Azure Key Vault Signer

Key Management Backed by Azure Key Vault

Kaleido makes it easy to utilize Azure Key Vault to manage keys and sign and submit transactions.
What it is

Azure Key Vault Signer

The Azure Key Vault provides hardware security modules (HSM) that are maintained in the Azure Cloud. This allows client total control of their cryptographic materials in hardware and firmware without being exposed to any operators including Microsoft. Using an HSM based keys management provides the highest level of security.

Kaleido CloudHSM service supports using keys maintained by Azure Key Vault to sign transactions. The Kaleido service communicates with Azure Key Vault via HTTP over TLS to discover the list of signing accounts and sending it payload to sign. During the entire process the signing keys stay safe inside the customer's Azure Key Vault instance and are never shared with Kaleido.

Create and Configure a Kaleido CloudHSM Signer Service

Azure KeyVault Signer has the ability to interact with the Key Vault in Azure to sign and send transactions to an Ethereum node in the Kaleido environment.

Sign Transactions Using Azure Key Vault

Kaleido CloudHSM service supports using keys maintained by Azure Key Vault to sign transactions.

Total Control

Kaleido CloudHSM service supports using keys maintained by Azure Key Vault to sign transactions.

Create a Kaleido Cloud HSM Service

Creation of Kaleido CloudHSM service in Kaleido is a two step process. First, you specify the type and access details to Azure Key Vault as a configuration under the environment. This can be referenced by one or more CloudHSM service instances created in the same membership. Next you create the CloudHSM service using the configuration created belo.

Create CloudHSM configuration for Azure Key Vault

The configuration for Azure Key Vault has the following mandatory parameters:

The following is a sample POST request to create an Azure key vault cloudhsm configuration:

Create Cloud HSM service

Using the configuration created above, cloud HSM service can be created using the request fields:

FieldUsagenameUser-defined name for the servicemembership_idID of membership under which this service is availableserviceType of service. Must be cloudhsmdetails-- cloudhsm_idID of the configuration created in the previous step

The following is a sample POST request to create a Cloud HSM service that uses an Azure Key Vault backend provider:

 "name": "cloudhsm-azure",
 "membership_id": "",
 "service": "cloudhsm",
 "details": {
   "cloudhsm_id": ""

Transaction Signing with Azure Key Vault

Transactions can be sent to the Kaleido CloudHSM service by specifying a from address that corresponds to a SECP256K1 type key that is present in the Azure Key Vault. Any of RPC, WSS or the API Gateway interfaces can be used to send transactions. The URLs for the interfaces can be obtained by querying the service's /status route

A sample GET request to obtain the service status is as below:

When a eth_sendTransaction request is received by the Kaleido CloudHSM service, it uses the from address to determine whether the configured backend cloud HSM contains the keys for the address. The Kaleido CloudHSM service sends a /sign request with the KEY ID of the from address and the transaction payload to Azure Key Vault to sign. If the request succeeds, Key Vault returns the signature, from which the Ethereum signature parameters - R, S and V are extracted, as well as making sure the S value is compatible with Ethereum's malleability protection rule, and included in the transaction before sending it to the Ethereum blockchain node in the Kaleido environment that the service is bound to.

Why Kaleido

Everything You Need to Build Enterprise-Grade Blockchain and Digital Asset Solutions on Azure

Kaleido's blockchain platform makes it radically simple for businesses to create complete web3 networks and applications. With just a few clicks, you can launch a blockchain network, deploy it globally, set up governance, and start plugging in familiar services.

Quickly Launch Blockchain

Launch blockchain networks in minutes
Choose from leading protocols
Select permissioned chains, appchains,  sidechains, or consortium chains
Deploy on AWS, Azure or on-prem
Stand up nodes worldwide in regions of your choice

Simplify Development to Get to
Production Fast

Access 40+ plug-and-play services for wallets, key management, storage, data, and more
Automate management and deployment with our fully API-enabled platform
Turn any smart contract into familiar APIs with our smart contract API generator
Make digital assets, NFTs, and consortia easy with our dedicated solutions
Mint, manage, and burn tokens at scale with robust tooling

All Backed by Enterprise-Grade Infrastructure and Support

Modern cloud scale architecture
Built-in high availability and disaster recovery
ISO 27k and SOC 2 Type 2 compliant
Integrate seamlessly with existing internal systems
Open source tech and no vendor lockin
24x7 support and SLAs
Additional Resources
Learn More About Azure Key Vault Signer

Ready to Get Started with Azure Key Vault Signer?

No Credit Card Required
ISO27K & SOC2 Type 2 Compliant
Free Training & Support