Feature: Add KMS signer backend #3163
Description
Summary
Add a cloud KMS implementation of the Signer interface (pkg/signer/signer.go) so operators can manage signing keys in AWS KMS, GCP Cloud KMS, etc. instead of keeping encrypted key files on disk.
Context
The signer package already has a clean interface:
type Signer interface {
Sign(message []byte) ([]byte, error)
GetPublic() (crypto.PubKey, error)
GetAddress() ([]byte, error)
}Today there are two implementations: file (AES-encrypted Ed25519 key on disk) and noop (in-memory, for testing). The config supports signer_type (file, grpc), which can be extended to awskms, gcpkms, etc.
For production deployments, keeping private keys on disk—even encrypted—is a significant operational risk. A KMS backend would let the key material live in a hardware-backed cloud service, with signing happening remotely via API.
Rough approach
- Add a new package, e.g.
pkg/signer/kms/, implementingsigner.Signer. - The KMS signer calls the cloud provider's signing API in
Sign()and caches the public key from the KMS key metadata forGetPublic()/GetAddress(). - Wire the new type into
SignerConfigand the node startup path. - Start with one provider (AWS KMS is a natural first choice), add GCP/Azure later.
Things to figure out
- Ed25519 support varies by provider — AWS KMS added it relatively recently. Need to verify compatibility with libp2p's
crypto.PubKey. - Auth configuration (region, credentials, key ARN/ID) — likely new config fields under
signer.*. - Whether to vendor a cloud SDK or use a lighter-weight approach.