The Azure Key Vault provides hardware security modules (HSM) that are maintained in the Azure Cloud. This allows client total control of their cryptographic materials in hardware and firmware without being exposed to any operators including Microsoft. Using an HSM based keys management provides the highest level of security.
Kaleido CloudHSM service supports using keys maintained by Azure Key Vault to sign transactions. The Kaleido service communicates with Azure Key Vault via HTTP over TLS to discover the list of signing accounts and sending it payload to sign. During the entire process the signing keys stay safe inside the customer's Azure Key Vault instance and are never shared with Kaleido.
Creation of Kaleido CloudHSM service in Kaleido is a two step process. First, you specify the type and access details to Azure Key Vault as a configuration under the environment. This can be referenced by one or more CloudHSM service instances created in the same membership. Next you create the CloudHSM service using the configuration created belo.
The configuration for Azure Key Vault has the following mandatory parameters:
The following is a sample POST request to create an Azure key vault cloudhsm configuration:
Using the configuration created above, cloud HSM service can be created using the request fields:
FieldUsagenameUser-defined name for the servicemembership_idID of membership under which this service is availableserviceType of service. Must be cloudhsmdetails-- cloudhsm_idID of the configuration created in the previous step
The following is a sample POST request to create a Cloud HSM service that uses an Azure Key Vault backend provider:
Transactions can be sent to the Kaleido CloudHSM service by specifying a from address that corresponds to a SECP256K1 type key that is present in the Azure Key Vault. Any of RPC, WSS or the API Gateway interfaces can be used to send transactions. The URLs for the interfaces can be obtained by querying the service's /status route
A sample GET request to obtain the service status is as below:
When a eth_sendTransaction request is received by the Kaleido CloudHSM service, it uses the from address to determine whether the configured backend cloud HSM contains the keys for the address. The Kaleido CloudHSM service sends a /sign request with the KEY ID of the from address and the transaction payload to Azure Key Vault to sign. If the request succeeds, Key Vault returns the signature, from which the Ethereum signature parameters - R, S and V are extracted, as well as making sure the S value is compatible with Ethereum's malleability protection rule, and included in the transaction before sending it to the Ethereum blockchain node in the Kaleido environment that the service is bound to.