
Private Key Storage in Canton

App Development, 3 posts, 547 views, 2 likes, last activity Mar 2023
corey.todaro (OP)
Apr 2021

I understand that Canton uses private keys for its identity management service.

From the documentation on the implementation of the Identity Management Service, it appears there are a number of Identity Stores - but these are identity related and timestamped transactional stores.
But it’s unclear to me where and who stores a party’s private key.

Is a party’s key storage and management a component of a participant node? Is it external?

Separately, does Canton’s identity management service interact with Daml’s Ledger API auth functionality? If so, how?

davidpadbury
Apr 2021

Hi @corey.todaro,

Within Canton, it’s the participant that will have a private key, not the party. This key will be used for all parties the participant hosts. In our default setup these keys will just be stored in the database. We will potentially support storing keys elsewhere in the future (likely HSMs).

These keys are not used within the ledger-api authentication. You can find some details on how that is configured within Canton for participants and certificate usage here: Static Conf - JWT Authorization.

David.

Ianw1
Mar 2023

To update, Canton now supports use of HSM, see Security — Daml SDK 2.6.0 documentation.
