
Source: docs/src/validator_operator/validator_security.rst

Using an external KMS for managing participant keys

In the following, we describe how to configure a validator so that its participant keys are managed by an external KMS. This guide assumes that you are using the Helm-based deployment of the validator. KMS usage is not currently supported for Docker Compose-based deployments.

Migrating an existing validator to use an external KMS

Our recommended approach for switching to a KMS is to:
  1. Set up a fresh validator from scratch with the desired KMS configuration. (Rest of this guide.)
  2. Transfer all relevant assets from the existing non-KMS validator to the new KMS-enabled validator.
  3. Retire the non-KMS validator.

Configuring a fresh validator to use an external KMS

Only configuration changes to the splice-participant Helm chart are required to deploy a KMS-enabled validator. Also recall that you need to deploy a fresh participant in order for the KMS to be used correctly, which implies that you will need to set up the remaining validator components afresh as well (see above).

Google Cloud KMS

Amazon Web Services KMS