Configure External Key Storage with a Key Management Service (KMS)

Important

Daml Enterprise license required

Canton can delegate all asymmetric decryption and signing operations to a KMS. In that mode, private keys are stored in the KMS, neither in Canton’s own storage nor in memory. Each decryption and signing operation requires an API call to the KMS. A Canton node still stores the corresponding public keys in its own stores so that it can verify signatures and encrypt messages without having to rely on the KMS.
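The split described above, as an added example that is not Canton's code: a constructed in-memory mockKMS stands in for AWS or GCP KMS, keeps the private key, and exposes only signing by key ID, while the node-side nodeStore holds the public key and verifies locally without any KMS call. The names (mockKMS, newMockKMS, nodeStore) and the choice of RSA-PSS are assumptions for illustration, not Canton's actual key scheme.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// mockKMS stands in for a cloud KMS (constructed for this example): it holds the
// private keys and exposes only Sign by key ID, so key material never leaves it.
type mockKMS struct {
	keys  map[string]*rsa.PrivateKey
	Calls int // API calls made, showing which operations need the KMS
}

func newMockKMS() *mockKMS { return &mockKMS{keys: map[string]*rsa.PrivateKey{}} }

// CreateKey generates the key pair inside the KMS and exports only the public half.
func (k *mockKMS) CreateKey(id string) (*rsa.PublicKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	k.keys[id] = priv
	return &priv.PublicKey, nil
}

// Sign is the only path that touches private key material; every call is one API round trip.
func (k *mockKMS) Sign(id string, msg []byte) ([]byte, error) {
	k.Calls++
	if priv, ok := k.keys[id]; ok {
		h := sha256.Sum256(msg)
		return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
	}
	return nil, fmt.Errorf("kms: unknown key id %q", id)
}

// nodeStore models a Canton node's own key store, which holds public keys only.
type nodeStore map[string]*rsa.PublicKey

// Verify checks a signature with the locally stored public key and makes no KMS call.
func (s nodeStore) Verify(id string, msg, sig []byte) bool {
	if pub, ok := s[id]; ok {
		h := sha256.Sum256(msg)
		return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil) == nil
	}
	return false
}
```

The Calls counter makes the cost model visible: signing increments it, verification never does.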

See Externalize Private Keys With a Key Management Service for more details.

Currently Canton supports external key storage with Amazon Web Services (AWS) KMS or Google Cloud Provider (GCP) KMS.