Introduction
Applications running inside Oyster CVM are evolving with increased developer engagement. As they evolve, several requirements have emerged. One of these is the use of cryptographic keys within the Oyster CVM. These keys can be used for encrypted secret sharing, blockchain wallets, and message signing.
Oyster CVM already generates a randomized private key on boot. This key is unique to each Oyster CVM instance and exists only for as long as that instance is running.
Some applications require the secret key to persist even after the Oyster CVM is terminated. For example, a blockchain wallet should remain usable across Oyster CVM restarts. Oyster KMS aims to address this issue.
Features
- Applications running in Oyster CVM can retrieve secrets from the KMS service
- External users can obtain public keys from the KMS service for encryption purposes
- Secrets remain accessible even after an Oyster CVM restart
- The same secret can be shared across multiple CVM instances running the same application
- Secrets persist after application upgrades, which are managed by smart contracts
Security Guarantees
- Secrets are accessible only to authorized applications running in Oyster CVMs
- Secrets are protected from third parties, eavesdroppers, CVM hosts, and other CVM applications