Key management service (KMS) configuration
By default, Canton keys are generated in the node and stored in the node’s primary storage. We currently support a version of Canton that can use a KMS to either: (a) protect Canton’s private keys at rest, or (b) protect the private keys both at rest and in use by generating and storing them inside the KMS.
Throughout these sections, we will sometimes refer to option (a) as envelope encryption, and option (b) as external keys.
You can find more background information on this key management feature in Secure cryptographic private key storage. See Protect private keys with envelope encryption and a Key Management Service if you want to know how Canton can protect private keys while they remain internally stored in Canton using a KMS, or Externalize private keys with a Key Management Service for more details on how Canton can enable private keys to be generated and stored by an external KMS.
The following sections focus on how to set up a Participant Node to run with a KMS; however, most of the configuration also applies to Sequencer and Mediator nodes.
The remainder of this section covers:

- Supported KMS integrations. We currently support three alternatives, including a Driver(-based) KMS, which allows users to integrate their own KMS provider by implementing the necessary hooks using Canton’s KMS Driver API. More information on how to implement a Canton KMS Driver can be found in the Canton KMS Driver developer guide. (* only available in the Enterprise Edition.)
- Choosing a key protection mode. You can choose between:
  - Enable encrypted private key storage with KMS: sometimes referred to as envelope encryption; protects Canton’s private keys only at rest.
  - Enable external key storage with a KMS: sometimes referred to as external KMS keys; private keys are generated and stored entirely within a KMS.
- How to migrate between a non-KMS and a KMS node, and vice versa.
- How to rotate existing KMS-managed keys using Canton console commands.