I’ve recently been working on a project that required strong security measures for a cloud-based system responsible for signing blockchain transactions. At the heart of this requirement is the need to safely store the private key for the wallet used in these transactions. The challenge is amplified when you’re building a service that can sign transactions – automatically and without human oversight – which moves real cryptocurrency value.
Naturally, building a service like this introduces several security vulnerabilities. But beyond the software you write, you also have to consider the security of the server infrastructure itself. Any software running on the same server, even unrelated processes, can become an attack vector.
The Security Principle: Reduce Complexity
One of the core principles of good security is minimizing complexity. The less software running, the smaller your attack surface. Run only what’s essential, isolate the sensitive tasks, and eliminate everything else.
A practical approach is to offload the secure component of your system onto a separate server that does only that one thing. This allows you to lock it down tightly and avoid unintended side effects from unrelated software. While spinning up a dedicated server can be costly, a common alternative is to use a VPS (Virtual Private Server).
A VPS gives you what looks like a dedicated server, but in reality, it’s a software-defined slice of a physical machine shared with other users. It’s an efficient and affordable option, widely used across the internet, but it comes with trade-offs. You’re placing a great deal of trust in the virtualization software and the hosting provider. If their hypervisor has a flaw or is misconfigured, it’s conceivable that another tenant could access your files.
The Ideal: Dedicated Hardware, Minimal Trust
Ideally, you’d have an entire physical server dedicated exclusively to your secure cloud service. No virtualization, no shared infrastructure, just your code, your data, all under your control. That gets you much closer to the “trust no one” model.
We’re big fans of Raspberry Pi devices. We’ve been using them since the beginning and love how simple and reliable they are. Some time ago, we came across Mythic Beasts, a provider that offers hosted Raspberry Pi servers. The pricing is excellent, but we encountered two limitations:
- Operating System – They don’t offer Ubuntu by default. While Raspberry Pi OS is fine for general use, we prefer Ubuntu for its strong security track record and compatibility with industry-standard tools.
- Storage – Instead of using a local SD card, they rely on networked storage. It’s more convenient and cost-effective for them, but it introduces similar trust concerns you see with VPS setups. You’re again trusting that the shared storage infrastructure is secure.
So while Mythic Beasts is an intriguing option, it didn’t check all the boxes for our needs.
Enter: Best Hosting’s Raspberry Pi Servers
Then we found Best Hosting, a company that offers a more secure Raspberry Pi hosting model. They include a 32GB SD card pre-installed in the Pi, meaning the OS, applications, and all sensitive files are stored locally on the device itself. Even better, they let you send in USB drives to plug in for additional dedicated storage. That’s a rare level of flexibility and control.
You purchase the Raspberry Pi hardware and pay €99 per year for them to host it in their European datacenter. This setup, in our view, hits a sweet spot between affordability and true isolation.
Is Security Now “Solved”?
Of course not. No system is perfectly secure. But this model significantly reduces your attack surface:
- You own and control the physical hardware.
- The operating system and file storage are entirely local.
- You no longer need to trust a hypervisor, shared network storage, or underlying virtualization layers.
At this point, your biggest exposure is the Ethernet cable, and anything that comes through it. But since you’re building a cloud service, a network connection is unavoidable. What is avoidable is running unnecessary services, misconfigured daemons, or bloated software stacks.
With a dedicated, minimal system, you can lock everything down tightly. Install only what you need. Disable or remove everything else. Choose a hardened, well-maintained OS, and focus your security efforts entirely on the software you want running.
It’s not a silver bullet—but it’s a smart, focused step toward building a secure, low-trust infrastructure for sensitive operations like blockchain signing.
Interested in trying it – setting up your own secure hosted Raspberry Pi?
I’ve documented the process of getting your fresh new Raspberry Pi setup nice and secure over on our Raspberry Pi resources mini site:
