Configure session keys¶
Canton uses session keys to avoid repeating expensive cryptographic operations during protocol execution, which improves performance. There are two types: session encryption keys, which reduce the number of asymmetric encryptions, and session signing keys, which avoid frequent calls to an external signer such as a KMS.
You can read more about the rationale and security considerations in Session Keys.
Extending the lifetime of session keys reduces how often keys are negotiated or a remote signer is invoked, but it also lengthens the time a key is held in process memory, and with it the window in which a compromised node can expose the key. Treat the lifetimes below as a performance versus exposure trade-off rather than a free performance gain.
Increase session encryption keys lifetime¶
You can control how long a session encryption key remains active by adjusting the expire-after-timeout values in your configuration. To globally increase the lifetime of session encryption keys, increase the expire-after-timeout for both the sender-cache and the receiver-cache.
canton.participants.participant1 {
  caching {
    session-encryption-key-cache {
      # these are the default values
      enabled = true
      sender-cache {
        maximum-size = 10000
        expire-after-timeout = 10s
      }
      receiver-cache {
        maximum-size = 10000
        expire-after-timeout = 10s
      }
    }
  }
}
Increase session signing keys lifetime¶
When using an external KMS (Key Management Service) provider, you can control how long a session signing key remains active by adjusting the key-validity-duration and the key-eviction-period. The key-eviction-period must always be longer than the key-validity-duration, and at least as long as the sum of confirmation_response_timeout and mediator_reaction_timeout as configured in the dynamic Synchronizer parameters, so that a key is still available for as long as a request signed with it can be in flight. Check these values together whenever you change one of them: extending key-validity-duration without also extending key-eviction-period violates the first constraint.
canton.participants.participant1.crypto.kms {
  session-signing-keys {
    # these are the default values
    enabled = true
    # how long a newly generated session signing key may be used
    key-validity-duration = 5m
    # margin before the end of key-validity-duration after which the key is
    # no longer used for new signatures
    cut-off-duration = 30s
    # must be longer than key-validity-duration and at least
    # confirmation_response_timeout + mediator_reaction_timeout
    key-eviction-period = 10m
    signing-algorithm-spec = ed-25519
    signing-key-spec = ec-curve-25519
  }
}
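The constraints between key-validity-duration, key-eviction-period and the two dynamic Synchronizer timeouts are easy to break when only one value is edited. The following is an added example, not Canton code: a small Python check that reads the session-signing-keys block with a deliberately minimal line-based HOCON reader (use a real HOCON parser for production configs) and reports any violated constraint. The config fragments and the confirmation_response_timeout and mediator_reaction_timeout values are constructed sample inputs, not values read from a live synchronizer; the cut-off-duration check at the end is an added sanity check that the page itself does not state.

```python
"""Check Canton session signing key timings against the constraints above.

Added example, not Canton's own code. The HOCON reader is a minimal
line-based stand-in (use e.g. pyhocon for real configs), and the
synchronizer timeouts passed in are constructed sample values.
"""
import re
from datetime import timedelta

# Duration suffixes used in Canton HOCON configs; "ms" is listed before
# "m" so the regex alternation does not stop at the "m" of "ms".
_UNIT_SECONDS = {"ms": 0.001, "s": 1, "m": 60, "h": 3600, "d": 86400}
_DURATION_RE = re.compile(r"(\d+)\s*(ms|s|m|h|d)")


def parse_duration(text: str) -> timedelta:
    """Parse a duration such as '5m', '30s' or '500ms' into a timedelta."""
    match = _DURATION_RE.fullmatch(text.strip())
    if match is None:
        raise ValueError(f"unrecognised duration: {text!r}")
    return timedelta(seconds=int(match.group(1)) * _UNIT_SECONDS[match.group(2)])


def read_settings(hocon_fragment: str) -> dict[str, str]:
    """Collect `key = value` pairs from a flat HOCON block.

    Comments, braces and a trailing comma on a line are ignored; nesting is
    not tracked, which is enough for the session-signing-keys block.
    """
    settings: dict[str, str] = {}
    for raw in hocon_fragment.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(",").strip()
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key] = value
    return settings


def check_session_signing_keys(
    kms_fragment: str,
    confirmation_response_timeout: str,
    mediator_reaction_timeout: str,
) -> list[str]:
    """Return the list of violated constraints (empty means consistent)."""
    settings = read_settings(kms_fragment)
    validity = parse_duration(settings["key-validity-duration"])
    cut_off = parse_duration(settings["cut-off-duration"])
    eviction = parse_duration(settings["key-eviction-period"])
    in_flight = parse_duration(confirmation_response_timeout) + parse_duration(
        mediator_reaction_timeout
    )

    problems: list[str] = []
    # Rule from the page: eviction must outlast validity ...
    if eviction <= validity:
        problems.append(
            f"key-eviction-period {eviction} is not longer than key-validity-duration {validity}"
        )
    # ... and cover the confirmation window of the dynamic synchronizer parameters.
    if eviction < in_flight:
        problems.append(
            f"key-eviction-period {eviction} is shorter than "
            f"confirmation_response_timeout + mediator_reaction_timeout = {in_flight}"
        )
    # Added sanity check (not stated on the page): a cut-off at or beyond the
    # validity period would leave no time in which the key is ever usable.
    if cut_off >= validity:
        problems.append(
            f"cut-off-duration {cut_off} is not shorter than key-validity-duration {validity}"
        )
    return problems


# Constructed sample input: the defaults shown on this page.
DEFAULT_FRAGMENT = """
session-signing-keys {
  enabled = true
  key-validity-duration = 5m
  cut-off-duration = 30s
  key-eviction-period = 10m
}
"""

# A tempting "just extend the key lifetime" edit that forgets key-eviction-period.
EXTENDED_FRAGMENT = DEFAULT_FRAGMENT.replace(
    "key-validity-duration = 5m", "key-validity-duration = 15m"
)


if __name__ == "__main__":
    # Sample synchronizer timeouts of 30s each (constructed, not read from a node).
    for name, fragment in (("default", DEFAULT_FRAGMENT), ("extended", EXTENDED_FRAGMENT)):
        issues = check_session_signing_keys(fragment, "30s", "30s")
        print(name, "OK" if not issues else "; ".join(issues))
```

Run it against your own participant config after every change to the session-signing-keys block, and pass the confirmation_response_timeout and mediator_reaction_timeout currently set on the synchronizer, since those are dynamic parameters and can change independently of the node configuration.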