# Decentralized KMS

A decentralized key management system (DKMS) leverages cryptographic primitives and distributed ledger technology (DLT) to establish a trustless environment for managing cryptographic keys. Unlike centralized systems with a single point of control (see the image below, taken from Google Cloud), a DKMS employs a distributed network of nodes to perform key and randomness generation, protection, storage, exchange, replacement, and use through decentralized cryptographic mechanisms. This paradigm offers enhanced security by eliminating a central point of vulnerability. It ensures resilience through Byzantine Fault Tolerance (BFT) protocols, allowing the system to keep functioning even in the presence of malicious actors. Furthermore, a DKMS fosters transparency through immutable audit trails recorded on the DLT, giving users a verifiable and tamper-proof record of all key management operations.

![](/files/cFNK4u4o6eUMaPLFJxh7)

In the Ternoa DKMS there is no root master key (Figure 2); instead, each TEE's hardware acts as the key, because nobody has access to it. Whenever data is encrypted with a data encryption key (DEK), the DEK itself is encrypted with a key encryption key (KEK); in a conventional design a master key is then used to encrypt the set of KEKs. For extra security and forward secrecy, every key in Ternoa is temporary and only partially accessible. A helpful picture is a very secure hardware wallet: rather than locking it in a safe, Ternoa partitions it into smaller hardware wallets, each holding only part of the data. These partial wallets are replicated, so if one is lost the data can still be recovered from the other replicas. In addition, key rotation happens in all of them regularly, so even if a partial shard is stolen it becomes useless after a short time, and a shard that stays disconnected, isolated or outdated for a long time is slashed from the system.
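The partition-and-rotate pattern described above, as an added illustration rather than Ternoa's own code: a KEK is split into replicated shards so that any `t` of `n` recover it, and a proactive refresh keeps the key unchanged while making shards captured before a rotation useless. It assumes plain Shamir sharing over a prime field; the TEE protocol Ternoa actually runs is not described on this page.

```python
# Added illustration of threshold sharing with proactive refresh.
# Pure-Python Shamir secret sharing over a prime field; not Ternoa's code.
import secrets

P = 2**127 - 1  # Mersenne prime used as the field modulus; keys must be < P


def _eval(coeffs, x):
    """Evaluate the polynomial (constant term first) at x, modulo P."""
    acc = 0
    for c in reversed(coeffs):  # Horner's rule
        acc = (acc * x + c) % P
    return acc


def split(secret, n, t):
    """Split a secret into n shards {x: y}; any t of them recover it."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t - 1)]
    return {x: _eval(coeffs, x) for x in range(1, n + 1)}


def recover(shares):
    """Lagrange interpolation at x = 0 over a dict of at least t shards."""
    total = 0
    for xi, yi in shares.items():
        num, den = 1, 1
        for xj in shares:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def refresh(shares, t):
    """Proactive rotation: every shard holder contributes an independent
    sharing of zero and all holders add it to their shard. The secret is
    unchanged, but shards from before the rotation no longer combine with
    shards from after it, so a shard stolen earlier becomes useless."""
    n = len(shares)
    new = dict(shares)
    for _ in range(n):  # one zero-sharing per holder (constructed locally here)
        zero = split(0, n, t)
        new = {x: (y + zero[x]) % P for x, y in new.items()}
    return new
```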

