Key Management Service (KMS) Setup

Important: Daml Enterprise license required.

By default, Canton keys are generated in the node and stored in the node’s primary storage. Canton currently supports using a KMS to either: (a) protect Canton’s private keys at rest, or (b) generate and store the private keys in the KMS itself.

You can find more background information on this key management feature in Secure Cryptographic Private Key Storage. See Protect Private Keys With Envelope Encryption and a Key Management Service if you want to know how Canton can protect private keys while they remain internally stored in Canton using a KMS, or Externalize Private Keys With a Key Management Service for more details on how Canton can enable private keys to be generated and stored by an external KMS.

The following sections describe how to enable KMS support in Canton and how to set up each mode of operation.