Key Management
Kaleido implements the following safeguards to ensure integrity and security of key materials, certificates, configuration specifications and levelDB blockchain data.
- Key materials are generated upon node initialization
- Key materials never leave the container in which they are generated
- Key materials are AES-256 encrypted at rest
- EthWallet supports integration with cloud HSMs for transaction signing; the cloud provider must support the Ethereum curve, secp256k1
- Master encryption keys (AWS KMS or Azure Key Vault) can be integrated with nodes upon creation for additional encryption of the node file system and key materials
- KMS-integrated nodes never persist plaintext key material: ciphertext is stored on the filesystem and decrypted material is held in memory only
- All API calls accessing a user-owned encryption key are logged by the cloud provider and fully auditable
- All file systems AES-256 encrypted at rest
- Data in transit (HTTPS/WSS/Kafka) is protected with TLS 1.2 negotiable encryption
- Client-side calls targeting a node or service ingress are TLS secured with strongly generated 256-bit security credentials
- Kaleido uses salted hash verification against supplied application credentials to authenticate any inbound calls to the network; the plaintext password is never persisted by Kaleido
- VPC Private Link can be configured to target a node's optional private ingress, keeping all traffic streams solely on the AWS backbone