
Key Management

ChainLaunch manages cryptographic keys for all blockchain nodes — identity keys, TLS certificates, and CA keys. Keys are encrypted at rest and only decrypted in memory when needed.

Key Types

| Key type | Purpose | Created when |
| --- | --- | --- |
| Node identity | Node authentication, transaction signing, consensus | Node is created |
| TLS | Encrypted communication between nodes and clients | Node is created |
| CA (Certificate Authority) | Signs certificates for org members | Organization is created |

Key Providers

ChainLaunch supports multiple key storage backends:

| Provider | Edition | Storage | Security level |
| --- | --- | --- | --- |
| Database | Community | SQLite (AES-256 encrypted) | Good for dev/PoC |
| HashiCorp Vault | Pro | Vault transit engine | Production-grade |
| AWS KMS | Pro | AWS managed keys | Cloud-native, FIPS 140-2 |

View Keys

Via UI

  1. Go to Keys in the left sidebar
  2. Browse keys by organization or node
  3. Click a key to see its details (public key, certificate, expiry)

Via API

# List all keys
curl http://localhost:8100/api/v1/keys | jq

# Get a specific key
curl http://localhost:8100/api/v1/keys/{keyId} | jq

Via CLI

# List keys
chainlaunch keys list

# Get key details
chainlaunch keys get --id {keyId}

Create Keys

Keys are created automatically when you create organizations and nodes. To create a key manually:

Via API

curl -X POST http://localhost:8100/api/v1/keys \
-H "Content-Type: application/json" \
-d '{
"name": "custom-signing-key",
"algorithm": "ECDSA",
"curve": "P-256",
"providerId": 1
}'

Supported algorithms:

  • ECDSA with curves P-256 or P-384
  • Ed25519

Export a Certificate

# Export node's TLS certificate
curl http://localhost:8100/api/v1/keys/{keyId}/certificate > node-cert.pem

# Export CA certificate
curl http://localhost:8100/api/v1/keys/{keyId}/ca-certificate > ca-cert.pem

Key Rotation

Automatic Rotation (Pro)

With Vault or AWS KMS, you can enable automatic key rotation:

curl -X PUT http://localhost:8100/api/v1/keys/{keyId}/rotation \
-H "Content-Type: application/json" \
-d '{
"enabled": true,
"intervalDays": 90
}'

Manual Rotation

  1. Generate a new key for the node
  2. Update the node's configuration to use the new key
  3. Restart the node
  4. Revoke the old key after confirming the node is healthy

# Rotate a key
curl -X POST http://localhost:8100/api/v1/keys/{keyId}/rotate

Certificate Renewal

TLS and identity certificates have expiration dates. ChainLaunch tracks certificate expiry and can renew them:

# Check certificate expiry
curl http://localhost:8100/api/v1/keys/{keyId} | jq '.certificate.notAfter'

# Renew a certificate
curl -X POST http://localhost:8100/api/v1/keys/{keyId}/renew
Warning: Certificate renewal requires restarting the affected node. Plan renewals during maintenance windows for production networks.
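The two PEM exports above and the notAfter check are the inputs to a renewal decision, and it is worth verifying them offline rather than trusting the expiry field alone. The following Go program is an added example, not ChainLaunch code and not a call to its API: it parses an exported node certificate and CA certificate, verifies that the node certificate chains to the CA at a given time, and flags it for renewal when it expires inside a warning window. The newTestPair helper generates a throwaway P-256 CA and node certificate as constructed stand-ins for ca-cert.pem and node-cert.pem; a real check would read those files. Verifying with ExtKeyUsageAny (issuer and validity only, not the EKU profile) is an assumption for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CertStatus is what an operator needs to decide whether a renewal is due.
type CertStatus struct {
	Subject      string
	NotAfter     time.Time
	DaysLeft     int
	ChainsToCA   bool // node cert verifies against the exported CA cert
	NeedsRenewal bool // expiry falls inside the warning window
}

// parsePEMCert decodes the first CERTIFICATE block of a PEM file.
func parsePEMCert(data []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(data)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block in PEM input")
	}
	return x509.ParseCertificate(block.Bytes)
}

// CheckNodeCert takes the PEM exported from /keys/{keyId}/certificate and
// /keys/{keyId}/ca-certificate, verifies the node cert chains to the CA as of
// `now`, and flags it for renewal if it expires within warnWithin.
func CheckNodeCert(nodePEM, caPEM []byte, now time.Time, warnWithin time.Duration) (CertStatus, error) {
	node, err := parsePEMCert(nodePEM)
	if err != nil {
		return CertStatus{}, fmt.Errorf("node cert: %w", err)
	}
	ca, err := parsePEMCert(caPEM)
	if err != nil {
		return CertStatus{}, fmt.Errorf("ca cert: %w", err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	// ExtKeyUsageAny: only issuer and validity matter here, not the EKU profile (assumption).
	_, verr := node.Verify(x509.VerifyOptions{
		Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	remaining := node.NotAfter.Sub(now)
	st := CertStatus{
		Subject:      node.Subject.CommonName,
		NotAfter:     node.NotAfter,
		DaysLeft:     int(remaining.Hours() / 24),
		ChainsToCA:   verr == nil,
		NeedsRenewal: remaining < warnWithin,
	}
	if verr != nil {
		return st, fmt.Errorf("chain verification failed: %w", verr)
	}
	return st, nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newTestPair builds a throwaway P-256 CA and a node certificate it signs: constructed
// sample data standing in for ca-cert.pem and node-cert.pem, which a real check would read.
func newTestPair(now time.Time, nodeLifetime time.Duration) (nodePEM, caPEM []byte) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "org1-ca"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER := must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))
	caCert := must(x509.ParseCertificate(caDER))
	nodeKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	nodeTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "peer0.org1.example.com"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(nodeLifetime),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	nodeDER := must(x509.CreateCertificate(rand.Reader, nodeTmpl, caCert, &nodeKey.PublicKey, caKey))
	toPEM := func(der []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}) }
	return toPEM(nodeDER), toPEM(caDER)
}

func main() {
	now := time.Now()
	nodePEM, caPEM := newTestPair(now, 20*24*time.Hour) // a node cert with 20 days left
	st, err := CheckNodeCert(nodePEM, caPEM, now, 30*24*time.Hour)
	fmt.Printf("%s: notAfter=%s daysLeft=%d chainsToCA=%v needsRenewal=%v err=%v\n",
		st.Subject, st.NotAfter.Format(time.RFC3339), st.DaysLeft, st.ChainsToCA, st.NeedsRenewal, err)
}
```

Run against real exports by replacing newTestPair with os.ReadFile of the two PEM files. A 30-day warning window matches the warning above: it leaves room to schedule the renewal and restart inside a maintenance window instead of under pressure.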

Configure Key Providers

Database Provider (Default)

No configuration needed; the database provider is active by default. Each stored key is encrypted with AES-256 under a key-encryption key derived with PBKDF2, using a unique salt per key.

The key-encryption key is derived from the KEY_ENCRYPTION_KEY environment variable. If it is not set, ChainLaunch generates one automatically; treat that value as a secret and back it up, because without it the stored keys cannot be decrypted (see Security Best Practices below).
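To make the database provider's scheme concrete, here is an added Go illustration of what "AES-256 with PBKDF2 and a unique salt per key" means in practice. It is not ChainLaunch's implementation: the page does not document the cipher mode, iteration count, or record layout, so AES-GCM, 600,000 PBKDF2 iterations, and the salt/nonce/ciphertext record are assumptions chosen for the example. The master secret plays the role of KEY_ENCRYPTION_KEY; unwrapping with any other value fails, which is exactly why a lost key means lost data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	saltLen    = 16      // random salt per stored key
	nonceLen   = 12      // standard AES-GCM nonce size
	iterations = 600_000 // OWASP (2023) guidance for PBKDF2-HMAC-SHA256; assumed, not ChainLaunch's value
	kekLen     = 32      // 256-bit AES key
)

// WrappedKey is one encrypted private-key record as a database provider could persist it.
// Salt and nonce are stored in the clear; the master secret never is.
type WrappedKey struct {
	Salt, Nonce, Ciphertext []byte
}

// pbkdf2SHA256 is RFC 8018 PBKDF2 with HMAC-SHA256, written out so the example
// needs only the standard library.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	idx := make([]byte, 4)
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(idx, block)
		prf.Write(idx)
		u := prf.Sum(nil)              // U_1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...) // T_i accumulates U_1 xor U_2 xor ...
		for c := 1; c < iter; c++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// gcmFor derives the per-record key-encryption key from the master secret and salt.
func gcmFor(master, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256(master, salt, iterations, kekLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Wrap encrypts a private key under a KEK derived from master with a fresh salt.
func Wrap(master, privateKey []byte) (WrappedKey, error) {
	salt, nonce := make([]byte, saltLen), make([]byte, nonceLen)
	if _, err := rand.Read(salt); err != nil {
		return WrappedKey{}, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return WrappedKey{}, err
	}
	gcm, err := gcmFor(master, salt)
	if err != nil {
		return WrappedKey{}, err
	}
	// The salt rides along as associated data, so a record cannot be re-pointed at another salt.
	return WrappedKey{Salt: salt, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, privateKey, salt)}, nil
}

// Unwrap recovers the private key. It fails closed on a wrong master secret or a
// tampered record, which is the situation a lost KEY_ENCRYPTION_KEY puts you in.
func Unwrap(master []byte, w WrappedKey) ([]byte, error) {
	gcm, err := gcmFor(master, w.Salt)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, w.Nonce, w.Ciphertext, w.Salt)
	if err != nil {
		return nil, errors.New("decryption failed: wrong KEY_ENCRYPTION_KEY or tampered record")
	}
	return pt, nil
}

func main() {
	master := []byte("constructed-value-of-KEY_ENCRYPTION_KEY") // constructed; the real one comes from the environment
	priv := []byte("-----BEGIN PRIVATE KEY-----\nconstructed sample, not a real key\n-----END PRIVATE KEY-----\n")
	w, err := Wrap(master, priv)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored record: salt=%x nonce=%x ciphertext=%d bytes\n", w.Salt, w.Nonce, len(w.Ciphertext))
	if _, err := Unwrap([]byte("some-other-secret"), w); err != nil {
		fmt.Println("unwrap with a different secret:", err)
	}
}
```

Two properties of this layout are worth noticing. The per-key salt means two nodes with identical key material still produce unrelated records, so a leaked database gives an attacker nothing to correlate; and because the derived KEK never leaves memory, the only recovery path for the ciphertext is the original master secret, which is the operational reason the best-practices list insists on backing it up.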

HashiCorp Vault (Pro)

# Set Vault connection
export VAULT_ADDR=https://vault.yourcompany.com:8200
export VAULT_TOKEN=hvs.xxxxx

# Create a Vault key provider
curl -X POST http://localhost:8100/api/v1/key-providers \
-H "Content-Type: application/json" \
-d '{
"name": "vault-production",
"type": "VAULT",
"config": {
"address": "https://vault.yourcompany.com:8200",
"token": "hvs.xxxxx",
"transitPath": "transit",
"kvPath": "secret/chainlaunch"
}
}'

Vault requirements:

  • Transit secrets engine enabled
  • KV v2 secrets engine enabled
  • Policy with create, read, update on transit and KV paths

Issue ChainLaunch its own token bound to that policy rather than reusing a root or broadly scoped token; the token is stored in the provider configuration, so it should grant nothing beyond those paths.

AWS KMS (Pro)

curl -X POST http://localhost:8100/api/v1/key-providers \
-H "Content-Type: application/json" \
-d '{
"name": "aws-production",
"type": "AWS_KMS",
"config": {
"region": "us-east-1",
"accessKeyId": "AKIA...",
"secretAccessKey": "...",
"kmsKeyId": "arn:aws:kms:us-east-1:123456:key/xxx"
}
}'

Authentication modes:

  • Static credentials — access key + secret key
  • Instance role / IRSA — for EC2 or EKS deployments
  • Named profile — for SSO/assumed role setups
  • STS role assumption — cross-account access

Prefer an instance role, IRSA, or STS assumption over static credentials wherever the deployment allows it, so that no long-lived AWS secret has to be placed in the provider configuration.

Security Best Practices

  1. Use Vault or KMS in production — the database provider is fine for development, but enterprise deployments should use a dedicated key management system
  2. Rotate keys regularly — at least every 90 days to meet common compliance baselines
  3. Back up the encryption key — if you lose KEY_ENCRYPTION_KEY, every key stored by the database provider is unrecoverable
  4. Restrict API access — use RBAC to limit who can view, create, rotate, or export keys
  5. Monitor key operations — enable audit logging to track all key access, exports, and rotations

Next Steps