encrypted container │
│ └─ Call Rust signer ──────────┐ │
└─────────────────────────────────┼────────┘
▼
┌─────────────────────────┐
│ Rust Signing Core │
│ ├─ Decrypt in locked │
│ │ memory │
│ ├─ Sign transaction │
│ └─ Zeroize & return │
└─────────────────────────┘
After integration, verify:
- Plaintext keys are deleted (or securely backed up offline)
- Encrypted containers are created with strong passphrases (12+ characters)
- Passphrase prompts use
getpass(not visible on screen) - No plaintext keys are logged or printed
- File permissions on encrypted containers are restrictive (
chmod 600) - Backup encrypted containers securely
- Test signing with correct and incorrect passphrases
If you need to rollback to the old system:
- Keep your original
keypair.jsonbacked up (securely!) - Keep the old wallet/transaction code in a separate branch
- Test thoroughly before deleting plaintext keys
- FFI mode: ~0.1ms overhead per signature (negligible)
- CLI mode: ~10-50ms overhead per signature (process startup)
For production with high throughput, use FFI mode. For development or occasional use, CLI mode is fine.
The Rust library isn't built or not found. Build it:
cd rust_signer
cargo build --releaseYour system may have limits on locked memory. Increase the limit:
# Temporary (current session)
ulimit -l unlimited
# Permanent (add to /etc/security/limits.conf)
* soft memlock unlimited
* hard memlock unlimited- Check that you're using the correct passphrase
- Verify the encrypted container file isn't corrupted
- Try recreating the container from the original key
- Integrate with UI: Add passphrase prompts to your UI
- Key Rotation: Implement periodic key rotation
- Multi-Sig: Extend for multi-signature support
- Hardware Integration: Consider HSM integration for production
For issues or questions:
- Check the README.md and documentation/SECURITY.md
- Review the example code in python_signer_example.py
- Open an issue with detailed logs and steps to reproduce