How do you solve getting to the secluded bitcoind to command it to send bitcoins out?
IMO, the best solution is to walk a request to the box. You can also have the box connect out to a web server that provides it with transfer requests that then just have to be manually approved at the box. The most common transaction will be to move coins to the cold wallet, so all you need is an amount.
The secluded server will have a payment processor that will access the production database from behind a firewall, verify transactions for fraud and send the payments out.
Polling another box? Connections allowed only from select IPs?
While nothing should be allowed to connect in to the wallet box, processes on the wallet box can still reach out to other boxes.
Thanks for the replies.
I guess most newly incoming bitcoins can go straight to the cold wallet and have the exchange run on a manually updated hot wallet.
It's more the hot wallet I'm trying to understand. It is needed for the exchange to instantly process transactions directed by customers. So there'll always be a kind of command path going from website to wallet, no matter how far away you hide the hot wallet, and we'll have to trust that path we set up ourselves. A good hacker will find that path and command the bitcoind. So there's actually no need to trust our path if we can't trust our website.
Now, of course you can have the hot wallet pull for commands and transactions, but then... how do you trust the content of those commands and transactions? Because, basically, that is that same public website with input from customers.
If we can't trust the website giving commands into the hot wallet, [edited:] how can we trust that same website to collect and offer the hot wallet valid and intended commands to pull?
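An added example, not taken from any post in this thread, of the wallet-box side of the pull-and-approve design suggested in the second and third replies. It also shows what the cross-check described in the third reply buys against the concern in the last two posts: the requests the box pulls from the web tier are treated as untrusted, so each one is compared against the production database's own record of the withdrawal, and a request whose destination or amount was altered on the web tier disagrees with that record and is rejected. A sweep to the cold wallet carries only an amount, as the second reply says; the cold-wallet address lives in the box's local configuration and is never taken from the pulled request. Everything else that survives the check still waits for approval at the box before bitcoind is asked to send. The addresses, the queue contents, the ledger rows and the send function are all constructed stand-ins for the real web server, database and bitcoind RPC.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Callable, Dict, List, Optional, Tuple

# Local configuration of the wallet box. The web tier never supplies this
# address; a sweep request carries only an amount. (Placeholder value.)
COLD_WALLET = "cold-wallet-address-configured-on-the-box"


@dataclass(frozen=True)
class TransferRequest:
    """One item pulled from the web tier's queue. Untrusted until checked."""
    request_id: str
    amount: Decimal
    destination: Optional[str] = None  # None means: sweep to the cold wallet


@dataclass(frozen=True)
class LedgerRow:
    """The production database's own record of a customer withdrawal."""
    customer_id: str
    destination: str
    amount: Decimal
    available_balance: Decimal


def validate(req: TransferRequest, ledger: Dict[str, LedgerRow]) -> Optional[str]:
    """Return None if the request agrees with the production DB, else the reason it does not."""
    if req.amount <= 0:
        return "non-positive amount"
    if req.destination is None:
        return None  # cold-wallet sweep: only the amount comes from the web tier
    row = ledger.get(req.request_id)
    if row is None:
        return "no matching withdrawal in production DB"
    if row.destination != req.destination:
        return "destination differs from DB record"
    if row.amount != req.amount:
        return "amount differs from DB record"
    if row.available_balance < req.amount:
        return "customer balance does not cover the amount"
    return None


def process_queue(queue: List[TransferRequest], ledger: Dict[str, LedgerRow],
                  approve: Callable[[TransferRequest, str], bool],
                  send: Callable[[str, Decimal], str]) -> List[Tuple[str, str, str]]:
    """Pull, validate, require approval at the box, then send. Returns an audit log."""
    results = []
    for req in queue:
        reason = validate(req, ledger)
        if reason is not None:
            results.append((req.request_id, "rejected", reason))
            continue
        dest = COLD_WALLET if req.destination is None else req.destination
        if not approve(req, dest):
            results.append((req.request_id, "held", "not approved at the box"))
            continue
        results.append((req.request_id, "sent", send(dest, req.amount)))
    return results


def console_approve(req: TransferRequest, dest: str) -> bool:
    """Operator approval at the box's own console: the manual step from the second reply."""
    answer = input(f"send {req.amount} BTC to {dest} for request {req.request_id}? [y/N] ")
    return answer.strip().lower() == "y"


def run_demo():
    """Constructed queue and ledger: one honest withdrawal, one tampered, one forged, one sweep."""
    ledger = {
        "w1": LedgerRow("alice", "addr-alice", Decimal("0.5"), Decimal("2.0")),
        "w2": LedgerRow("bob", "addr-bob", Decimal("1.0"), Decimal("1.5")),
    }
    queue = [
        TransferRequest("w1", Decimal("0.5"), "addr-alice"),     # honest, matches the DB
        TransferRequest("w2", Decimal("1.0"), "addr-attacker"),  # destination swapped on the web tier
        TransferRequest("w3", Decimal("3.0"), "addr-attacker"),  # no such withdrawal in the DB
        TransferRequest("s1", Decimal("10")),                    # sweep: amount only
    ]
    sent = []

    def fake_send(dest: str, amount: Decimal) -> str:  # stand-in for bitcoind's sendtoaddress
        sent.append((dest, amount))
        return f"txid-{len(sent)}"

    def approve_all(req: TransferRequest, dest: str) -> bool:  # demo only; use console_approve for real
        return True

    return process_queue(queue, ledger, approve_all, fake_send), sent


if __name__ == "__main__":
    for entry in run_demo()[0]:
        print(entry)
```

The check only catches a request that disagrees with the database; a request that is consistent with a database the attacker also controls passes it, which is why the approval step stays at the box's own console rather than on any path the website can reach.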