Configure session keys

Canton uses session keys to reduce expensive cryptographic operations during protocol execution, improving performance. By default, we use session encryption keys, which minimize the number of asymmetric encryptions and, consequently, the number of calls to an external KMS.

You can read more about the rationale and security considerations in Session encryption keys.

Extending the lifetime of session keys minimizes the need for repeated key negotiation or remote signing—but it also increases the window during which keys are stored in memory, raising the risk of compromise.

Increase the session encryption key lifetime

You can control how long a session encryption key remains active by adjusting the expire-after-timeout values in your configuration. To globally increase the lifetime of session encryption keys, increase the expire-after-timeout for both the sender-cache and receiver-cache.

canton.participants.participant1 {
    caching {
        session-encryption-key-cache {
            # these are the default values
            enabled = true
            sender-cache {
                maximum-size = 10000
                expire-after-timeout = 10s
            }
            receiver-cache {
                maximum-size = 10000
                expire-after-timeout = 10s
            }
        }
    }
}
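As an added example (not code from the Canton documentation or code base), the following Python check reads a configuration in the shape shown above and flags any session-encryption-key-cache expire-after-timeout that exceeds a chosen limit, so a longer in-memory key lifetime is a deliberate decision rather than an accident. It assumes the simple brace-nested HOCON subset used on this page (unquoted `key = value` lines, `#` comments) and a hypothetical 60-second policy limit.

```python
import re

# Constructed sample: the default configuration from this page.
SAMPLE_CONFIG = """
canton.participants.participant1 {
    caching {
        session-encryption-key-cache {
            # these are the default values
            enabled = true
            sender-cache {
                maximum-size = 10000
                expire-after-timeout = 10s
            }
            receiver-cache {
                maximum-size = 10000
                expire-after-timeout = 10s
            }
        }
    }
}
"""

_UNITS = {"ms": 0.001, "s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(text):
    """Convert a duration such as '10s' or '5m' to seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*(ms|s|m|h|d)\s*", text)
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


def parse_config(text):
    """Flatten the brace-nested subset assumed here into {'a.b.c': 'value'}."""
    flat, path = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.endswith("{"):
            path.append(line[:-1].strip())
        elif line == "}":
            path.pop()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            flat[".".join(path + [key])] = value
    return flat


def check_session_key_lifetimes(text, max_seconds=60):
    """Return (key, seconds) for each session-encryption-key-cache timeout above
    max_seconds; a longer expire-after-timeout keeps the key in memory longer."""
    findings = []
    for key, value in parse_config(text).items():
        if "session-encryption-key-cache" in key and key.endswith("expire-after-timeout"):
            seconds = parse_duration(value)
            if seconds > max_seconds:
                findings.append((key, seconds))
    return findings
```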