Hyperledger Web3j: HSM support for AWS KMS
George Tebrean, Hyperledger Web3j maintainer and Blockchain Developer at Web3 Labs | Nov 5, 2024

In the world of digital security, protecting sensitive data with robust encryption is essential. AWS Key Management Service (KMS) plays a crucial role in this space: it is a fully managed service for creating and controlling cryptographic keys. What many may not realize is that AWS KMS is backed by FIPS 140-validated hardware security modules (HSMs). Keys are generated, stored and used inside those HSMs and never leave them in plaintext, so you get the assurance of dedicated hardware without having to operate it. An HSM is a physical device designed to securely generate, store, and manage cryptographic keys, and AWS KMS delivers that function in a cloud-native way. Beyond key management, asymmetric KMS keys can also be used to sign data. This provides a trusted, hardware-backed way to secure blockchain transactions, digital signatures, and more.
This article covers how AWS KMS functions as an HSM, the benefits of using it to sign blockchain transactions, and how it fits into a broader security strategy.

In Hyperledger Web3j, support for HSMs was introduced two years ago, giving users a secure method for managing cryptographic keys; see the official documentation for details. Despite this integration, many users have encountered challenges adopting and implementing the HSM interfaces, particularly with the AWS KMS module. To address this, a ready-to-use implementation has been added specifically for AWS KMS. It simplifies the integration, letting users rely on AWS KMS for secure transaction signing without manual configuration.

The class HSMAwsKMSRequestProcessor implements the HSMRequestProcessor interface, which is responsible for the interaction with an HSM. The new class contains all the code required to communicate with AWS KMS and to return the signed data in the signature format Web3j expects. It handles the intricacies of signature generation, so AWS KMS can be used as an HSM for transaction signing without additional development overhead.

Here is a snippet with the most important actions of the callHSM method:

NOTE! To use this properly, the key spec of the key created in AWS KMS must be ECC_SECG_P256K1 (secp256k1), the curve used by Ethereum and other EVM chains. A key of any other spec will produce a mismatch error when the signature is created.

Example
Here is a short example of how to call the callHSM method from the library:

Conclusion
AWS KMS, with its HSM-backed keys, offers a powerful solution for securely managing keys and signing transactions. Despite the initial challenges users faced in integrating AWS KMS with Hyperledger Web3j, the introduction of the HSMAwsKMSRequestProcessor class has made it easier to adopt and implement. This ready-to-use solution simplifies interaction with AWS KMS, allowing users to sign data and transactions securely with minimal configuration. By leveraging it, organizations can improve their security posture while benefiting from the convenience of AWS's cloud-native HSM capabilities.
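The work a callHSM implementation has to do with what KMS hands back, as an added example in Python that is not Web3j's, AWS's, or the author's code. KMS returns a DER-encoded ECDSA signature over whatever 32-byte digest is passed with MessageType DIGEST and SigningAlgorithm ECDSA_SHA_256 (so a Keccak-256 digest works even though the algorithm is named for SHA-256), it does not guarantee a low s value, and it does not return the recovery id v that EVM transactions need. The block decodes the DER, enforces the EIP-2 low-s rule, derives v by public-key recovery against the key's GetPublicKey output, and refuses any key whose curve OID is not secp256k1, which is the key-spec mismatch the note warns about. The FakeKms class, the pure-Python curve arithmetic and the constant DIGEST are constructed stand-ins so the example runs offline (a real KMS key never leaves the HSM; production code would call boto3's kms.sign and kms.get_public_key instead); every function and class name here is mine, not a Web3j API.

```python
import hashlib
import secrets
# secp256k1 domain parameters: the curve behind the AWS KMS key spec ECC_SECG_P256K1
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
SECP256K1_OID = bytes.fromhex("2b8104000a")  # 1.3.132.0.10, as it appears in the KMS SPKI
DIGEST = hashlib.sha256(b"constructed sample transaction").digest()  # constructed stand-in for a Keccak-256 tx hash

def _add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P

def _mul(k, pt):  # double-and-add scalar multiplication (illustrative, not constant time)
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc

def _der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    b = b"\x00" + b if b[0] & 0x80 else b  # DER INTEGERs are signed: pad a high bit
    return b"\x02" + bytes([len(b)]) + b

class FakeKms:
    """Constructed stand-in for the KMS client (production: kms.get_public_key(KeyId=...) and
    kms.sign(KeyId=..., Message=digest, MessageType='DIGEST', SigningAlgorithm='ECDSA_SHA_256'))."""
    def __init__(self):
        self._d = secrets.randbelow(N - 1) + 1  # only exists so the example runs offline
        self.pub = _mul(self._d, G)
    def get_public_key(self):
        """DER SubjectPublicKeyInfo with an uncompressed point, the shape GetPublicKey returns."""
        point = b"\x04" + self.pub[0].to_bytes(32, "big") + self.pub[1].to_bytes(32, "big")
        algo = b"\x06\x07\x2a\x86\x48\xce\x3d\x02\x01" + b"\x06\x05" + SECP256K1_OID
        body = b"\x30" + bytes([len(algo)]) + algo + b"\x03\x42\x00" + point
        return b"\x30" + bytes([len(body)]) + body
    def sign_digest(self, digest, force_high_s=False):
        """DER ECDSA signature over the digest exactly as given; KMS does not re-hash a DIGEST."""
        z, k = int.from_bytes(digest, "big"), secrets.randbelow(N - 1) + 1
        r = _mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * self._d) % N
        if force_high_s and s <= N // 2:  # KMS may legitimately return either s or N - s
            s = N - s
        body = _der_int(r) + _der_int(s)
        return b"\x30" + bytes([len(body)]) + body

def parse_spki(spki):
    """Public point from a KMS SubjectPublicKeyInfo; rejects any curve other than secp256k1."""
    algo = spki[4:4 + spki[3]]
    if algo[2 + algo[1]:] != b"\x06\x05" + SECP256K1_OID:  # skip the id-ecPublicKey OID
        raise ValueError("KMS key spec is not ECC_SECG_P256K1")
    bits = spki[4 + spki[3]:]
    if bits[:4] != b"\x03\x42\x00\x04":
        raise ValueError("expected an uncompressed EC point")
    return int.from_bytes(bits[4:36], "big"), int.from_bytes(bits[36:68], "big")

def der_to_rs(sig):
    """Decode a DER ECDSA-Sig-Value (SEQUENCE of two INTEGERs) into (r, s)."""
    if sig[0] != 0x30 or sig[2] != 0x02 or sig[4 + sig[3]] != 0x02:
        raise ValueError("not a DER ECDSA signature")
    i = 4 + sig[3]
    r = int.from_bytes(sig[4:i], "big")
    return r, int.from_bytes(sig[i + 2:i + 2 + sig[i + 1]], "big")

def recover(digest, r, s, rec_id):
    """Q = r^-1 (s*R - z*G) for recovery id 0/1 (the rare r + N candidate is ignored)."""
    y_sq = (pow(r, 3, P) + 7) % P
    y = pow(y_sq, (P + 1) // 4, P)  # P = 3 mod 4, so this is a square root when one exists
    if pow(y, 2, P) != y_sq:
        return None
    if (y & 1) != rec_id:
        y = P - y
    z_g = _mul(int.from_bytes(digest, "big"), G)
    return _mul(pow(r, -1, N), _add(_mul(s, (r, y)), (z_g[0], (P - z_g[1]) % P)))

def kms_signature_to_eth(digest, der_sig, spki):
    """Decode DER, enforce EIP-2 low-s, then find v by recovering against the KMS public key."""
    pub = parse_spki(spki)
    r, s = der_to_rs(der_sig)
    if s > N // 2:
        s = N - s  # Ethereum rejects high-s signatures (EIP-2); flipping s also flips v
    for rec_id in (0, 1):
        if recover(digest, r, s, rec_id) == pub:
            return r, s, 27 + rec_id  # v in the 27/28 form of Web3j's Sign.SignatureData
    raise ValueError("signature does not verify against the KMS public key")
```

Deriving v by recovery rather than guessing it is what makes the low-s normalization safe: once s is replaced by N - s the parity of R changes, so v must be computed after normalization, and checking the recovered point against the GetPublicKey output also catches a key of the wrong spec before a transaction is broadcast from the wrong address.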