HashiCorp Vault is software-based, general-purpose secure storage for sensitive information such as keys, passwords and certificates. It is available in both open-source and commercial editions, and its architecture is extensible with plugins. Kaleido has taken advantage of this extensibility and provides a Vault plugin that can be mounted as a secrets engine. The plugin only supports using the stored secret keys to sign transactions; it never gives away the secret keys themselves.
Customers can install the Vault themselves, either in their own cloud accounts or on premises. This lets customers deploy key management that meets all but the most stringent security criteria.
HashiCorp Vault provides flexible policy-based access control, with policies attached to user credentials. Here we want to create a user that Kaleido will use as the transaction signer. It must be able to list the signing accounts and sign transactions. It does not need the ability to create or delete keys, because the Kaleido service does not perform those functions.
The privilege to create and delete keys can be reserved for a separate administrator user under the customer's control. The credentials carrying administrative privileges never need to be shared with Kaleido.
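The signer/administrator split described above, written as two Vault ACL policies with a small evaluator that confirms the signer credentials cannot create, read or delete keys. This is an added example, not Kaleido's or HashiCorp's code; the mount path `ethereum/` and the endpoints `accounts` and `accounts/<address>/sign` are assumptions to check against the plugin's own path help, and the matcher is a simplification of Vault's real ACL rules.

```python
"""Least-privilege split between the Kaleido signer and the key administrator,
as two Vault ACL policies plus a small evaluator. Added example, not Kaleido's
or HashiCorp's code: the mount "ethereum/" and the endpoints "accounts" and
"accounts/<address>/sign" are assumptions, and the matcher simplifies Vault's
rules (exact path beats glob, longest glob wins, "+" is one segment, "deny" overrides)."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    path: str               # policy path; may end in "*" or contain "+" segments
    capabilities: frozenset

# Credentials handed to Kaleido: enumerate accounts and sign with them, nothing else.
SIGNER_POLICY = (
    Rule("ethereum/accounts", frozenset({"list"})),
    Rule("ethereum/accounts/+/sign", frozenset({"update"})),
)
# Credentials kept by the customer: full key lifecycle, never shared with Kaleido.
ADMIN_POLICY = (
    Rule("ethereum/accounts", frozenset({"list"})),
    Rule("ethereum/accounts/*", frozenset({"create", "read", "update", "delete", "list"})),
)

def to_hcl(policy) -> str:
    """Render a policy in the HCL form accepted by `vault policy write`."""
    blocks = []
    for rule in policy:
        caps = ", ".join(f'"{c}"' for c in sorted(rule.capabilities))
        blocks.append(f'path "{rule.path}" {{\n  capabilities = [{caps}]\n}}')
    return "\n\n".join(blocks) + "\n"

def _matches(rule_path: str, request_path: str) -> bool:
    glob = rule_path.endswith("*")
    pattern = re.escape(rule_path[:-1]) + ".*" if glob else re.escape(rule_path)
    pattern = pattern.replace(r"\+", "[^/]+")      # "+" stands for one path segment
    return re.fullmatch(pattern, request_path) is not None

def allowed(policy, request_path: str, capability: str) -> bool:
    """Pick the most specific matching rule and ask whether it grants the capability."""
    best = None
    for rule in policy:
        if _matches(rule.path, request_path):
            rank = (not rule.path.endswith("*"), len(rule.path))  # exact, then longest
            if best is None or rank > best[0]:
                best = (rank, rule)
    if best is None:
        return False
    caps = best[1].capabilities
    return "deny" not in caps and capability in caps
```

Feed `to_hcl(SIGNER_POLICY)` to `vault policy write kaleido-signer -` and attach that policy to the credentials given to Kaleido, keeping `ADMIN_POLICY` on a credential that stays with the customer.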