Key Management

Kaleido implements the following safeguards to ensure the integrity and security of key materials, certificates, configuration specifications and LevelDB blockchain data.

  • Key materials are generated upon node initialization
  • Key materials never leave the container in which they are created
  • Key materials are AES-256 encrypted at rest
  • EthWallet supports integration with cloud HSMs for transaction signing; the requirement is that the cloud provider supports the Ethereum curve, secp256k1
  • Master encryption keys can be integrated with nodes upon creation for additional encryption of the node file system and key materials; AWS KMS and Azure Key Vault are supported
  • KMS-integrated nodes never persist plaintext key material: only ciphertext is stored on the filesystem, and decrypted material is held in memory only
  • All API calls accessing a user-owned encryption key are logged by the cloud provider and fully auditable
  • All file systems are AES-256 encrypted at rest
  • Data in transit (HTTPS/WSS/Kafka) is protected with TLS, with TLS 1.2 negotiable
  • Client-side calls targeting a node or service ingress are TLS secured with strongly generated 256-bit security credentials
  • Kaleido uses salted-hash verification against supplied application credentials to authenticate any inbound calls to the network; the plaintext password is never persisted by Kaleido
  • VPC Private Link can be configured to target a node's optional private ingress, keeping all traffic streams solely on the AWS backbone