I am new to blockchain development and started playing with cardano-wallet as it offered a comprehensive and easy to use API for interacting with the blockchain. I quickly realized though that all private keys are stored in the wallet server itself. This is fine if you want to create a full fat wallet like daedalus for a single user, but what about a light wallet that doesn’t need to run a node but at the same time you want to have the private keys locally to the device and not on the wallet server running somewhere on the internet.
In the api there is a method submit external transaction which is fine if what you need to do is sign locally ->seriliaze and then send to the wallet server.
-What about other operations though that require private keys, such as address generation?
-Can cardano-wallet be used with the keys stored locally to the client and not the wallet server? Which operations?
-Is there a way to prevent cardano-wallet from storing the private keys and just use it as an API passing it the digital signature?
-Assuming that you store the private keys on cardano-wallet server how would it differentiate between different multiple clients with different wallets in a secure way?
-Is cardano-wallet meant to be used as wallet server for multiple different clients each with their own set of wallets? If so is there best practice to do this securely? In the adrestia architecture page it reads
cardano-wallet: An HTTP REST API is recommended for 3rd party wallets and small exchanges who do not want to manage UTxOs for transactions themselves. Use it to send and receive payments from hierarchical deterministic wallets on the Cardano blockchain via HTTP REST or a command-line interface.
By that I assume that it is meant to be used that way but then maybe you need to handle the user sandboxing yourself in an service user-account based way. Is this assumption correct?