Signing Transactions with Amazon KMS

Hi Friends!

We would like to use a private key for a wallet in Amazon KMS. This tool generates the key inside, and then we can send data to it to be signed, for example a serialized transaction.

KMS seems to support the key type ECC_SECG_P256K1 with ECDSA_SHA_256 signing.

SUI allows the seemingly corresponding secp256k1 key type.

However, it is said that since recent changes, transactions are hashed with blake2b before signing.

Meanwhile, KMS seemingly uses sha256 for the same purpose. Hence the signature is wrong.

Is there a way to change the hashing method?

2 Likes
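An added example, not part of the original thread or of any project's code: it prepares the 32-byte Blake2b digest that would be handed to KMS as a RAW message, and converts the DER signature KMS returns into fixed-width r||s with low s. It assumes that Sui's verifier applies SHA-256 internally to that Blake2b digest and requires the low-s form, and that the intent prefix is three zero bytes; the function names and sample bytes are constructed for illustration.

```python
import hashlib

# Order of the secp256k1 group (public curve constant).
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
# Assumed Sui intent prefix: scope TransactionData, version 0, app id Sui.
INTENT_PREFIX = bytes([0, 0, 0])


def sui_signing_digest(tx_bytes: bytes) -> bytes:
    """Blake2b-256 over intent || BCS transaction bytes (the external hash)."""
    return hashlib.blake2b(INTENT_PREFIX + tx_bytes, digest_size=32).digest()


def _read_der_int(buf: bytes, pos: int) -> tuple[int, int]:
    """Read one short-form DER INTEGER at pos; return (value, next position)."""
    if pos + 2 > len(buf) or buf[pos] != 0x02:
        raise ValueError("expected DER INTEGER")
    end = pos + 2 + buf[pos + 1]
    if buf[pos + 1] == 0 or end > len(buf):
        raise ValueError("bad INTEGER length")
    return int.from_bytes(buf[pos + 2:end], "big"), end


def der_to_raw_low_s(der: bytes) -> bytes:
    """DER ECDSA signature (as KMS Sign returns) -> 64-byte r||s with low s."""
    if not 8 <= len(der) <= 72 or der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER SEQUENCE")
    r, pos = _read_der_int(der, 2)
    s, pos = _read_der_int(der, pos)
    if pos != len(der) or not (0 < r < N and 0 < s < N):
        raise ValueError("malformed or out-of-range signature")
    if s > N // 2:  # (r, N - s) is equally valid; keep the low-s form
        s = N - s
    return r.to_bytes(32, "big") + s.to_bytes(32, "big")


if __name__ == "__main__":
    digest = sui_signing_digest(b"constructed-bcs-tx-bytes")  # constructed input
    # With boto3 (not run here), this digest would be the Message:
    #   kms.sign(KeyId=KEY_ID, Message=digest, MessageType="RAW",
    #            SigningAlgorithm="ECDSA_SHA_256")["Signature"]
    # KMS then signs SHA-256(digest), i.e. SHA-256 over the Blake2b output.
    print("message for KMS:", digest.hex())
    # Constructed DER signature with a high s value, standing in for KMS output.
    der = (b"\x30\x45\x02\x20" + bytes([0x11]) * 32
           + b"\x02\x21\x00" + (N - 5).to_bytes(32, "big"))
    print("raw r||s, low s:", der_to_raw_low_s(der).hex())
```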

I’ve heard of at least one team leveraging AWS Nitro Enclaves. Perhaps that's the route? I’m not savvy enough to know.

1 Like

Thank you for the interesting note, honestly I had never heard of “Nitro Enclaves” before 🙂 I just read around a bit - it seems like also a useful thing we should not overlook when minting a custom cryptocurrency - though seemingly it itself wants to be integrated with KMS to store keys there anyway, so the original question is yet to be investigated further… I’m on it, shall update if anything becomes clear 🙂

1 Like