KMS Stack


The KMS (Key Management Service) stack is a critical component of the Builder Vault, focusing on the secure management of cryptographic keys and confidential data within AWS. Its deployment is crucial for controlling node configurations and securing secrets such as API keys, limited to the node’s admin user.


  • Manages and safeguards cryptographic keys.
  • Restricts node configuration control to node admin users.
  • Holds the envelope key for MPC nodes, crucial for runtime security.



To ensure the highest security level, deploy KMS stacks in separate AWS accounts from the node infrastructure, with a strong recommendation for each KMS stack to reside in its own account.


Before installing the KMS stack, ensure that you have done the following:

  • AWS Account ID: Confirm the AWS Account ID where the core nodes and additional nodes will be deployed.
  • Namespace: Choose a Namespace for the Builder Vault.
  • Node Index: Identify the node index that each KMS stack will secure.

High-Level Deployment Sequence

  1. Determine the AWS account for Node infrastructure deployment, as the AccountId will be a stack parameter for each KMS stack.
  2. Initiate KMS Stack deployment via the AWS CloudFormation console using this link.
  3. Configure the parameters:
    1. Set the BuilderVaultAWSAccount parameter to match the AWS Account ID designated for node infrastructure deployment.
    2. Adjust the NodeIndex to correspond with the node’s index (1 and 2 for core nodes, 3 or above for additional nodes).
    3. Note down the Namespace value, ensuring consistency with subsequent core node stack deployments.
  4. Submit the Cloudformation changeset.

High-level Deployment Diagram

Following CloudFormation changeset execution, the stack deploys with:

  1. An S3 bucket for configuration and audit logs.
  2. A KMS key paired with an AWS Nitro policy enables encryption and decryption.
  3. A signing key secret is used for configuration signing and verification.
  4. A Config Signing Lambda for automated configuration signing.
  5. An API Key secret for secure SDK requests.
  6. An Encryptor Master Password for node database encryption.
  7. A Custom Resource for initializing and populating secrets.