validator_operator/validator_security

[giscus[bot]]

validator_operator/validator_security

https://docs.dev.sync.global/validator_operator/validator_security.html

[simonletort-da]

Capturing here the good comments from @galaxy-mario regarding "KMS usage is not currently supported for Docker Compose-based deployments."

"Do you know a way around storing the private keys in the Postgres database when deploying via Docker Compose? I know the docs mention "KMS usage is not currently supported for Docker Compose-based deployments," but is there maybe a workaround?"

You can still use KMS with docker.
You can attach a role to the ec2 instance that has the necessary KMS permissions.
You need to run the participant container in host network mode so the AWS SDK can see and use the attached role.
And then include the necessary config env var:

services:
  participant:
    environment:
      - |
        ADDITIONAL_CONFIG_SPLICE_PARTICIPANT_CRYPTO_PROVIDER_KMS=
            canton.participants.participant.crypto {
              provider = kms
              kms = {
                type = aws
                region = ${AWS_REGION}
              }
            }

In theory you can also just generate AWS credentials and pass them as env vars and the AWS SDK will use them, but that's a lot less secure

Running the container in host network mode has it's pros/cons, so definitely balance that agains't using postgres