Seal & Unseal
Seal/unseal protects the master key that encrypts validator private keys in the DynamoDB key source. The master key is never stored in plaintext. It is reconstructed in memory from KMS-protected Shamir shares, then zeroized again when the signer is sealed or stopped.
This system only applies to the DynamoDB key source. Filesystem keystores load at startup and do not use the chamber master key.
For commands, use the Seal & Unseal Operations Guide. For request bodies and response schemas, use the API Reference.
| Mode | Restart behavior | Security tradeoff |
|---|---|---|
| KMS-only | The signer reconstructs the master key automatically from KMS shares. | Best operational simplicity. AWS IAM and KMS policy are the primary boundary. |
| Operator quorum | KMS decrypts an outer layer, then operators submit passphrases to reconstruct the unseal key. | Adds human approval. A KMS or IAM compromise alone is not enough to unseal. |
| Nitro Enclave auto-unseal | A previously unsealed enclave can create an attested auto-unseal blob for later restarts. | Enables unattended restarts while binding release of key material to enclave measurements. |
Use KMS-only when availability and automated restarts matter most. Use operator quorum when you want human-in-the-loop custody. Use Nitro Enclave mode when you want decrypted keys isolated from the parent EC2 instance and KMS release bound to attestation.
State Machine
Signing is available only in unsealed and awaiting_rotation. All other states return 503 for signing requests.
KMS-Only Mode
In KMS-only mode, the chamber:
- Generates a random 256-bit master key during initialization.
- Splits it into Shamir shares.
- Encrypts each share with a configured AWS KMS key.
- Stores the encrypted shares in the state backend.
- Reconstructs the master key automatically on restart when enough KMS keys are reachable.
This mode is appropriate when your AWS account controls are the main security boundary and the signer must recover without human action.
Operator Quorum Mode
Operator quorum adds a second layer. KMS decrypts the stored material first, but signing remains unavailable until enough operators submit passphrases.
Each operator passphrase encrypts that operator’s unseal share. Operators can register multiple credentials for the same share, such as a password and a YubiKey challenge-response credential. During unseal, no credential ID is required; the chamber tries the operator’s registered credentials and accepts the first one that decrypts the share.
Nitro Enclave Auto-Unseal
In Nitro Enclave mode, the chamber can store an auto-unseal blob after a successful unseal. On restart, the enclave attempts to use that blob before falling back to the normal operator ceremony.
The security boundary is AWS KMS attestation enforcement. KMS policies must require kms:RecipientAttestation so key material is released only to an enclave with the expected measurements. PCR binding detects drift, but the KMS policy is what prevents a compromised parent instance from decrypting the key material directly.
See Nitro Enclave Overview and KMS Policy for the enclave-specific details.
Rotation
While unsealed, operators can rotate:
- KMS keys and threshold.
- Operator set and quorum threshold.
- Mode, between KMS-only and operator quorum.
Signing continues during rotation. The signer enters awaiting_rotation, accepts signing requests, and returns to unsealed when the new configuration is committed.
Security Properties
| Property | Mechanism |
|---|---|
| Master key at rest | Never stored plaintext; KMS-wrapped Shamir shares |
| Master key in memory | Held only while unsealed and zeroized on seal/drop |
| Operator passphrases | Never stored; used to derive encryption keys for shares |
| Token comparison | Timing-safe comparison |
| Wrong share detection | HMAC verification after reconstruction |
| Emergency stop | operator seal zeroizes the master key and blocks new signing |
For day-to-day commands, see the operations guide.