Hi all,
I am setting up a Canton on Fabric environment using a distributed domain topology with GCP KMS and had a few questions regarding the provisioning of Canton keys via GCP KMS.
I am including a table of cryptographic keys used by Canton extracted from the docs, along with their configurability in GCP KMS for reference.
| Canton Component | Key | Configurable in GCP KMS |
|---|---|---|
| Common node keys | Admin API TLS certificate | No |
| Participant node keys | Participant namespace signing key | Yes |
| Participant node keys | Signing key | Yes |
| Participant node keys | Participant encryption key | Yes |
| Participant node keys | View encryption key | No |
| Participant node keys | Session encryption key | No |
| Participant node keys | Ledger API TLS key | No |
| Domain Topology Manager keys | Domain namespace signing key | Yes |
| Domain Topology Manager keys | Signing key | Yes |
| Fabric sequencer keys | Signing key | Yes |
| Fabric sequencer keys | Fabric peer node certificate (for mTLS) | No |
| Fabric sequencer keys | Fabric peer node private key (for mTLS) | No |
| Fabric sequencer keys | Client identity certificate | No |
| Fabric sequencer keys | Client private key | No |
| Fabric sequencer keys | Public API TLS certificate | No |
| Mediator keys | Signing key | Yes |
| Remote Canton console keys | TLS client certificate | No |
| Remote Canton console keys | TLS private key | No |
Questions:

- Some of the keys are not configurable in KMS. I understand that files for certificate/private key pairs for TLS/mTLS are referenced in the node's config files. How can the View encryption key and Session encryption key for the participant node be configured?
- Why are only some keys configurable in KMS but not all of them?
- Can any of the KMS-configurable keys technically be identical across each node? (i.e. can the same namespace key and signing key be used by 2 different participant nodes and the domain manager node?)
- Is there a recommendation on a minimal subset of unique keys to use for each key type across Canton nodes, such that the total number of unique keys required is minimized while ensuring key security is still adequate according to best practices from a security perspective? Assume that the nodes are entirely owned by a single organization if it's relevant.
- Is there a different recommendation for key provisioning if some of the nodes are owned by a different organization? I.e. a different legal entity owning a separate Sequencer and Participant node in an entirely separate GCP network, as in the case of a federated ledger architecture.
Thank you!