Select a KMS mode of operation
Canton supports using a Key Management Service (KMS) to increase the security of stored private keys. For Canton to actually use a KMS, you must choose and configure one of two independent modes of operation:

- Enable encrypted private key storage: In this mode, Canton generates the private keys internally, and the KMS is used only to protect those keys at rest (i.e., the keys are encrypted with a KMS-held key before being stored in Canton's database). This adds a layer of protection for keys in the database without requiring external key generation; the plaintext keys are still available to the Canton process while it runs.
- External keys: In this mode, the private keys are generated and stored entirely within the KMS. Canton never sees the raw private key material and interacts with the KMS only to perform cryptographic operations (such as signing and decryption) with those keys.
Note
Throughout this documentation, these modes might be referred to as envelope encryption and external keys, respectively.
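The following is an added illustration of how the two modes differ at the configuration level; it is not taken from the page. It shows one participant configured for each mode side by side (a node uses one mode or the other, never both). The setting names `crypto.kms`, `crypto.private-key-store.encryption.type` and `crypto.provider`, the backend value `aws` and the region are assumptions drawn from Canton's configuration conventions and should be checked against the KMS configuration reference for the version in use.

```hocon
// Added example (not the project's own documentation). Setting names and values are
// assumptions: verify them against the Canton KMS configuration reference.

// Mode 1: encrypted private key storage (envelope encryption).
// Canton generates its own keys; the KMS only wraps them before they are written to the database.
canton.participants.participant1.crypto {
  kms {
    type = aws           // KMS backend (assumed value)
    region = "us-east-1" // placeholder region
  }
  // Tell the private key store to encrypt stored keys with the KMS-held wrapping key.
  private-key-store.encryption.type = kms
}

// Mode 2: external keys.
// Keys are generated and held inside the KMS; Canton sends signing/decryption requests to it
// and never receives the raw private key material.
canton.participants.participant2.crypto {
  provider = kms         // route all private-key operations to the KMS (assumed value)
  kms {
    type = aws
    region = "us-east-1"
  }
}
```

The practical difference for an operator: in mode 1 a database dump alone no longer exposes usable keys, but the KMS credentials plus the database do, because Canton must unwrap the keys to use them. In mode 2 the private keys cannot leave the KMS at all, so key compromise requires compromising the KMS (or its access policy) rather than the node, at the cost of a round trip to the KMS for every signature.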