Azure Key Vault Signer

Key Management Backed by Azure Key Vault

Kaleido makes it easy to utilize Azure Key Vault to manage keys and sign and submission transactions.
What it is

What It Is

The Azure Key Vault provides hardware security modules (HSM) that are maintained in the Azure Cloud. This allows client total control of their cryptographic materials in hardware and firmware without being exposed to any operators including Microsoft. Using an HSM based keys management provides the highest level of security.

Kaleido CloudHSM service supports using keys maintained by Azure Key Vault to sign transactions. The Kaleido service communicates with Azure Key Vault via HTTP over TLS to discover the list of signing accounts and sending it payload to sign. During the entire process the signing keys stay safe inside the customer's Azure Key Vault instance and are never shared with Kaleido.

Create and Configure a Kaleido CloudHSM Signer Service

Azure KeyVault Signer has the ability to interact with the Key Vault in Azure to sign and send transactions to an Ethereum node in the Kaleido environment.

Sign Transactions Using Azure Key Vault

Kaleido CloudHSM service supports using keys maintained by Azure Key Vault to sign transactions.

Total Control

Kaleido CloudHSM service supports using keys maintained by Azure Key Vault to sign transactions.

How it works

How it Works

Create a Kaleido Cloud HSM Service

Creation of Kaleido CloudHSM service in Kaleido is a two step process. First, you specify the type and access details to Azure Key Vault as a configuration under the environment. This can be referenced by one or more cloud HSM service instances created in the same membership. Next you create the CloudHSM service using the configuration created belo.

Create CloudHSM configuration for Azure Key Vault

The configuration for Azure Key Vault has the following mandatory parameters:

The following is a sample POST request to create an Azure key vault cloudhsm configuration:

Create Cloud HSM service

Using the configuration created above, cloud HSM service can be created using the request fields:

FieldUsagenameUser-defined name for the servicemembership_idID of membership under which this service is availableserviceType of service. Must be cloudhsmdetails-- cloudhsm_idID of the configuration created in the previous step

The following is a sample POST request to create a Cloud HSM service that uses an Azure Key Vault backend provider:

 "name": "cloudhsm-azure",
 "membership_id": "",
 "service": "cloudhsm",
 "details": {
   "cloudhsm_id": ""

Transaction Signing with Azure Key Vault

Transactions can be sent to the Kaleido CloudHSM service by specifying a from address that corresponds to a SECP256K1 type key that is present in the Azure Key Vault. Any of RPC, WSS or the API Gateway interfaces can be used to send transactions. The URLs for the interfaces can be obtained by querying the service's /status route

A sample GET request to obtain the service status is as below:

When a eth_sendTransaction request is received by the Kaleido CloudHSM service, it uses the from address to determine whether the configured backend cloud HSM contains the keys for the address. The Kaleido CloudHSM service sends a /sign request with the KEY ID of the from address and the transaction payload to Azure Key Vault to sign. If the request succeeds, Key Vault returns the signature, from which the Ethereum signature parameters - R, S and V are extracted, as well as making sure the S value is compatible with Ethereum's malleability protection rule, and included in the transaction before sending it to the Ethereum blockchain node in the Kaleido environment that the service is bound to.

Why Kaleido

Why Kaleido

Kaleido's platform is different because it has everything businesses need to create complete blockchain solutions. With just a few clicks, you can create a blockchain network, deploy it globally, set up governance, and include additional services.

Blazing Fast Deployment, Speed, and Scale

Deploy Production-Ready Blockchain Networks and Digital Assets in Minutes
Amazingly Low Cost Per Transaction
Multi-Party, Cross-Cloud, and Multi-Region Support
Built-In High Availability and Disaster Recovery
400+ APIs and 40+ Services to Accelerate Development

No Lock-in and Open Source Technologies

Support for Multiple Blockchain Protocols
Enterprise Integrations and Marketplace
Customizable Decentralization Options
Actively Leading New Standards and Technologies

Proven Enterprise Platform and Expertise

ISO and SOC2 Certified
SLAs and  24/7 Support
On-Chain and Off-Chain Services
Secure Key Management
Built-In Monitoring and Smart Contract Management
Additional Resources
Learn More About
Azure Key Vault Signer
Ready to Get Started With
Azure Key Vault Signer