Key Management (KMS)
Enterprise key management — secrets, certificates, cryptographic keys, SSH keys, AI access control, and MPC integration.
Lux KMS
Lux KMS is the enterprise key management service for the Lux Financial platform. It manages secrets, certificates, cryptographic keys and SSH keys, and provides AI access control and MPC signer integration. Key material is held in encrypted storage backed by an HSM or the MPC signer layer, so callers receive signatures and wrapped values rather than raw private keys.
Architecture
```
┌──────────────────────────────────────────────────────┐
│                       Lux KMS                        │
│  ┌──────────┬──────────┬───────────┬──────────────┐  │
│  │ Secrets  │  Certs   │   Keys    │  AI Access   │  │
│  │ Manager  │ Manager  │  Manager  │   Control    │  │
│  └────┬─────┴────┬─────┴─────┬─────┴──────┬───────┘  │
│       │          │           │            │          │
│  ┌────▼──────────▼───────────▼────────────▼───────┐  │
│  │               Encrypted Storage                │  │
│  └─────────────────────┬──────────────────────────┘  │
│                        │                             │
│  ┌─────────────────────▼──────────────────────────┐  │
│  │          HSM / MPC Signer Integration          │  │
│  └────────────────────────────────────────────────┘  │
└──────────────────────────────────────────────────────┘
```

Features
Secret Types
| Type | Description | Use Cases |
|---|---|---|
| Secrets | Encrypted key-value pairs | API keys, database passwords, tokens |
| Certificates | X.509 certificate management | TLS, mTLS, code signing |
| Cryptographic Keys | Symmetric and asymmetric keys | Signing, encryption, key wrapping |
| SSH Keys | SSH key pair management | Server access, Git authentication |
| AI Access Control | AI model and API key management | LLM API keys, model access tokens |
Environment Scoping
Secrets are scoped to environments:
```
Production  → sk_live_xxx, DATABASE_URL (prod)
Staging     → sk_test_xxx, DATABASE_URL (staging)
Development → sk_dev_xxx,  DATABASE_URL (local)
```

Quick Start
SDK Integration
```javascript
import { LuxKMS } from '@luxfi/kms';

// The client is bound to one environment; a production client cannot read staging secrets.
const kms = new LuxKMS({
  apiKey: process.env.KMS_API_KEY,
  environment: 'production',
});
```

Secrets Management
```javascript
// Create a secret. The value is inline here for illustration only; in practice
// read it from a file or a pipe and never commit it to source control.
await kms.secrets.create({
  name: 'stripe-api-key',
  value: 'sk_live_xxx',
  environment: 'production',
  tags: ['payments', 'stripe'],
});

// Retrieve a secret. The console.log is for demonstration only: secret values
// must not be written to application logs.
const secret = await kms.secrets.get('stripe-api-key');
console.log(secret.value); // 'sk_live_xxx'

// List secrets, filtered by environment and tag
const secrets = await kms.secrets.list({
  environment: 'production',
  tags: ['payments'],
});

// Rotate a secret. The webhook tells consumers that cache the value to reload it.
await kms.secrets.rotate('stripe-api-key', {
  newValue: 'sk_live_yyy',
  notifyWebhook: 'https://api.yourbank.com/webhooks/secret-rotation',
});
```

Certificate Management
```javascript
// Generate a certificate. A wildcard SAN covers every host under the domain, so
// the private key of this certificate is usable for all of them; scope SANs as
// narrowly as the deployment allows.
const cert = await kms.certificates.create({
  commonName: 'api.yourbank.com',
  sans: ['api.yourbank.com', '*.yourbank.com'],
  validity: '365d',
  keyType: 'ECDSA_P256',
});

// Auto-renewal: renew 30 days before expiry so a failed attempt leaves time to retry.
await kms.certificates.enableAutoRenewal({
  certId: cert.id,
  renewBefore: '30d',
});
```

Cryptographic Keys
```javascript
// Generate a signing key (secp256k1 for EVM and Bitcoin transactions), rotated every 90 days
const key = await kms.keys.create({
  type: 'ECDSA_SECP256K1',
  usage: ['sign', 'verify'],
  rotation: '90d',
});

// Sign data. transactionHash is taken to be a 32-byte digest here; confirm whether
// the chosen algorithm hashes the message again before signing, because a
// double-hashed transaction hash produces a signature the chain will reject.
const signature = await kms.keys.sign({
  keyId: key.id,
  message: transactionHash,
  algorithm: 'ECDSA_SHA256',
});

// Verify signature with the same key
const valid = await kms.keys.verify({
  keyId: key.id,
  message: transactionHash,
  signature: signature,
});
```

HSM Integration
Supported HSMs
| HSM | Provider |
|---|---|
| AWS CloudHSM | Amazon Web Services |
| Azure Dedicated HSM | Microsoft Azure |
| Thales Luna | Thales Group |
| YubiHSM | Yubico |
```javascript
// Back key storage with an AWS CloudHSM cluster; the cluster ARN comes from the environment.
const kms = new LuxKMS({
  hsmProvider: 'aws-cloudhsm',
  clusterArn: process.env.HSM_CLUSTER_ARN,
});
```

MPC Signer Integration
Lux KMS integrates with Lux MPC for threshold signing: the key is generated as shares held by `parties` signers, any `threshold` of which can co-sign, so the full private key is never assembled in one place.
```javascript
// Generate a distributed key via MPC (2-of-3: any two parties can co-sign)
const wallet = await kms.mpc.generateWallet({
  chain: 'polygon',
  currency: 'USDC',
  threshold: 2,
  parties: 3,
});

// Sign with a threshold of the parties
const signature = await kms.mpc.sign({
  walletId: wallet.id,
  transaction: {
    to: recipientAddress,
    value: amount,
    data: transferData,
  },
});
```

Supported Protocols
| Protocol | Curve | Use Case |
|---|---|---|
| CGGMP21 | secp256k1 | Ethereum, Bitcoin, EVM chains |
| FROST | secp256k1 | Bitcoin Taproot |
| LSS | secp256k1 | Dynamic resharing |
AI Access Control
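The `rateLimit` and `budget` fields on an AI access token are per-period ceilings. The following is an added example, not code from the Lux KMS SDK or the Lux project: a local enforcer modelling the check a gateway in front of the model API would run before forwarding a call and after the bill for it is known. The field shapes (`rateLimit: { requests, period }`, `budget: { maxSpend, currency, period }`) follow this page; the `AiTokenEnforcer` class, the injected clock and the integer-cent accounting are assumptions made here.

```javascript
// Added example, not part of the Lux KMS SDK: a local enforcer for the limits an
// AI access token carries (requests per period, spend per period). The field
// shapes follow the page; the class, the injected clock and the integer-cent
// accounting are assumptions made here.

const PERIOD_MS = { s: 1000, m: 60_000, h: 3_600_000, d: 86_400_000 };

// "1h" -> 3600000 ms; anything outside <digits><s|m|h|d> is rejected.
function parsePeriod(period) {
  const m = /^(\d+)([smhd])$/.exec(period);
  if (!m) throw new Error(`bad period: ${period}`);
  return Number(m[1]) * PERIOD_MS[m[2]];
}

// "100.00" -> 10000 cents; integer arithmetic keeps the running total exact.
function toCents(amount) {
  const m = /^(\d+)(?:\.(\d{1,2}))?$/.exec(amount);
  if (!m) throw new Error(`bad amount: ${amount}`);
  return Number(m[1]) * 100 + Number((m[2] || '').padEnd(2, '0'));
}

class AiTokenEnforcer {
  constructor(token, now = Date.now) {
    this.now = now;
    this.rate = { max: token.rateLimit.requests, windowMs: parsePeriod(token.rateLimit.period), events: [] };
    this.budget = { maxCents: toCents(token.budget.maxSpend), windowMs: parsePeriod(token.budget.period), events: [] };
  }

  // Drop events that have slid out of a window (events are appended in time order).
  prune(bucket) {
    const cutoff = this.now() - bucket.windowMs;
    while (bucket.events.length && bucket.events[0].t <= cutoff) bucket.events.shift();
  }

  spentCents() {
    this.prune(this.budget);
    return this.budget.events.reduce((sum, e) => sum + e.cents, 0);
  }

  // Decide before forwarding: both ceilings must hold, counting this call's estimated cost.
  check(estimatedCostCents) {
    this.prune(this.rate);
    if (this.rate.events.length >= this.rate.max) return { allowed: false, reason: 'rate limit' };
    if (this.spentCents() + estimatedCostCents > this.budget.maxCents) return { allowed: false, reason: 'budget' };
    return { allowed: true, reason: 'ok' };
  }

  // Record a forwarded call with its actual cost once known.
  record(costCents) {
    const t = this.now();
    this.rate.events.push({ t });
    this.budget.events.push({ t, cents: costCents });
  }

  // Usage summary with the requests and cost fields the page's getUsage shows.
  usage() {
    this.prune(this.rate);
    return { requests: this.rate.events.length, cost: (this.spentCents() / 100).toFixed(2) };
  }
}

// Constructed scenario with a controllable clock: 3 requests per hour, $1.00 per day.
function demoEnforcer() {
  let clock = 0;
  const enforcer = new AiTokenEnforcer(
    { rateLimit: { requests: 3, period: '1h' }, budget: { maxSpend: '1.00', currency: 'USD', period: '1d' } },
    () => clock,
  );
  const decisions = [];
  const attempt = (cents) => {
    const d = enforcer.check(cents);
    if (d.allowed) enforcer.record(cents);
    decisions.push(d.reason);
  };
  for (let i = 0; i < 4; i++) attempt(30); // the 4th call trips the request ceiling
  clock += 3_600_001;                       // the hour window has slid; the day window has not
  attempt(30);                              // 90 + 30 cents exceeds $1.00 -> budget
  const midUsage = enforcer.usage();        // requests 0 (hour elapsed), cost "0.90"
  clock += 86_400_000;                      // the day has elapsed as well
  attempt(30);                              // both windows are clear again
  return { decisions, midUsage, finalUsage: enforcer.usage() };
}
```

The two windows are independent: the request ceiling resets hourly while spend is still counted against the day, which is why the fifth call is refused on budget even though the rate limit has cleared.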
Manage API keys and access tokens for AI models:
```javascript
// Create an AI access token with a request ceiling and a spend ceiling
const token = await kms.ai.createToken({
  model: 'claude-sonnet-4-20250514',
  scopes: ['chat', 'embeddings'],
  rateLimit: { requests: 1000, period: '1h' },
  budget: { maxSpend: '100.00', currency: 'USD', period: '1d' },
});

// Track usage
const usage = await kms.ai.getUsage(token.id);
// { requests: 450, tokens: 125000, cost: "12.50" }
```

Key Rotation
Automatic Rotation
```javascript
await kms.keys.configureRotation({
  keyId: key.id,
  interval: '90d',
  strategy: 'create-new', // or 'reencrypt'
  notifyWebhook: 'https://api.yourbank.com/webhooks/key-rotation',
});
```

Manual Rotation
```javascript
const newKey = await kms.keys.rotate(key.id);
// The old key remains active for verification until it expires
```

Audit Logging
All key operations are logged:
```javascript
const logs = await kms.audit.list({
  keyId: key.id,
  actions: ['create', 'sign', 'rotate', 'access'],
  from: '2025-01-01',
  to: '2025-11-30',
});
```

Access Control
Policies
```javascript
// Allow signing with treasury keys only from the internal network, with MFA,
// and below a per-operation amount ceiling (units as interpreted by the policy engine).
await kms.policies.create({
  name: 'treasury-signing',
  rules: [
    {
      action: 'sign',
      resource: 'key:treasury-*',
      conditions: {
        requireMFA: true,
        maxAmount: 1000000,
        allowedIPs: ['10.0.0.0/8'],
      },
    },
  ],
});
```
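A policy like the one above is only as safe as the engine that evaluates it, and the properties that matter are that evaluation is deny-by-default and that every condition fails closed when it cannot be evaluated. The following is an added example, not code from the Lux KMS SDK or the Lux project: a small evaluator for the policy shape on this page. The `action`, `resource`, `requireMFA`, `maxAmount` and `allowedIPs` names come from the page; the request shape (`mfaVerified`, `amount`, `sourceIp`), the glob and IPv4 CIDR matching and the `evaluate` function are assumptions made here.

```javascript
// Added example, not part of the Lux KMS SDK: a deny-by-default evaluator for the
// policy shape shown on this page. Request field names, glob matching and CIDR
// matching are assumptions made here.

// "key:treasury-*" -> /^key:treasury-.*$/ with every other regex metacharacter escaped.
function globToRegExp(pattern) {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
  return new RegExp(`^${escaped}$`);
}

function ipv4ToInt(ip) {
  const parts = String(ip).split('.');
  if (parts.length !== 4) throw new Error(`not an IPv4 address: ${ip}`);
  return parts.reduce((acc, p) => {
    const n = Number(p);
    if (!/^\d{1,3}$/.test(p) || n > 255) throw new Error(`not an IPv4 address: ${ip}`);
    return ((acc << 8) | n) >>> 0;
  }, 0);
}

// True when ip lies inside cidr ("10.0.0.0/8"; a bare address means /32).
function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split('/');
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) throw new Error(`bad prefix: ${cidr}`);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return (ipv4ToInt(ip) & mask) === (ipv4ToInt(net) & mask);
}

// A rule matches only if the action, the resource glob and every condition hold.
// Conditions that cannot be evaluated (missing amount, unparsable IP) fail closed.
function ruleMatches(rule, req) {
  if (rule.action !== req.action) return false;
  if (!globToRegExp(rule.resource).test(req.resource)) return false;
  const c = rule.conditions || {};
  if (c.requireMFA && req.mfaVerified !== true) return false;
  if (c.maxAmount !== undefined && !(Number.isFinite(req.amount) && req.amount <= c.maxAmount)) return false;
  if (c.allowedIPs) {
    let inside = false;
    try { inside = c.allowedIPs.some((cidr) => inCidr(req.sourceIp, cidr)); } catch { inside = false; }
    if (!inside) return false;
  }
  return true;
}

// Deny unless some rule in some policy fully matches; report which policy allowed it.
function evaluate(policies, req) {
  for (const policy of policies) {
    for (const rule of policy.rules) {
      if (ruleMatches(rule, req)) return { allowed: true, policy: policy.name };
    }
  }
  return { allowed: false, policy: null };
}

// The policy from this page, plus constructed requests exercising each condition.
const treasuryPolicy = {
  name: 'treasury-signing',
  rules: [
    {
      action: 'sign',
      resource: 'key:treasury-*',
      conditions: { requireMFA: true, maxAmount: 1000000, allowedIPs: ['10.0.0.0/8'] },
    },
  ],
};

function demoPolicy() {
  const base = { action: 'sign', resource: 'key:treasury-ops', mfaVerified: true, amount: 250000, sourceIp: '10.42.7.9' };
  const decide = (overrides) => evaluate([treasuryPolicy], { ...base, ...overrides }).allowed;
  return {
    ok: decide({}),
    noMfa: decide({ mfaVerified: false }),
    tooLarge: decide({ amount: 1000001 }),
    atLimit: decide({ amount: 1000000 }),
    outsideNet: decide({ sourceIp: '192.168.1.5' }),
    ipv6Source: decide({ sourceIp: '::1' }),
    otherKey: decide({ resource: 'key:payroll-1' }),
    otherAction: decide({ action: 'export' }),
    noAmount: decide({ amount: undefined }),
    anySuffix: decide({ resource: 'key:treasury-ops/anything' }), // the wildcard is greedy
  };
}
```

Two points the demo makes concrete: a request with no amount is refused rather than treated as zero, and `key:treasury-*` matches any suffix at all, so resource naming has to be disciplined for a wildcard rule to mean what its author intended.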