CloudHSM Introduction
Kaleido offers a CloudHSM Signer service that allows you to sign transactions using off-platform keys, while benefiting from a fully-managed signing experience including nonce management and REST APIs.
Your keys never leave your signing device, which is hosted in your own private cloud account. This can be a full Hardware Security Module (HSM) backed cloud service, or a software key vault designed for key security.
The CloudHSM Signer service supports the following backends:
- AWS CloudHSM
- Azure Key Vault
- HashiCorp Vault with Ethereum Signing extension
For the rest of the docs we use the term "HSM" to refer to all of these external signing devices.
In each backend, the signing keys are generated and maintained in the HSM backend and are completely under your control.
The keys are never shared with Kaleido.
The Kaleido CloudHSM Signer service queries the backend to discover available signing keys and sends the payload to the backend to be signed. Once the signature is returned, the Kaleido service performs the necessary post-processing and submits the transaction to the chain.
The CloudHSM Signer service can be used as an API surface for Ethereum's JSON-RPC requests, as if it is an Ethereum node with a built-in signing wallet. When unsigned transaction payloads are sent to the service's RPC endpoint in an eth_sendTransaction request, according to the Ethereum JSON-RPC specification, the service intercepts the call and uses the from field as the signing key reference and asks the HSM backend to sign the payload. After signing, it automatically submits the signed transaction to the blockchain with an eth_sendRawTransaction request.
The service also intercepts eth_accounts and personal_listAccounts calls, and returns the list of signing accounts it has discovered from the backend.
In short, your application works identically to using node-based signing keys. So you can use a secure HSM device interchangeably with simple node signing at various stages in your development cycle.
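The following client-side sketch is an added example, not Kaleido's code: before sending eth_sendTransaction it asks eth_accounts which signing accounts were discovered and refuses to submit when the from address is not among them. The transport callable, the sample address and the sample transaction hash are constructed stand-ins so the example runs offline.

```python
import itertools
import re

ADDRESS_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")
_ids = itertools.count(1)


def rpc_request(method, params):
    """Build a JSON-RPC 2.0 request body."""
    return {"jsonrpc": "2.0", "id": next(_ids), "method": method, "params": params}


def call(transport, method, params):
    """Send one request and return its result, raising on a JSON-RPC error."""
    resp = transport(rpc_request(method, params))
    if "error" in resp:
        raise RuntimeError(f"{method}: {resp['error'].get('message', 'RPC error')}")
    return resp["result"]


def send_via_signer(transport, tx):
    """Submit an unsigned transaction only if tx['from'] is a discovered signing key.

    transport is a hypothetical callable (request dict -> response dict); in a
    real client it would POST to the service's RPC endpoint over HTTPS.
    """
    sender = tx.get("from", "")
    if not ADDRESS_RE.match(sender):
        raise ValueError("'from' must be a 0x-prefixed 20-byte hex address")
    # Addresses may differ only in letter case, so compare lowercased.
    known = {a.lower() for a in call(transport, "eth_accounts", [])}
    if sender.lower() not in known:
        raise PermissionError(f"{sender} is not a signing account reported by the signer")
    return call(transport, "eth_sendTransaction", [tx])  # transaction hash


# Constructed stand-in for the RPC endpoint so the example runs offline.
SAMPLE_ACCOUNTS = ["0x" + "ab" * 20]
SAMPLE_TX_HASH = "0x" + "11" * 32


def fake_transport(req):
    if req["method"] == "eth_accounts":
        return {"jsonrpc": "2.0", "id": req["id"], "result": SAMPLE_ACCOUNTS}
    if req["method"] == "eth_sendTransaction":
        return {"jsonrpc": "2.0", "id": req["id"], "result": SAMPLE_TX_HASH}
    return {"jsonrpc": "2.0", "id": req["id"],
            "error": {"code": -32601, "message": "Method not found"}}
```

Failing closed on an unknown from address keeps a misconfigured client from submitting against an endpoint that does not hold the intended HSM key.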
Support for the REST API Gateway
The CloudHSM Signer service is pre-integrated with the REST API Gateway.
This frees your application code from all of the complexities of a thick web3 library, managing horizontal scale and ordering challenges (referred to as "nonce management"), and provides you instead with a REST API auto-generated from your on-chain logic that's convenient and easy for any developer.
You make a single simple API call to send your transaction, and Kaleido takes care of the rest. We call out to your off-platform HSM signing device to sign each transaction, once the binary (RLP encoded) payload is built and the ordering information (nonce) is assigned.
When the kld-from parameter of a REST call to the API Gateway corresponds to a signing account known to a CloudHSM Signer instance in the same membership, the gateway will automatically forward the transaction payload to the CloudHSM Signer service to sign. In turn, that service will call the HSM backend to sign the payload. This integration offers a seamless experience for signing transactions, whether you are using Web3 programming against the service's RPC endpoint or using REST-style calls with the API Gateway.