Migrate to encrypted private key storage with KMS
To migrate from unencrypted key storage to encrypted private key storage, configure the Participant (or any other node) to use a KMS with an externally hosted symmetric wrapper key, as described in the KMS configuration section. No manual key handling is required: once the node is restarted with the new configuration, Canton encrypts its existing private keys with the wrapper key and stores only the encrypted form. From then on the node needs access to that KMS wrapper key at startup in order to decrypt its keys.
Revert encrypted private key storage
Encrypted private key storage can be reverted back to unencrypted storage. To prevent accidental reverts, simply deleting the private-key-store configuration does not revert to unencrypted storage. Instead, the following configuration must be added, and the node restarted:
canton.participants.participant1.crypto.private-key-store.encryption.reverted = true # default is false
Warning
This forces Canton to decrypt its private keys and store them in clear in the node's storage; it is not recommended. The KMS configuration must stay in place while reverting, because the wrapper key is needed to decrypt the stored keys.
Encrypted private key storage can be enabled again by deleting the reverted field, reconfiguring the KMS, and restarting the node.
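The two configurations discussed above, enabling encrypted storage and then reverting it, as one added example; this is not configuration from the original page. Of the keys shown, only `private-key-store.encryption.reverted` appears on this page; the `kms` block (`type`, `region`) and `wrapper-key-id` are assumptions based on Canton's KMS configuration reference and must be checked against that reference for your Canton version and KMS provider. The key alias is a placeholder.

```hocon
# Added example: participant1 configured for encrypted private key storage
# with an AWS KMS wrapper key. Every key except
# private-key-store.encryption.reverted is assumed from Canton's KMS
# configuration reference, not taken from this page; the alias is a placeholder.
canton.participants.participant1.crypto {

  # KMS connection (assumed keys). The wrapper key never leaves the KMS;
  # Canton calls the KMS to wrap and unwrap its own private keys.
  kms {
    type = aws
    region = us-east-1
  }

  private-key-store.encryption {
    # Symmetric wrapper key (KMS alias or key id, assumed key name) used to
    # encrypt Canton's private keys at rest. Adding this and restarting the
    # node performs the migration described above.
    wrapper-key-id = "alias/canton-wrapper-key"   # placeholder

    # Revert switch from this page. The default keeps keys encrypted.
    # Deleting the private-key-store block does NOT revert.
    reverted = false

    # To revert (not recommended): keep the kms block, since the wrapper key
    # is needed to decrypt the stored keys, set the flag, and restart:
    #   reverted = true
    # To re-enable afterwards: delete the reverted field, keep or reconfigure
    # the kms block and wrapper-key-id, and restart the node.
  }
}
```

Keep the `kms` block and the wrapper key reachable for the whole lifetime of the encrypted keys: if the wrapper key is deleted or the KMS becomes unreachable, the node cannot decrypt its private keys, which also rules out a later revert.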