# Attestor Security

## Security of Attestor Nodes

The security of attestor nodes is critical and must be safeguarded to protect both node maintainers and network clients. A key security concern in the zkTLS protocol is how to enforce the computational integrity of the attestor node. Note that the security analysis of the original protocol does not cover this aspect.

To strengthen attestor security, NexaID adopts a hardware-based approach. Specifically, [Phala’s TEE technology](https://docs.phala.com/phala-cloud/what-is/what-is-phala-cloud) is integrated with the NexaID attestor node software to ensure nodes always execute correctly, while critical assets such as node keys remain protected and are used securely.

### Key Management

The attestor node leverages Phala’s TEE solution, including a secure Key Management Service (KMS), to safeguard node keys throughout their entire lifecycle. These node keys are the most critical assets within the attestor node, primarily used for signing zkTLS sessions and issuing proofs. Key generation is performed exclusively by the KMS inside the TEE, ensuring that the attestor node software never has direct access to the key material. Signing operations can only be performed within the TEE, and only after the correct execution of the zkTLS protocol.

### Version Management

Another security concern involves the attestor’s DevOps process. To prevent attacks such as code injection or malware hijacking, only official, verified software versions are allowed to be deployed and maintained within the network. This policy is further enforced by the TEE, as the entire attestor node software always runs inside the enclave, ensuring runtime integrity and protection against unauthorized modifications.
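A relying party can apply the Key Management and Version Management rules above when deciding whether to trust proofs signed by an attestor key. The following Python is an added example, not NexaID or Phala code. It assumes the attestation quote's hardware signature chain has already been verified, and the `Evidence` fields, the release allowlist values and the SHA-256 key binding in `report_data` are hypothetical.

```python
import hashlib
from dataclasses import dataclass

# Constructed allowlist: one digest per official release (placeholder values).
RELEASES = {
    "v1.0.0": hashlib.sha256(b"constructed-official-image-v1.0.0").hexdigest(),
    "v1.1.0": hashlib.sha256(b"constructed-official-image-v1.1.0").hexdigest(),
}
BY_MEASUREMENT = {digest: version for version, digest in RELEASES.items()}


@dataclass(frozen=True)
class Evidence:
    """Hypothetical claims taken from an already signature-verified quote."""
    measurement: str  # hex digest of the software loaded into the enclave
    report_data: str  # hex value the enclave bound into the quote
    debug: bool       # True if the enclave is in a debuggable mode


def key_binding(node_pubkey: bytes) -> str:
    """Assumed convention: the enclave puts SHA-256(public key) in report_data."""
    return hashlib.sha256(node_pubkey).hexdigest()


def check_attestor(evidence: Evidence, node_pubkey: bytes) -> tuple[bool, str]:
    """Return (trusted, release version or rejection reason) for node_pubkey."""
    # A debuggable enclave gives no protection for the key material.
    if evidence.debug:
        return False, "debug enclave"
    # Version policy: the measured software must be an official release.
    version = BY_MEASUREMENT.get(evidence.measurement.lower())
    if version is None:
        return False, "measurement not an official release"
    # Key policy: the signing key must be the one this enclave attested to,
    # otherwise a valid quote could be replayed next to an outside key.
    if evidence.report_data.lower() != key_binding(node_pubkey):
        return False, "key not bound to this enclave"
    return True, version


if __name__ == "__main__":
    pk = b"constructed-node-public-key"
    ok = Evidence(RELEASES["v1.1.0"], key_binding(pk), debug=False)
    print(check_attestor(ok, pk))
    print(check_attestor(ok, b"constructed-other-key"))
```

Removing a release from `RELEASES` is how a relying party would stop trusting a withdrawn version under this model.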

