# Key management

Andromeda never stores the private material for the keys it uses to sign things on its own behalf. Those keys live in a key management service (KMS) with sign-only policies; Andromeda calls the KMS's sign operation and never reads the key.

## The keys

There are two of them, kept separate:

* **Audit-log signing key (ed25519).** Signs each entry in a tenant's [audit log](/hub/andromeda/guides/audit-log.md) hash chain. The corresponding public key is published so anyone can verify the log without trusting Andromeda.
* **FHE-decision authority key (ed25519).** Signs the confidential decisions that the on-chain [`fhe-gated`](/hub/andromeda/guides/deploy-policy/fhe-gated.md) policy validates. The policy holds an allowlist of accepted decision keys on-chain; a decision signed by anything else is rejected.

Each key has its own sign-only policy in the KMS and its own access credential, so the audit path and the FHE path are isolated from each other.

## What Andromeda holds outside the KMS

* The **gas-sponsor keypair**, used to pay Solana fees and act as fee payer on transactions Andromeda assembles for the flows it controls. It is never an authority over a dWallet and never the "user" from an on-chain program's point of view. See [Custody-free design](/hub/andromeda/security/custody-free.md).
* **API keys**, stored only as SHA-256 hashes; the raw key is shown once at creation.

## What Andromeda never holds

* A complete dWallet private key (Ika 2PC-MPC splits it).
* The private material of the two KMS-held keys above.
* Any private key for the Encrypt surface (those transactions are signed client-side).

## Why this design

* A compromise of the API does not yield the audit-signing key, so a tampered log is still detectable.
* A compromise of the API does not yield the FHE-decision key, so a forged decision still fails the on-chain check.
* The gas-sponsor key, even if it leaked, cannot move user funds or override a policy; it can only pay fees.
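
The first point can be seen end to end in a small sketch, added here as an illustration and not taken from Andromeda's code: a signer that exposes only a sign operation, and a verifier that walks an ed25519-signed hash chain with nothing but the public key. The entry layout (`seq`, `prevHash`, `payload`, `sig`), the all-zero genesis hash and the helper names are assumptions; the real format is whatever the audit-log guide defines.

```javascript
const crypto = require('crypto');

// Assumed layout (not Andromeda's documented format): {seq, prevHash, payload, sig}.
const GENESIS = '0'.repeat(64); // assumed prevHash of the first entry

// SHA-256 over an assumed canonical encoding of one entry.
function entryDigest(seq, prevHash, payload) {
  return crypto.createHash('sha256')
    .update(JSON.stringify([seq, prevHash, payload])).digest();
}

// Stand-in for the KMS: the private key stays inside the closure and only a
// sign operation and the public key are exposed (a sign-only policy).
function makeSignOnlyKms() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  return { publicKey, sign: (digest) => crypto.sign(null, digest, privateKey) };
}

// Writer side: link the entry to its predecessor, then ask the KMS to sign.
function appendEntry(log, kms, payload) {
  const seq = log.length;
  const last = log[seq - 1];
  const prevHash = last
    ? entryDigest(last.seq, last.prevHash, last.payload).toString('hex')
    : GENESIS;
  const sig = kms.sign(entryDigest(seq, prevHash, payload)).toString('base64');
  log.push({ seq, prevHash, payload, sig });
}

// Verifier side: needs only the published public key. Returns the index of
// the first entry that fails, or -1 when every entry checks out.
function verifyLog(log, publicKey) {
  let expectedPrev = GENESIS;
  for (let i = 0; i < log.length; i++) {
    const e = log[i];
    const digest = entryDigest(e.seq, e.prevHash, e.payload);
    const sigOk = crypto.verify(null, digest, publicKey, Buffer.from(e.sig, 'base64'));
    if (e.seq !== i || e.prevHash !== expectedPrev || !sigOk) return i;
    expectedPrev = digest.toString('hex');
  }
  return -1;
}

// Constructed sample log: verify it intact, then after an in-place edit.
function demo() {
  const kms = makeSignOnlyKms();
  const log = [];
  for (const action of ['policy.create', 'policy.update', 'key.rotate']) {
    appendEntry(log, kms, { actor: 'tenant-a', action });
  }
  const intact = verifyLog(log, kms.publicKey);
  log[1].payload = { actor: 'tenant-a', action: 'policy.delete' };
  return [intact, verifyLog(log, kms.publicKey)];
}
console.log(demo());
```

In this sketch an edited entry, a removed middle entry and an entry re-signed with a different key all fail at the first affected index; dropping entries from the end of the log is outside what it checks.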

The KMS configuration itself (policies, credentials, rotation) is an operational concern and is not part of this documentation.

