Security in versions above 2.0.0

Hello community,

I have a question regarding the Daml version above 2.0.0:

How is the encryption of communication between Domain and Participants done? When capturing traffic with the Wireshark tool, the messages I can capture between the domain and the participant only contain information up to the transport layer (TCP protocol). Is there any filter available to capture these messages?

Thank you,

Derek

Hi @Derek

In a production environment, messages floating between participant and domain are encrypted using TLS. By default, TLS is disabled.
Even with TLS disabled, the message payload is encrypted with an ephemeral key, because the sequencer is not allowed to see payloads. You can choose between the crypto providers Tink and JCE, but you can’t choose “no encryption”. (Perhaps you can configure Tink / JCE to skip encryption, but I haven’t tried that out.)

For educational purposes, we have created config options that will dump message payloads to the log. Try to include this in your Canton config:

canton.monitoring.logging {
  event-details = true
  api.message-payloads = true
}

Make sure to enable debug logging when running canton:

bin/canton -v -c myConfig.conf

I hope this helps!
Matthias

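Since the answer notes that TLS is off by default, here is an added config example (not from the thread and not Canton's own sample) showing the debug-only payload dumping switched off next to TLS enabled on the domain's public API, which is the endpoint participants connect to. The key names are assumed from Canton 2.x's TLS configuration documentation as I understand it, and the domain name, port and certificate paths are placeholders, so check them against the docs for your version.

```hocon
// Added example, not part of the original thread.
// Key names assumed from Canton 2.x TLS configuration; "mydomain", the port
// and the ./tls/... paths are placeholders to replace with your own values.

// Domain side: enable TLS on the public API (the sequencer endpoint) so the
// participant <-> domain connection is protected at the transport layer, in
// addition to the per-message ephemeral-key encryption of payloads.
canton.domains.mydomain.public-api {
  address = "0.0.0.0"
  port = 5018
  tls {
    cert-chain-file = "./tls/public-api.crt"   // server certificate chain
    private-key-file = "./tls/public-api.pem"  // matching private key
  }
}
// Participants then connect with an https:// URL and a trust store that
// contains the CA that issued public-api.crt (see the Canton TLS docs).

// The payload-dumping switches from the answer above write decrypted
// payloads into the log, so they belong in a lab setup only; in a
// production config keep them at their defaults (false).
canton.monitoring.logging {
  event-details = false
  api.message-payloads = false
}
```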

Detailed logging is also explained here:
https://docs.daml.com/canton/usermanual/monitoring.html#detailed-logging