Cryptography

Google Cloud KMS

Also known as: GCP KMS, Cloud Key Management Service

Google Cloud's key-management service — the HSM-backed vault that holds every LearnCoin tenant's signing key.

Google Cloud KMS is a managed key-management service. Every LearnCoin tenant's secp256k1 signing key is provisioned inside GCP KMS with protectionLevel: HSM, meaning the private key material lives inside a FIPS 140-2 Level 3 Hardware Security Module and never leaves it.

The LearnCoin signing worker calls asymmetricSign with a 32-byte SHA-256 digest of a canonicalized credential; KMS returns a DER-encoded ECDSA signature. Application code never holds the private key. Key compromise requires compromising the HSM itself, which is the specific threat model FIPS 140-2 Level 3 addresses.

Per-tenant keys mean a compromise of one tenant's key doesn't cascade. KMS also handles access control (who can invoke asymmetricSign), audit logging (every signing call is logged to Cloud Audit Logs), and key rotation (we can issue a new verificationMethod fragment and move future signing to it without invalidating old credentials).
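The digest-in, DER-signature-out boundary described above, as an added example that is neither LearnCoin's nor Google's code. It assumes a canonical form the page does not specify (JSON with sorted keys and no whitespace), uses a constructed tenant key with a pure-Python secp256k1 stand-in for the HSM so it runs offline, and keeps the production call shape in kms_sign_digest (the google-cloud-kms Python client's asymmetric_sign with a placeholder key-version resource name), which is never invoked here. Everything the application side needs, the digest, the DER parser and the verifier, works from the public key alone.

```python
import hashlib, json, secrets

# secp256k1 domain parameters (the curve of the tenant signing keys)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(p, q):
    """Affine point addition on y^2 = x^3 + 7 (None is the point at infinity)."""
    if p is None: return q
    if q is None: return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2:
        if (y1 + y2) % P == 0: return None            # p == -q
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P    # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P      # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def _mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    r = None
    while k:
        if k & 1: r = _add(r, pt)
        pt, k = _add(pt, pt), k >> 1
    return r

def canonicalize(credential: dict) -> bytes:
    """ASSUMED canonical form: JSON with sorted keys and no whitespace."""
    return json.dumps(credential, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode()

def credential_digest(credential: dict) -> bytes:
    """The 32-byte SHA-256 digest, the only thing the signer ever receives."""
    return hashlib.sha256(canonicalize(credential)).digest()

def _der_int(v: int) -> bytes:
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80: b = b"\x00" + b                   # keep the INTEGER positive
    return b"\x02" + bytes([len(b)]) + b

def der_encode(r: int, s: int) -> bytes:
    """SEQUENCE { INTEGER r, INTEGER s }: the encoding Cloud KMS returns for ECDSA."""
    body = _der_int(r) + _der_int(s)
    return b"\x30" + bytes([len(body)]) + body

def der_decode(sig: bytes):
    """Strict parse of a short-form DER ECDSA signature; rejects trailing bytes."""
    if len(sig) < 8 or sig[0] != 0x30 or sig[1] != len(sig) - 2:
        raise ValueError("not a DER SEQUENCE of the stated length")
    i, vals = 2, []
    for _ in range(2):
        if i + 2 > len(sig) or sig[i] != 0x02: raise ValueError("expected INTEGER")
        ln, val = sig[i + 1], sig[i + 2:i + 2 + sig[i + 1]]
        if ln == 0 or len(val) != ln: raise ValueError("bad INTEGER length")
        vals.append(int.from_bytes(val, "big"))
        i += 2 + ln
    if i != len(sig): raise ValueError("trailing bytes")
    return vals[0], vals[1]

def kms_sign_digest(key_version_name: str, digest: bytes) -> bytes:
    """Production path (network call, not exercised offline): Cloud KMS asymmetricSign.
    key_version_name is a placeholder resource name, e.g.
    projects/PROJECT/locations/LOC/keyRings/RING/cryptoKeys/KEY/cryptoKeyVersions/1"""
    from google.cloud import kms                      # lazy import: production only
    client = kms.KeyManagementServiceClient()
    resp = client.asymmetric_sign(request={"name": key_version_name, "digest": {"sha256": digest}})
    return resp.signature                             # DER-encoded ECDSA signature

def hsm_stand_in_sign(priv: int, digest: bytes) -> bytes:
    """Offline stand-in for the HSM: raw ECDSA over the 32-byte digest, DER-encoded."""
    z = int.from_bytes(digest, "big")
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = _mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * priv) % N
        if r and s: return der_encode(r, s)

def verify(pub, digest: bytes, sig: bytes) -> bool:
    """What application code or a relying party does with only the public key."""
    try: r, s = der_decode(sig)
    except ValueError: return False
    if not (0 < r < N and 0 < s < N): return False
    w = pow(s, -1, N); z = int.from_bytes(digest, "big")
    pt = _add(_mul(z * w % N, G), _mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

def demo():
    """Constructed tenant key and credential; returns (valid, tampered_valid, digest_len)."""
    priv = secrets.randbelow(N - 1) + 1               # in production this never leaves the HSM
    pub = _mul(priv, G)                               # what getPublicKey would hand out
    cred = {"issuer": "did:example:tenant-a", "subject": "did:example:alice", "course": "sec-101"}
    digest = credential_digest(cred)
    sig = hsm_stand_in_sign(priv, digest)
    tampered = dict(cred, course="sec-999")
    return verify(pub, digest, sig), verify(pub, credential_digest(tampered), sig), len(digest)

if __name__ == "__main__":
    print(demo())
```

Two points the split makes visible: the signer only ever sees a 32-byte digest, so a worker that can be talked into signing an attacker-chosen digest is the realistic risk, which is why the IAM grant to call asymmetricSign and the Cloud Audit Logs entries for those calls matter more than the curve arithmetic; and the verifier needs nothing but the public key, so a strict DER parser that rejects malformed or trailing bytes is the only signature-handling code the application has to get right.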

Updated 2026-04-20