Configure Encrypted Private Key Storage with a Key Management Service (KMS)


Daml Enterprise license required

Canton can use a KMS to protect Canton’s private keys at rest:

  1. Store Canton’s private keys in a node’s database in an encrypted form
  2. Upon startup, the KMS decrypts these keys for use by Canton.

The unencrypted keys are stored in memory so this approach increases security without impacting performance. This is a common approach used by KMS vendors; using a symmetric encryption key, called the wrapper key, to encrypt and decrypt the stored, private keys.

See Protect Private Keys With Envelope Encryption and a Key Management Service for more details.

Currently Canton supports encrypted private key storage with Amazon Web Services (AWS) KMS or Google Cloud Provider (GCP) KMS.