Security

When using Document Rails for production credential issuance, it's important to correctly implement various security measures related to signing key provision, user management, etc.

This document outlines some advices on how to keep your Document Rails projects secure and ready for production usage.

User management

Avoid using the superadmin role as much as possible, allocating specific roles for individual users depending on their needs instead.

For example, if you programatically verify credentials using a dedicated user, attach the verify role to them, reducing the API exposure scope.

Signing keys

Key types

For production, it is highly recommended to utilize external key management systems for Document Rails usage.

Document Rails supports Azure Key Vault and Google Cloud KMS.

Remote key management systems allow producing cryptographic signatures without Document Rails having direct access to the signing key material.

Key purposes

In general, you should avoid using the same signing key for all purposes. For example, if your project uses OID4VP and recipes, it is a good idea to have two separate keys for signing credentials during the issuance process and OID4VP verification flow.