Kaleido implements the following safeguards to ensure integrity and security of key materials, certificates, configuration specifications and levelDB blockchain data.
- Key materials generated upon node initialization
- Never leave the container in which they manifest
- AES-256 encrypted at rest
- EthWallet supports integration with cloud HSMs for transaction signing. Mandate is cloud provider support for the Ethereum curve - secp256k1
- Master encryption keys can be integrated with nodes upon creation for additional encryption of node file system and key materials. AWS KMS and Azure Key Vault
- No plaintext key material persistence for KMS integrated nodes. Cipher text stored on filesystem and decrypted material held in memory only
- All API calls accessing a user-owned encryption key are logged by the cloud provider and fully auditable
- All file systems AES-256 encrypted at rest
- For data in transit - HTTPS/WSS/Kafka - TLS 1.2 negotiable encryption is implemented
- Client side calls targeting a node or service ingress are TLS secured with strongly generated 256 bit security credentials.
- Kaleido uses salt hash verification against supplied application credentials to authenticate any inbound calls to the network; plaintext password is never persisted by Kaleido
- VPC Private Link can be configured to target a node's optional private ingress, keeping all traffic streams solely on AWS backbone