SpaceComputer Secure Key Management Services Beyond the Cloud

Key management services (KMSs) are foundational to modern cryptographic infrastructure. At SpaceComputer we are building KMS services beyond terrestrial cloud infrastructure.

Key management services (KMSs) are foundational to modern cryptographic infrastructure. KMSs provide secure ways to create, store, manage, and handle access to cryptographic keys for encrypting and decrypting data. As the sensitivity and scope of key material continues to grow across Web3 and beyond, so does the need for key infrastructure that offers verifiability by design, and security guarantees beyond the walls of a data center.

We are building SpaceComputer’s key management services to meet this need. We’re offering custodial KMS grounded in hardware-attested trusted execution, designed with a clear architectural path from centralized to distributed threshold cryptography, and ultimately space-native key infrastructure.

Technical Foundation

In the early phase, SpaceComputer KMS executes all key operations inside Intel TDX Trusted Execution Environments (TEEs) or a hardware security module (HSM). In general, key material is generated, stored, and processed within hardware-attested and isolated computers. In the case of TEEs, remote attestation enables any integrating party to independently verify the integrity of the environment handling their keys, establishing trust via cryptographic proofs instead of contractual agreements. Our unique architecture can operate not only in on-Earth environments, but can also be migrated to a space-based KMS. This guides our design choices and requires us to build our unique approach.

The service exposes an API fully compatible with established KMS solutions, with incoming GCP compatibility planned alongside our participation in the Google for Startups Cloud Program. 

Organizations currently relying on, e.g., AWS KMS can migrate to SpaceComputer with minimal integration effort. Our goal is to make the transition as close to a drop-in replacement as possible, removing friction for teams evaluating stronger trust guarantees for their key material.

Initially supported cryptographic primitives will include broad support for elliptic curve schemes commonly used in industry. A full specification table covering supported signing and encryption schemes will be published alongside our developer documentation.

Architectural Roadmap

SpaceComputer KMS is designed for progressive decentralization: each phase of the roadmap builds stronger trust guarantees through a stable API for integration.

Currently, SpaceComputer operates KMS as an Earth-based service secured by an Intel TDX TEE, and works with integration partners through a secure API. Partners interface with our infrastructure without managing the underlying key operations. All cryptographic processing occurs on SpaceComputer's infrastructure, with hardware attestation providing verifiability from the outset. A similar KMS solution will be enabled by our first satellite, which will be launched later this year. Stay tuned for more!

In the next phase, we will distribute KMS operations across multiple selected parties using Threshold Cryptography. Each party will run a partial signer inside their own TEE. Under this model, no single participant, including SpaceComputer, holds sufficient key material to sign or decrypt unilaterally. SpaceComputer orchestrates the protocol while cryptographic control is shared across all signers. TEE attestation at every node ensures that verifiability is preserved throughout the distributed signing process.
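The threshold model described above can be sketched as follows. This is an added example, not SpaceComputer's code: the post does not name its threshold scheme, so the sketch assumes a BLS-style exponentiation signature over a toy safe-prime group (P = 2039, Q = 1019) with a trusted dealer, and all function names are hypothetical. It shows partial signers that each use only their own share and an orchestrator that combines partial signatures without ever holding the key.

```python
import hashlib
import secrets

# Toy group (assumption, far too small for real use): P = 2Q + 1 is a safe
# prime, so the squares mod P form a subgroup of prime order Q.
P, Q = 2039, 1019

def hash_to_group(msg: bytes) -> int:
    """Map a message to a subgroup element of order Q (never 0 or 1)."""
    x = int.from_bytes(hashlib.sha256(msg).digest(), "big") % (P - 3) + 2
    return pow(x, 2, P)

def deal_shares(secret: int, t: int, n: int) -> dict:
    """Shamir-share `secret` mod Q: random degree t-1 polynomial, share i = f(i)."""
    coeffs = [secret % Q] + [secrets.randbelow(Q) for _ in range(t - 1)]
    return {i: sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q
            for i in range(1, n + 1)}

def partial_sign(share: int, msg: bytes) -> int:
    """Runs inside one signer: only that signer's share is touched."""
    return pow(hash_to_group(msg), share, P)

def lagrange_at_zero(i: int, ids: list) -> int:
    """Lagrange coefficient for index i, evaluated at x = 0, mod Q."""
    num = den = 1
    for j in ids:
        if j != i:
            num = num * (-j) % Q
            den = den * (i - j) % Q
    return num * pow(den, -1, Q) % Q

def combine(partials: dict, t: int) -> int:
    """Orchestrator: sees partial signatures only, never a share or the key."""
    if len(partials) < t:
        raise ValueError("fewer than t partial signatures: cannot sign")
    ids = sorted(partials)[:t]
    sig = 1
    for i in ids:
        # Interpolation happens in the exponent: product of s_i^lambda_i.
        sig = sig * pow(partials[i], lagrange_at_zero(i, ids), P) % P
    return sig

def demo() -> bool:
    """Constructed 3-of-5 run: any 3 signers give the full-key signature."""
    key, msg = 777, b"constructed sample message"
    shares = deal_shares(key, t=3, n=5)
    parts = {i: partial_sign(s, msg) for i, s in shares.items()}
    full = pow(hash_to_group(msg), key, P)  # known only to the demo's dealer
    return combine({i: parts[i] for i in (2, 4, 5)}, 3) == full

if __name__ == "__main__":
    print("3-of-5 combine matches full-key signature:", demo())
```
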

Space-Native Infrastructure. Looking further ahead, SpaceComputer is laying the groundwork for hybrid Earth/space key storage, progressing toward a fully space-native KMS. With a satellite launch destined for later this year, we are preparing key infrastructure that extends beyond terrestrial boundaries. Initial orbital deployment will operate as a hardened proof-of-concept, with production readiness contingent on extended testing and validation in orbit.

DataHaven, The First Integration Partner

DataHaven is the first platform integrating SpaceComputer KMS into its stack. DataHaven users who store encrypted data on the platform will be able to select SpaceComputer KMS as their key storage provider alongside existing options.

All KMS operations are executed on SpaceComputer's side, with DataHaven interfacing exclusively through the API. This separation ensures that storage and key security remain architecturally distinct.

Testing is underway, with initial integration workflows expected in the coming weeks.

Looking Ahead for KMS

We are finalizing integration partnerships with a few more infrastructure providers who will participate as distributed signers in the threshold cryptography phase. These partnerships will mark an important step in removing single-operator trust assumptions from the KMS architecture.

Developer documentation and a complete API reference are in progress and will be released in March 2025, ahead of broader integration availability.

For teams requiring verifiable, sovereign key management, or for organizations interested in integration, we welcome you to reach out at services@spacecomputer.io

SpaceComputer KMS is one component of a broader vision: a cryptographic infrastructure that is verifiable and built to operate beyond the constraints of terrestrial trust models. Stay tuned, more is coming soon.

