Crypto key management
This page explains how to list, rotate, generate, deactivate, and delete keys of a Canton node. It also explains how to configure the cryptographic schemes supported by a node. There is a separate section on the management of namespace keys.List keys
Use the following command to enumerate the public keys that the nodemyNode stores in its vault:
myNode is running and has created keys during startup, which is the default behavior.
Similarly, a user can enumerate the private keys of myNode:
Rotate keys
Canton supports rotating the keys of a nodemyNode with a single command:
myNode. But the command does not rotate namespace keys. The node deactivates the old keys on all Synchronizers, but they remain in the vault of myNode.
The following command rotates a single key of myNode:
Key rotation should be interleaved with taking a backup.
Generate and activate keys
Canton creates keys with default parameters for all nodes. To have different key parameters, generate keys manually. To generate and activate a new signing key formyNode, run the following commands:
SigningKeyUsage. Keys are generated according to specific cryptographic key formats. Please refer to the following tables for more information on the expected key formats in Canton.
Deactivate keys
To deactivate a key on all Synchronizers run the following command:Delete keys
After rotating or deactivating a key it remains in the node’s vault. To permanently delete a key from the vault, use the following console command:Configure cryptographic schemes
Canton supports several cryptographic schemes. By default, a node allows for using all cryptographic schemes supported by Canton. To configure the default and allowed schemes for a node include a snippet like the following into the Canton configuration:Every Synchronizer imposes a minimum set of cryptographic schemes that its members must support. If a node does not support this minimum set of schemes, it is unable to connect to the Synchronizer.
Disable Session keys
An explanation of the purpose and security implications of session keys is available in Cryptographic keys in Canton. While session keys improve performance, they also introduce a security risk, as the keys are stored in memory—even if only for a short duration. If you prefer to disable session keys and accept the resulting performance degradation, you can do so by setting the following configurations. To disable session encryption keys:Restrict key usage
This page explains how to limit the usage of cryptographic keys of a Canton node to specific purposes, as best practice to contain damage of potentially compromised keys.Signing key usage
Canton defines the following key usages for signing keys:Namespace: a key that defines a node’s identity and signs topology requests (see namespace key management)SequencerAuthentication: a key that authenticates members of the network towards a sequencerProtocol: a key that signs various structures as part of the synchronization protocol execution
Restrict the usage of a signing key
Set theusage parameter with the desired usages when you generate a new key.
For example, use the following command to generate a signing key restricted to Protocol usage only:
NamespaceOnly, SequencerAuthenticationOnly, ProtocolOnly, All. Individual usages can otherwise be combined in a Set, but this is not recommended to avoid that keys are used for multiple purposes.
Once specified during key generation, the set of usages is fixed and cannot be modified during the lifetime of that key. Instead, a new key must be generated and activated, and the old one deactivated. See key management for more information regarding the key management commands.
usage parameter with the desired usages when you register the keys with Canton:
Determine the usage of an existing signing key
To find what usage a signing key has been assigned, use the following command:filterFingerprint parameter, all the existing keys will be returned.
Determine the existing keys with a given usage
To find all the signing keys that have been assigned a given usage, use the following command:filterUsage will be returned.
Namespace key delegation restrictions
As described in the identity management page, Canton uses topology transactions to manage identities, and these transactions are signed by keys withNamespace usage. Namespace key management shows that you can create intermediate keys to sign topology transactions, thereby limiting exposure of the root namespace key. These intermediate keys can be further restricted in terms of which kind of topology transactions they can sign using fine-grained delegation restrictions.
Canton defines the following restrictions for namespace keys:
Restrict the types of mappings that a key can sign
You must first create a new key with at leastNamespace usage, then delegate the signing privileges for a namespace to that key, specifying the desired restrictions in the delegationRestriction parameter.
For example, in the following, the first command creates an intermediate key for the root namespace, then the second one delegates the signing privileges to it, allowing it to sign all types of topology mappings except namespace delegations themselves:
propose_delegation command with the updated delegation restrictions.
Determine the restrictions of an existing namespace key
To find what signing restrictions have been defined on a namespace key, use the following command:filterTargetKey parameter, all the existing namespace delegations will be returned.
This document is a work in progress. The feature will be developed and released in the future, following the procedures described in the document.
Namespace Key Management
Online Root Namespace Key
By default, the Canton node creates a root namespace key during the initialization of the node. Operators can manually create an intermediate key on the node to authorize topology transactions. Only the intermediate key can be changed. Therefore, it is important to keep the root key secure. If a Canton node is configured to use a KMS system, then the root key can be administratively isolated, using the KMS Administration controls to remove node access to the root key. As the root key is only required when authorizing a new intermediate key or revoking an existing authorization, it is sufficient to just selectively allow the node to access the key only whenever such operations are performed. Only the root key can be isolated. All the other keys are essential for Canton to operate correctly. Optionally, the intermediate key can also be isolated but will have to be turned on and off as needed during administrative operations such as uploading DARs or adding parties.Offline Root Namespace Key
A more secure way to manage the root namespace key is to use an offline root namespace key. In this case, the root namespace key is stored in a secure, possibly air gapped location, inaccessible from the Canton node. Where the root key is stored depends on your organization’s security requirements. For the remainder of this guide, assume that there are two sites, the online site of the node with its intermediate key and the offline site of the root key. The offline root key is used to sign a delegation to the node’s intermediate key, which is then used to authorize topology transactions. The offline root key procedure is supported by a set of utility scripts, which can be found in the Cantonscripts directory (scripts/offline-root-key).
Channel for Key Exchange
There must be a channel or method which allows to exchange the public intermediate key and the signed intermediate namespace delegations between the online and offline sites. The channel must be trusted in terms of authenticity, but not confidentiality, as no secret information is exchanged. This means you need to ensure that the data is not tampered with during transport, but the data itself does not need to be encrypted. This can be done using multiple methods, depending on whether the sites are air-gapped or connected through a network. Possible examples are: secure file transfer, QR codes, physical storage medium. Assuming that such a trusted channel exists, the following steps are required to set up the offline root namespace key:1. Configure Node To Expect External Root Key
Before the first start-up, the Canton node must be configured not to initialize automatically. This is done by setting2. Export Public Key of Node
Assuming you have access to the remote console of the node, create a new signing key to use as the intermediate key:grpccurl against the Admin API to invoke the commands.
3. Share Public Key of Node with Offline Site
Next, the intermediate public key must be transported to the offline site as described above. Ensure that the public key is not tampered with during transport.4. Generate Root Key and The Root Certificate
Using OpenSSL
Ensure that the necessary scripts are available on the secure site. These scripts are included in the Canton release packages atscripts/offline-root-key. An example demonstrating usage of those scripts using openssl to generate keys and sign certificates is available at examples/10-offline-root-namespace-init. Run the next set of commands from the examples/10-offline-root-namespace-init directory.
Start by initializing variables used in the snippets below
x509 SPKI DER format. For more information on Canton’s supported key formats, please refer to the following tables. This generates two files, root-delegation.prep and root-delegation.hash. .prep files contain unsigned topology transactions serialized to bytes. If you really want to be sure what you are signing, inspect the prepare-certs.sh script to see how it generates the topology transaction and how it computes the hash. Next, the hash needs to be signed.
If you are using openssl, the following command can be used to sign the hash:
Using GCP KMS
If you are using GCP KMS, you can use KMS CLI (https://cloud.google.com/kms/docs/create-validate-signatures) with the following commands to generate the key:5. Create the Intermediate Certificate
If the root key and the self-signed root delegation are available, you can create the intermediate certificate. The steps are very similar to the root certificate, but the target is the public key of the intermediate key, and the--intermediate-delegation flag is used instead of --root-delegation.
7. Copy the Certificates to the Online Site
The generated certificates (never the root private key) need to be transferred to the online site. The public keys are included in the certificates and don’t need to be transported separately. You need to transfer both certificates, the root delegation and the intermediate delegation, to the online site.8. Import the Certificates to the Node
On the target site, import the certificates into the waiting node using the console commandgrpccurl to initialize the node.
Pre-Generated Certificates
The certificates can also be provided directly via the node’s configuration file if they’ve been generated beforehand. In this scenario, instead of generating the intermediate key via the node’sgenerate_signing_key command as described above, they key must be generated on a KMS and its public key material downloaded. The same scripts can then be used to generate the certificate, with the exception that the intermediate public key will not be in the Canton format but in a DER format and should therefore be set with --target-pub-key. Once the certificates are available, you must register the intermediate KMS key by running:
Delegation Restrictions
You can further restrict the kind of topology transactions a delegation can authorize. Theprepare-certs script exposes a --delegation-restrictions flag for that purpose.
Rotate the Intermediate Key
Create new Intermediate Key
In order to create another intermediate key, we follow the same steps as before. Create the key on the online site and export it. Follow the same steps to create a new intermediate delegation for the new intermediate key:- copy to secure site
- generate the intermediate delegation (skip self-signed root delegation as it has already been generated)
- copy the certificate to the node site
Revoking the Intermediate Key
To revoke the intermediate key, the root key needs to be used to sign a revocation transaction. The revocation transaction is prepared in the same way as the intermediate delegation. Also, the generated hash needs to be signed and then subsequently assembled into a certificate:Rotating the Root Namespace Key
You cannot rotate the root namespace key. If you need to discontinue the usage of the namespace, you need to create a new namespace, new parties and participants in that new namespace, and transfer the contracts to the new parties.Configure session keys
Canton uses session keys to reduce expensive cryptographic operations during protocol execution, improving performance. There are two types: session encryption keys, which reduce the number of asymmetric encryptions, and session signing keys, which help avoid frequent calls to external signers such as a KMS. You can read more about the rationale and security considerations in Cryptographic keys in Canton. Extending the lifetime of session keys minimizes the need for repeated key negotiation or remote signing—but it also increases the window during which keys are stored in memory, raising the risk of compromise.Increase session encryption keys lifetime
You can control how long a session encryption key remains active by adjusting theexpire-after-timeout values in your configuration. To globally increase the lifetime of session encryption keys, increase the expire-after-timeout for both the sender-cache and receiver-cache.
Increase session signing keys lifetime
When using external KMS (Key Management Service) provider you can control how long a session signing key remains active by adjusting thekey-validity-duration and the key-eviction-period. The key-eviction-period should always be longer than the key-validity-duration and at least as long as the sum of confirmation_response_timeout and mediator_reaction_timeout, as configured in the dynamic Synchronizer parameters.