IBM OSO Support

Thibaud Genty
October 16, 2025

Dfns’ wallet platform is now integrated with IBM OSO, enabling air-gapped cold storage operations from a single platform.

Dfns is extending its integration with IBM by adding support for the IBM Offline Signing Orchestrator (OSO). This completes our suite of security options on IBM infrastructure, which already includes IBM Crypto Express HSMs and Hyper Protect Virtual Servers (HPVS).

The hardest part of institutional cold storage isn’t keeping keys offline; it’s using them safely. Manual signing processes are slow and error-prone. OSO solves this by creating a digital air gap. It acts as a secure, automated bridge between the Dfns platform and an institution’s fully isolated signing environment. This replaces risky manual workflows with a policy-based, automated system, bringing cold storage security into a single, unified wallet infrastructure.

Why IBM OSO matters for financial institutions

By connecting Dfns with OSO, institutions can now manage all their digital assets from one control plane, automating cold storage operations with unmatched security and scale. This brings three main benefits:

  1. Policy-driven hybrid custody: Create smart governance rules in Dfns to automatically route transactions to the right signing environment. For example, send large transfers to OSO for cold signing, while smaller ones are handled by hot wallets running in IBM Hyper Protect Virtual Servers, all from a single interface.
  2. Scalable cold storage operations: Replace slow, manual air-gapped workflows with automated, secure processing. Dfns’ OSO integration supports thousands of offline transactions per day, helping your custody operations scale without losing security.
  3. Unified and compliant audit trails: Dfns records every step of a transaction, from the initial request to the multi-party approvals enforced by OSO, into one immutable audit log. This gives you a full, verifiable record for compliance and reporting.

Transaction Workflows Using Dfns and IBM OSO

When a transaction that requires cold storage signing is initiated through Dfns, it triggers an automated workflow built on OSO’s secure architecture. The process ensures that online and offline systems are never directly connected, using a “digital airlock” design.

OSO runs on IBM Z hardware with three isolated environments, or logical partitions (LPARs):

  • LPAR 1 (Online Zone): Connects to the Dfns platform.
  • LPAR 2 (Intermediary Zone): Acts as the secure “airlock” between the two sides.
  • LPAR 3 (Offline Zone): Hosts the signing service and private keys, fully disconnected from the internet.

These partitions communicate only through secure HiperSockets, and OSO’s orchestrator guarantees that LPAR 1 and LPAR 3 can never connect, even indirectly.

Transaction Flow

  1. Initiation and hand-off: An operator starts a transaction in Dfns. According to the wallet policy, Dfns sends the request to OSO’s online systems in LPAR 1. The transaction becomes a “document” waiting for approval.
  2. Auditor approval: The document enters the Pre-Confirmation Queue. Designated auditors must review and approve it. OSO enforces that a set number of auditors (a quorum) approve before it can move forward, ensuring multi-party control.
  3. Entering the airlock: After approval, the signing phase begins. The connection between LPAR 1 and LPAR 2 opens, and the approved document moves into a secure Intermediary Zone (LPAR 2). This zone can include a time-based delay for added security.
  4. The digital air-gap in action: The orchestrator now executes a strict sequence:
    1. It disables the link between LPAR 1 and LPAR 2.
    2. Only then does it enable the link between LPAR 2 and the Offline Zone (LPAR 3). At this point, the offline environment is fully isolated from any online system.
  5. Signing in isolation: The transaction document moves from the airlock to the signing service in LPAR 3, where it’s signed using the cold private key.
  6. Secure return journey: Once signing is done, the process reverses:
    1. The signing components shut down.
    2. The LPAR 2–3 connection is disabled.
    3. The LPAR 1–2 connection is re-enabled.
      The signed transaction returns to the Post-Confirmation Queue in the Online Zone.
  7. Final approval and broadcast: Auditors perform a last review in the Post-Confirmation Queue. Once approved, the signed transaction is securely sent back to Dfns and broadcast to the blockchain. Every step in this process is recorded in a cryptographically verifiable audit log maintained by Dfns.
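The link sequencing in steps 2 to 7 can be modeled as a small state machine whose one hard rule is that the LPAR 1–2 and LPAR 2–3 links are never enabled at the same time. This is an added example, not Dfns or IBM code: the class and function names are hypothetical, the HMAC signer is a stand-in for the offline signing service, and reusing the same quorum for the post-confirmation review is an assumption.

```python
import hashlib
import hmac

class AirlockError(Exception):
    """Raised when a step would violate quorum or link isolation."""

class Airlock:
    def __init__(self, quorum):
        self.quorum = quorum
        self.links = {"1-2": False, "2-3": False}  # both links start disabled
        self.log = []                               # ordered (link, enabled) events

    def _set(self, link, enabled):
        other = "2-3" if link == "1-2" else "1-2"
        # Core invariant: a link may be enabled only while the other is disabled.
        if enabled and self.links[other]:
            raise AirlockError(f"cannot enable {link} while {other} is enabled")
        self.links[link] = enabled
        self.log.append((link, enabled))

    def process(self, doc, pre_approvers, post_approvers, signer):
        if len(set(pre_approvers)) < self.quorum:      # step 2: distinct auditors
            raise AirlockError("pre-confirmation quorum not met")
        self._set("1-2", True)                         # step 3: into the airlock
        self._set("1-2", False)                        # step 4.1
        self._set("2-3", True)                         # step 4.2
        signature = signer(doc)                        # step 5: sign in isolation
        self._set("2-3", False)                        # step 6.2
        self._set("1-2", True)                         # step 6.3
        # Assumption: the post-confirmation review reuses the same quorum.
        if len(set(post_approvers)) < self.quorum:     # step 7
            raise AirlockError("post-confirmation quorum not met")
        return signature

def replay_ok(log):
    """Replay link events and confirm both links were never enabled together."""
    state = {"1-2": False, "2-3": False}
    for link, enabled in log:
        state[link] = enabled
        if all(state.values()):
            return False
    return True

def demo_signer(doc, key=b"constructed-demo-key"):
    # Stand-in for the offline signing service; HMAC replaces a real signature.
    return hmac.new(key, doc, hashlib.sha256).hexdigest()
```

Running `replay_ok` over a recorded event log is the same check an auditor would apply to the link history: any point where both links are up means the air gap was bridged.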

Dfns + IBM: A Complete Institutional Wallet Stack

With OSO support, Dfns now offers a complete, composable security stack on IBM infrastructure. Clients can leverage:

  • IBM Crypto Express HSMs for FIPS-certified hardware key storage
  • IBM Hyper Protect Virtual Servers for confidential runtime protection of the code
  • IBM Offline Signing Orchestrator for automated and air-gapped signature generation

Together, these components let financial institutions build secure, institutional-grade digital asset solutions without compromise.

Contact us at sales@dfns.co to learn more.
