
Key Management & Security

Kaleido implements the following safeguards to ensure the integrity and security of key materials, certificates, configuration specifications and levelDB blockchain data.

  • Key materials are generated when the node is initialized
  • Key materials never leave the container in which they are created
  • Key materials are AES-256 encrypted at rest
  • EthWallet supports integration with cloud HSMs for transaction signing.  The cloud provider must support the Ethereum curve, secp256k1
  • Master encryption keys (AWS KMS or Azure Key Vault) can be integrated with a node at creation time for additional encryption of the node file system and key materials
  • KMS-integrated nodes never persist plaintext key material.  Ciphertext is stored on the filesystem and decrypted material is held in memory only
  • All API calls that access a user-owned encryption key are logged by the cloud provider and are fully auditable
  • All file systems are AES-256 encrypted at rest
  • Data in transit (HTTPS, WSS and Kafka) is protected by negotiated TLS 1.2 encryption
  • Client-side calls to a node or service ingress are TLS secured and authenticated with basic access authentication credentials
  • Kaleido authenticates inbound calls to the network by verifying the supplied application credentials against a salted hash; the plaintext password is never stored by Kaleido
  • VPC Private Link can be configured to target a node’s optional private ingress, keeping all traffic solely on the AWS backbone