Enclave-isolated keys, multi-tenant, post-quantum-aware.
Signet KMS is the portfolio-wide, post-quantum-aware key-management service: a multi-tenant KMS whose most sensitive operations run inside a confidential-computing enclave, so plaintext key material never leaves a hardware-isolated boundary. Every caller is bound to its own tenant by mutual TLS, sensitive operations can require M-of-N quorum approval, keys can be federated across organisations, and every operation emits a signed, four-layer attestation bundle.
A TEE worker models the Nitro Enclave boundary: key unwrap, re-seal and HMAC happen inside it, so plaintext key material never crosses the enclave.
Key-encryption keys, data-encryption keys and signing keys, sharded per tenant for hard isolation.
Mutual TLS with a certificate SAN URI bound to the tenant, so a caller can only ever reach its own keys.
M-of-N quorum approval for sensitive operations, plus cross-organisation key federation.
Every operation emits a four-layer signed bundle (identity, policy, decision, commitment) for independent audit.
Deploys to AWS Nitro, Azure Confidential and GCP Confidential VMs, or an on-prem PKCS#11 HSM.
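The two controls described above, tenant binding from the client certificate's SAN URI and the four-layer audit bundle, as an added example that is not Signet's own code: the `urn:example-kms:tenant:` URI form, the bundle layout and the HMAC standing in for the enclave's signature are all assumptions, and the certificate dicts use the shape Python's `ssl` module returns from `getpeercert()`.

```python
"""Tenant binding from a peer cert's SAN URI plus a signed four-layer audit bundle.
Added example; URI form, bundle layout and HMAC-for-signature are assumptions."""
import hashlib
import hmac
import json

# Assumed convention: the tenant id is carried in exactly one SAN URI of this form.
TENANT_URI_PREFIX = "urn:example-kms:tenant:"

# Constructed inputs, in the dict shape ssl.SSLSocket.getpeercert() returns.
CERT_TENANT_A = {"subjectAltName": (("DNS", "svc.a.example"), ("URI", TENANT_URI_PREFIX + "tenant-a"))}
CERT_NO_TENANT = {"subjectAltName": (("DNS", "svc.example"),)}
KEY_OF_TENANT_B = {"key_id": "kek-0001", "tenant": "tenant-b"}
AUDIT_KEY = b"constructed-audit-mac-key"  # stands in for the enclave's signing key

def _canon(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def tenant_from_peer_cert(cert: dict) -> str:
    """Return the single tenant id named by the certificate; fail closed otherwise."""
    uris = [v for kind, v in cert.get("subjectAltName", ()) if kind == "URI"]
    tenants = {u[len(TENANT_URI_PREFIX):] for u in uris if u.startswith(TENANT_URI_PREFIX) and len(u) > len(TENANT_URI_PREFIX)}
    if len(tenants) != 1:  # no tenant URI, or an ambiguous cert naming several tenants
        raise PermissionError(f"expected one tenant URI, found {len(tenants)}")
    return tenants.pop()

def authorize_key_access(cert: dict, key_record: dict, audit_key: bytes = AUDIT_KEY) -> dict:
    """Allow only same-tenant access and emit the signed identity/policy/decision/commitment bundle."""
    try:
        caller = tenant_from_peer_cert(cert)
        allowed = caller == key_record["tenant"]
        reason = "tenant match" if allowed else "cross-tenant access denied"
    except PermissionError as exc:
        caller, allowed, reason = None, False, str(exc)
    layers = [
        {"layer": "identity", "tenant": caller, "san": cert.get("subjectAltName", ())},
        {"layer": "policy", "rule": "key.tenant == caller.tenant"},
        {"layer": "decision", "key_id": key_record["key_id"], "allowed": allowed, "reason": reason},
    ]
    # The commitment binds the first three layers; the MAC then covers all four.
    layers.append({"layer": "commitment", "sha256": hashlib.sha256(_canon(layers)).hexdigest()})
    return {"bundle": layers, "mac": hmac.new(audit_key, _canon(layers), "sha256").hexdigest()}

def verify_bundle(signed: dict, audit_key: bytes = AUDIT_KEY) -> bool:
    """An auditor's check: MAC over all four layers, and commitment over the first three."""
    layers = signed["bundle"]
    mac_ok = hmac.compare_digest(signed["mac"], hmac.new(audit_key, _canon(layers), "sha256").hexdigest())
    commit_ok = layers[3]["sha256"] == hashlib.sha256(_canon(layers[:3])).hexdigest()
    return mac_ok and commit_ok
```

A denied request still produces a verifiable bundle, so cross-tenant attempts and malformed certificates are auditable rather than silent.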