Cloud KMS Signers

A Cloud KMS signer uses a signing key generated and stored inside a cloud key management service — AWS KMS, Azure Key Vault, or GCP Cloud HSM. The key is non-extractable by design: no employee at your company (or at the cloud provider) can ever retrieve the raw key material. Cloud KMS signers support advanced enterprise security controls natively, including IP allowlisting, cloud IAM-based access policies, rate limiting, circuit breakers, and detailed audit logs and alerting. For a conceptual overview, see Cloud KMS in the Wallet Signers guide. To learn how to register additional operational signers on an existing wallet, see Registering a signer.

Google Cloud KMS
AWS KMS

How It Works

You create a signing key inside Google Cloud KMS — the private key never leaves Google’s hardware.
A Cloud Run function sits in front of KMS and signs transaction digests on demand.
The Crossmint SDK calls your Cloud Run function whenever the wallet needs to sign something.
The signature is converted from Google’s format to Ethereum’s format, and the Crossmint SDK uses it to complete the transaction.

That is it — your key stays in the HSM, and Crossmint never sees it.

What You Will Build

An asymmetric signing key in Google Cloud KMS (secp256k1)
A Cloud Run function that signs digests via KMS
A Crossmint server wallet using your KMS key as its signer

Prerequisites

A Google Cloud project with billing enabled
A Crossmint server API key
Node.js 18+

Set Up Google Cloud KMS

Enable the Cloud KMS API

Navigate to Cloud Key Management in the Google Cloud Marketplace and click Enable.

Create a Key Ring

Go to Security > Key Management in the Google Cloud Console and click Create Key Ring.

Key ring name: crossmint-keys (or your preferred name)
Location: Select a region, e.g. us-west1

Create an Asymmetric Signing Key

Inside your key ring, click Create Key with the following settings:

Setting	Value
Key name	`my-crossmint-wallet-key`
Protection level	HSM (Hardware Security Module)
Key material	HSM-generated key
Purpose	Asymmetric Sign
Algorithm	Elliptic Curve secp256k1 - SHA256 Digest

You must use the secp256k1 curve for EVM-compatible wallets. Other curves (e.g. P-256) will not produce valid Ethereum signatures.

Download the Public Key

Once the key is created, click on the key version, select Get Public Key, and download it in PEM format.

Save the contents — you will need this PEM string in later steps. It looks like:

-----BEGIN PUBLIC KEY-----
MFYwEAYHKoZIzj0CAQYFK4EEAAoDQgAE...
-----END PUBLIC KEY-----

Set Up IAM Permissions

Create a Service Account

Navigate to IAM & Admin > Service Accounts and create a new service account (e.g. kms-signer-sa).

Grant KMS Permissions

Assign the following role to the service account:

Role: Cloud KMS CryptoKey Signer/Verifier (roles/cloudkms.signerVerifier)

This follows the principle of least privilege — the service account can only sign and verify, not manage or destroy keys.

Deploy a Cloud Run Signing Function

This function receives a digest, signs it with your KMS key, and returns the DER-encoded signature.

Create a Cloud Run Function

Go to Cloud Run Functions and create a new function:

Name: kms-signer-function
Region: Same region as your key ring (e.g. us-west1)
Runtime: Node.js 18+
Authentication: Configure based on your security requirements

For production, restrict access to your Cloud Run function using IAM authentication or VPC Service Controls. Allowing unauthenticated access is only suitable for development.

Set Environment Variables

In the Cloud Run function settings, go to the Containers tab, expand Edit Container, then select the Variables & Secrets tab. Add the following environment variables. To get these values, use Copy resource name from the same key version actions menu where you downloaded the public key — it gives you a path like projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY_NAME/cryptoKeyVersions/VERSION.

Variable	Example Value
`PROJECT_ID`	`crossmint-test-462521`
`LOCATION`	`us-west1`
`KEY_RING`	`crossmint-keys`
`KEY_NAME`	`my-crossmint-wallet-key`
`VERSION`	`1`

Add the Function Code

Set the Function entry point to signDigest, then paste the following code:

index.js

const { KeyManagementServiceClient } = require("@google-cloud/kms");
const client = new KeyManagementServiceClient();

exports.signDigest = async (req, res) => {
    try {
        const { digest } = req.body;

        const keyName = client.cryptoKeyVersionPath(
            process.env.PROJECT_ID,
            process.env.LOCATION,
            process.env.KEY_RING,
            process.env.KEY_NAME,
            process.env.VERSION || "1"
        );

        const [signResponse] = await client.asymmetricSign({
            name: keyName,
            digest: { sha256: Buffer.from(digest, "hex") },
        });

        res.status(200).send({
            derSignature: Buffer.from(signResponse.signature).toString("hex"),
        });
    } catch (error) {
        res.status(500).send({ error: error.message });
    }
};

Add @google-cloud/kms to your function’s package.json dependencies:

Deploy and Test

Deploy the function and note the URL — you will need it in the next step.Test with a sample request:

curl -X POST https://YOUR_FUNCTION_URL \
  -H "Content-Type: application/json" \
  -d '{"digest": "abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890"}'

You should receive a JSON response containing a derSignature field.

Create and Use the Crossmint Wallet

Now wire everything together — convert your KMS public key to an Ethereum address, create a Crossmint wallet, and sign transactions through your Cloud Run function.

Install Dependencies

npm i @crossmint/wallets-sdk viem @peculiar/asn1-schema @peculiar/asn1-x509 buffer

Convert the KMS Public Key to an Ethereum Address

Google Cloud KMS returns public keys in PEM/DER format. This helper extracts the raw public key bytes and converts them to an Ethereum address using viem.

kms-utils.ts

import { publicKeyToAddress } from "viem/accounts";
import { AsnParser } from "@peculiar/asn1-schema";
import { SubjectPublicKeyInfo } from "@peculiar/asn1-x509";
import { Buffer } from "buffer";

export const publicKeyPem = `-----BEGIN PUBLIC KEY-----
YOUR_PUBLIC_KEY_HERE
-----END PUBLIC KEY-----`;

export function kmsPemToEthAddress(pem: string): `0x${string}` {
  const b64 = pem.replace(
    /-----BEGIN PUBLIC KEY-----|-----END PUBLIC KEY-----|\s+/g,
    ""
  );
  const der = Uint8Array.from(Buffer.from(b64, "base64"));
  const spki = AsnParser.parse(der, SubjectPublicKeyInfo);
  const publicKeyHex = `0x${Buffer.from(
    new Uint8Array(spki.subjectPublicKey)
  ).toString("hex")}` as `0x${string}`;
  return publicKeyToAddress(publicKeyHex);
}

Build the KMS Signing Function

Cloud KMS returns DER-encoded signatures. Ethereum requires r, s, v format with EIP-2 low-s normalization. This function handles the full conversion:

kms-signer.ts

import { hashMessage, recoverPublicKey } from "viem";
import { publicKeyToAddress } from "viem/accounts";
import { Buffer } from "buffer";
import { kmsPemToEthAddress, publicKeyPem } from "./kms-utils";

const KMS_SIGNER_URL = "https://YOUR_CLOUD_FUNCTION_URL";

const SECP256K1_N =
    0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141n;
const SECP256K1_HALF_N = SECP256K1_N / 2n;

function derToRS(derHex: string): { r: bigint; s: bigint } {
    const bytes = Buffer.from(derHex, "hex");
    let offset = 2; // skip 0x30 + length byte

    offset++; // skip 0x02 tag for r
    const rLen = bytes[offset++];
    const r = BigInt("0x" + bytes.slice(offset, offset + rLen).toString("hex"));
    offset += rLen;

    offset++; // skip 0x02 tag for s
    const sLen = bytes[offset++];
    const s = BigInt("0x" + bytes.slice(offset, offset + sLen).toString("hex"));

    return { r, s };
}

function bigintToHex(value: bigint): `0x${string}` {
    return `0x${value.toString(16).padStart(64, "0")}`;
}

export async function signWithKms(message: `0x${string}`): Promise<`0x${string}`> {
    const digest = hashMessage({ raw: message });

    const response = await fetch(KMS_SIGNER_URL, {
        method: "POST",
        headers: { "Content-Type": "application/json" },
        body: JSON.stringify({ digest: digest.slice(2) }),
    });

    if (!response.ok) {
        throw new Error(`KMS signing failed: ${response.statusText}`);
    }

    const { derSignature } = await response.json();
    let { r, s } = derToRS(derSignature);

    // EIP-2 low-s normalization
    if (s > SECP256K1_HALF_N) {
        s = SECP256K1_N - s;
    }

    const rHex = bigintToHex(r);
    const sHex = bigintToHex(s);
    const expectedAddress = kmsPemToEthAddress(publicKeyPem);

    // Recover v by trying both 27 and 28
    for (const v of [27n, 28n]) {
        const sig = `${rHex}${sHex.slice(2)}${
            v === 27n ? "1b" : "1c"
        }` as `0x${string}`;
        const recovered = publicKeyToAddress(
            await recoverPublicKey({ hash: digest, signature: sig })
        );
        if (recovered.toLowerCase() === expectedAddress.toLowerCase()) {
            return sig;
        }
    }

    throw new Error("Could not recover valid signature");
}

Create the Wallet

Use the KMS-derived Ethereum address as the wallet’s recovery signer. The recovery signer is used for wallet recovery and adding new signers — ideal for a server-held KMS key.

create-wallet.ts

import { CrossmintWallets, createCrossmint } from "@crossmint/wallets-sdk";
import { kmsPemToEthAddress, publicKeyPem } from "./kms-utils";
import { signWithKms } from "./kms-signer";

const crossmint = createCrossmint({
    apiKey: "YOUR_CROSSMINT_SERVER_API_KEY",
});
export const crossmintWallets = CrossmintWallets.from(crossmint);

const wallet = await crossmintWallets.createWallet({
    chain: "base-sepolia",
    recovery: {
        type: "external-wallet",
        address: kmsPemToEthAddress(publicKeyPem),
        onSign: async (message) => {
            return signWithKms(message as `0x${string}`);
        },
    },
    alias: "my-crossmint-wallet",
});

Use the Wallet

Once created, retrieve the wallet and use it to sign transactions. Here are a couple of examples:

use-wallet.ts

import { EVMWallet } from "@crossmint/wallets-sdk";
import { kmsPemToEthAddress, publicKeyPem } from "./kms-utils";
import { signWithKms } from "./kms-signer";
import { crossmintWallets } from "./create-wallet";

const wallet = await crossmintWallets.getWallet(
    "evm:alias:my-crossmint-wallet",
    { chain: "base-sepolia" }
);

await wallet.useSigner({
    type: "external-wallet",
    address: kmsPemToEthAddress(publicKeyPem),
    onSign: async (message) => {
        return signWithKms(message as `0x${string}`);
    },
});

// Example: Send tokens
await wallet.send("0xRecipientAddress", "usdxm", "1");

// Example: Send a raw EVM transaction
const evmWallet = EVMWallet.from(wallet);
await evmWallet.sendTransaction({
    to: "0xRecipientAddress",
    value: BigInt(0),
    data: "0x",
});

Security Best Practices

Key rotation caveat: While Cloud KMS supports automatic key rotation, rotating an asymmetric signing key generates a new key pair — which means a new Ethereum address. For wallets, manage key versions carefully and plan migrations accordingly.

Restrict Cloud Run access: Use IAM authentication or VPC Service Controls to ensure only authorized services can call your signing function.
Enable audit logs: Turn on Cloud KMS “Data Access” audit logs to track every signing operation.
Principle of least privilege: Only grant the signerVerifier role — never grant admin or encrypterDecrypter roles to your signing service account.
Environment variables: Never hardcode your Crossmint API key or GCP credentials. Use environment variables or a secrets manager.

How It Works

You create an asymmetric signing key inside AWS KMS — the private key never leaves AWS hardware security modules (HSMs).
An AWS Lambda function sits in front of KMS and signs transaction digests on demand.
The Crossmint SDK calls your Lambda function whenever the wallet needs to sign something.
The signature is converted from AWS’s DER format to Ethereum’s r, s, v format, and the Crossmint SDK uses it to complete the transaction.

That is it — your key stays in the HSM, and Crossmint never sees it.

What You Will Build

An asymmetric signing key in AWS KMS (secp256k1)
An IAM role scoped to KMS signing operations
A Lambda function that signs digests via KMS
A Crossmint server wallet using your KMS key as its signer

Prerequisites

An AWS account with appropriate permissions to create KMS keys, IAM roles, Lambda functions, and API Gateway resources
A Crossmint server API key
Node.js 18+

Required AWS IAM Permissions

To complete this setup, your AWS user or role will need the following permissions:

Permission	Purpose
`kms:CreateKey`	Create the KMS asymmetric key for signing
`iam:CreateRole`	Create the IAM role for Lambda execution
`iam:PutRolePolicy`	Attach inline policies to the IAM role
`iam:PutGroupPolicy`	Configure group-level policies if needed
`ec2:DescribeVpcEndpoints`	Configure VPC endpoints for private API access
`apigateway:UpdateRestApiPolicy`	Update API Gateway resource policies

Set Up AWS KMS

This guide is written for EVM-compatible blockchains. The steps for Solana or Stellar are similar, but key settings change. Contact your Crossmint support representative for assistance.

Access AWS KMS

Create a Customer Managed Key

Go to Customer managed keys and click Create key.

Configure Key Settings

Configure your key with the following settings:

Setting	Value
Key type	Asymmetric
Key usage	Sign and verify
Key spec	ECC_SECG_P256K1

The ECC_SECG_P256K1 specification is the secp256k1 elliptic curve, which is the same curve used by Ethereum and other EVM-compatible blockchains for cryptographic operations.

Name Your Key

Give your key a descriptive alias that identifies its purpose, for example: my-crossmint-wallet-key.

Set Permissions

Specify the key administrators and users who should have access to manage and use this key.

Copy the Public Key

After creating the key, navigate to the key’s detail page and go to the Public key tab. Click Download to download the public key in PEM format, or copy the public key content directly.Save the contents — you will need this PEM string in later steps. It looks like:

-----BEGIN PUBLIC KEY-----
MFYwEAYHKoZIzj0CAQYFK4EEAAoDQgAE...
-----END PUBLIC KEY-----

Save this public key securely. You will need it in the next step to derive the Ethereum address for your wallet signer.

Set Up IAM Permissions

Next, create an IAM role that allows your Lambda function to call KMS for signing operations.

In this guide, an AWS Lambda function handles signing requests. However, this architecture can be adapted to run on other compute types such as EC2 instances or ECS containers depending on your infrastructure requirements.

Create a New Role

Search for “IAM” in the AWS Console, navigate to Roles, and click Create role.

Configure Role Type

Keep AWS service selected and choose Lambda under “Service or use case”.

Skip Permission Policies

Skip the permission policies step for now (you will add an inline policy next).

Name the Role

Give your role a descriptive name, for example: kms-signer-role.

Add Inline Policy

From within the new role page, select Add Permissions and then Create inline policy.

Configure the Policy

Set the Policy editor to JSON and add the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["kms:Sign", "kms:GetPublicKey"],
            "Resource": "arn:aws:kms:REGION:ACCOUNT_ID:key/KEY_ID"
        }
    ]
}

Replace the placeholders with your actual values:

Placeholder	Where to Find It
`REGION`	Your AWS region (e.g., `us-east-1`, `eu-north-1`)
`ACCOUNT_ID`	Click your profile icon in the top-right corner of AWS Console
`KEY_ID`	Found on your KMS key’s dashboard page

This follows the principle of least privilege — the role can only sign and get the public key, not manage or destroy keys.

Save the Policy

Name the policy (e.g., kms.policy) and click “Create policy”.

Deploy a Lambda Signing Function

Now create a Lambda function that will handle signing requests using your KMS key.

Create the Function

Search for “Lambda” in the AWS Console and click Create function. Give your function a name, for example: kms-signer-function.

Configure Execution Role

Under Change default execution role, select Use an existing role. From the Existing role dropdown, select the role you created during IAM Role Setup (e.g., kms-signer-role).

Set Environment Variables

Create a new environment variable KMS_KEY_ID and set it to your KMS key ID. You can find the key ID at the top of the KMS key’s dashboard page.

Add the Function Code

Enter the following code in the Lambda function editor:

View Lambda Function Code

import { KMSClient, SignCommand } from '@aws-sdk/client-kms'

const kms = new KMSClient({})

const KEY_ID = process.env.KMS_KEY_ID
if (!KEY_ID) throw new Error('Missing env var KMS_KEY_ID')

// secp256k1 curve parameters
const SECP256K1_P = BigInt('0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F')
const SECP256K1_N = BigInt('0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141')
const SECP256K1_HALF_N = SECP256K1_N / 2n
const SECP256K1_Gx = BigInt('0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798')
const SECP256K1_Gy = BigInt('0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8')

export const handler = async (event) => {
  const body = typeof event.body === 'string' ? JSON.parse(event.body) : (event.body ?? event)

  const digestInput = body.userOpHash ?? body.useropHash ?? body.hash ?? body.digest
  if (!digestInput) {
    return resp(400, {
      error: 'Missing userOpHash (0x..32 bytes) or digest (0x..32 bytes or base64 32 bytes)'
    })
  }

  const signerAddress = body.signerAddress
  if (!signerAddress || !signerAddress.startsWith('0x') || signerAddress.length !== 42) {
    return resp(400, {
      error: 'Missing or invalid signerAddress (must be 0x-prefixed 20-byte hex address)'
    })
  }

  const digestBytes = parse32ByteDigest(digestInput)
  if (!digestBytes) return resp(400, { error: 'Digest must be 32 bytes (hex 0x.. or base64)' })

  // Apply EIP-191 personal sign prefix before signing
  // This computes: keccak256("\x19Ethereum Signed Message:\n32" + digestBytes)
  const ethSignedHash = hashMessage(digestBytes)

  const out = await kms.send(
    new SignCommand({
      KeyId: KEY_ID,
      Message: ethSignedHash,
      MessageType: 'DIGEST',
      SigningAlgorithm: 'ECDSA_SHA_256'
    })
  )

  if (!out.Signature) return resp(500, { error: 'KMS did not return a signature' })

  let { r, s } = derToRS(Buffer.from(out.Signature))

  // Enforce low-s (EIP-2)
  let sBig = BigInt(s)
  let sFlipped = false
  if (sBig > SECP256K1_HALF_N) {
    sBig = SECP256K1_N - sBig
    s = toPaddedHex(sBig, 32)
    sFlipped = true
  }

  // Determine the correct recovery parameter by trying both and comparing addresses
  const rBig = BigInt(r)
  const hashBig = BigInt('0x' + Buffer.from(ethSignedHash).toString('hex'))

  let correctV = null
  const recoveredAddresses = []
  for (const recoveryParam of [0, 1]) {
    try {
      const recoveredPubKey = ecrecover(hashBig, rBig, sBig, recoveryParam)
      if (!recoveredPubKey) {
        recoveredAddresses.push({ v: recoveryParam + 27, error: 'recovery returned null' })
        continue
      }
      
      const recoveredAddress = pubKeyToAddress(recoveredPubKey)
      recoveredAddresses.push({ v: recoveryParam + 27, address: recoveredAddress })
      
      if (recoveredAddress.toLowerCase() === signerAddress.toLowerCase()) {
        correctV = recoveryParam + 27
        break
      }
    } catch (err) {
      recoveredAddresses.push({ v: recoveryParam + 27, error: err.message })
    }
  }

  if (correctV === null) {
    return resp(500, { 
      error: 'Failed to determine correct signature recovery parameter. Verify signerAddress matches the KMS key.',
      debug: {
        expectedAddress: signerAddress,
        recoveredAddresses,
        r,
        s
      }
    })
  }

  const signature = hexConcat([r, s, toPaddedHex(BigInt(correctV), 1)])

  return {
    statusCode: 200,
    headers: { 'content-type': 'application/json' },
    body: JSON.stringify({ signature })
  }
}

function resp(statusCode, body) {
  return { statusCode, headers: { 'content-type': 'application/json' }, body: JSON.stringify(body) }
}

// EIP-191 personal sign: keccak256("\x19Ethereum Signed Message:\n" + len + message)
function hashMessage(messageBytes) {
  const prefix = Buffer.from(`\x19Ethereum Signed Message:\n${messageBytes.length}`, 'utf8')
  const prefixedMessage = Buffer.concat([prefix, messageBytes])
  return Buffer.from(keccak256(prefixedMessage))
}

function parse32ByteDigest(input) {
  if (typeof input !== 'string') return null
  if (input.startsWith('0x')) {
    try {
      const bytes = Buffer.from(input.slice(2), 'hex')
      return bytes.length === 32 ? bytes : null
    } catch {
      return null
    }
  }
  try {
    const bytes = Buffer.from(input, 'base64')
    return bytes.length === 32 ? bytes : null
  } catch {
    return null
  }
}

function derToRS(der) {
  let i = 0
  if (der[i++] !== 0x30) throw new Error('Invalid DER: expected SEQUENCE')
  const seq = readDerLen(der, i)
  i = seq.next
  if (der[i++] !== 0x02) throw new Error('Invalid DER: expected INTEGER (r)')
  const rLen = readDerLen(der, i)
  i = rLen.next
  const rBytes = der.slice(i, i + rLen.len)
  i += rLen.len
  if (der[i++] !== 0x02) throw new Error('Invalid DER: expected INTEGER (s)')
  const sLen = readDerLen(der, i)
  i = sLen.next
  const sBytes = der.slice(i, i + sLen.len)
  return { r: bytesToPaddedHex(stripLeadingZero(rBytes), 32), s: bytesToPaddedHex(stripLeadingZero(sBytes), 32) }
}

function readDerLen(buf, offset) {
  const first = buf[offset]
  if (first < 0x80) return { len: first, next: offset + 1 }
  const n = first & 0x7f
  let len = 0
  for (let j = 0; j < n; j++) len = (len << 8) | buf[offset + 1 + j]
  return { len, next: offset + 1 + n }
}

function stripLeadingZero(b) {
  return (b.length > 1 && b[0] === 0x00) ? b.slice(1) : b
}

function bytesToPaddedHex(b, size) {
  return '0x' + Buffer.from(b).toString('hex').padStart(size * 2, '0')
}

function toPaddedHex(n, size) {
  let hex = n.toString(16)
  if (hex.length > size * 2) hex = hex.slice(-size * 2)
  return '0x' + hex.padStart(size * 2, '0')
}

function hexConcat(parts) {
  return '0x' + parts.map((p) => (p.startsWith('0x') ? p.slice(2) : p)).join('')
}

// ============================================================================
// Pure JavaScript secp256k1 ecrecover implementation
// ============================================================================

// Modular arithmetic helpers
function mod(a, m) {
  const result = a % m
  return result >= 0n ? result : result + m
}

function modInverse(a, m) {
  a = mod(a, m) // Ensure a is positive before computing inverse
  if (a === 0n) throw new Error('No modular inverse for 0')
  let [old_r, r] = [a, m]
  let [old_s, s] = [1n, 0n]
  while (r !== 0n) {
    const q = old_r / r
    ;[old_r, r] = [r, old_r - q * r]
    ;[old_s, s] = [s, old_s - q * s]
  }
  return mod(old_s, m)
}

function modPow(base, exp, m) {
  let result = 1n
  base = mod(base, m)
  while (exp > 0n) {
    if (exp % 2n === 1n) result = mod(result * base, m)
    exp = exp / 2n
    base = mod(base * base, m)
  }
  return result
}

// Elliptic curve point operations (affine coordinates)
function pointAdd(p1, p2) {
  if (p1 === null) return p2
  if (p2 === null) return p1
  
  const [x1, y1] = p1
  const [x2, y2] = p2
  
  if (x1 === x2) {
    if (y1 !== y2) return null // point at infinity
    // Point doubling
    const s = mod(3n * x1 * x1 * modInverse(2n * y1, SECP256K1_P), SECP256K1_P)
    const x3 = mod(s * s - 2n * x1, SECP256K1_P)
    const y3 = mod(s * (x1 - x3) - y1, SECP256K1_P)
    return [x3, y3]
  }
  
  const s = mod((y2 - y1) * modInverse(x2 - x1, SECP256K1_P), SECP256K1_P)
  const x3 = mod(s * s - x1 - x2, SECP256K1_P)
  const y3 = mod(s * (x1 - x3) - y1, SECP256K1_P)
  return [x3, y3]
}

function pointMul(k, point) {
  let result = null
  let addend = point
  while (k > 0n) {
    if (k & 1n) result = pointAdd(result, addend)
    addend = pointAdd(addend, addend)
    k >>= 1n
  }
  return result
}

// Recover y-coordinate from x-coordinate on secp256k1
function recoverY(x, isOdd) {
  // y² = x³ + 7 (mod p)
  const ySquared = mod(modPow(x, 3n, SECP256K1_P) + 7n, SECP256K1_P)
  // y = ySquared^((p+1)/4) mod p (works because p ≡ 3 mod 4)
  const y = modPow(ySquared, (SECP256K1_P + 1n) / 4n, SECP256K1_P)
  // Verify
  if (mod(y * y, SECP256K1_P) !== ySquared) return null
  // Return the y with correct parity
  const yIsOdd = (y & 1n) === 1n
  return yIsOdd === isOdd ? y : mod(-y, SECP256K1_P)
}

// ecrecover: recover public key from signature
function ecrecover(msgHash, r, s, recoveryParam) {
  // Recover the point R from r and recoveryParam
  const isOdd = (recoveryParam & 1) === 1
  const x = r
  const y = recoverY(x, isOdd)
  if (y === null) return null
  
  const R = [x, y]
  const G = [SECP256K1_Gx, SECP256K1_Gy]
  
  // Public key P = r^(-1) * (s*R - e*G)
  const rInv = modInverse(r, SECP256K1_N)
  const u1 = mod(-msgHash * rInv, SECP256K1_N)
  const u2 = mod(s * rInv, SECP256K1_N)
  
  const point1 = pointMul(u1, G)
  const point2 = pointMul(u2, R)
  const pubKeyPoint = pointAdd(point1, point2)
  
  if (pubKeyPoint === null) return null
  
  // Return uncompressed public key (65 bytes: 0x04 || x || y)
  const xHex = pubKeyPoint[0].toString(16).padStart(64, '0')
  const yHex = pubKeyPoint[1].toString(16).padStart(64, '0')
  return Buffer.from('04' + xHex + yHex, 'hex')
}

function pubKeyToAddress(pubKey) {
  // Skip the 0x04 prefix and hash the 64 bytes
  const hash = keccak256(pubKey.slice(1))
  return '0x' + Buffer.from(hash.slice(12)).toString('hex')
}

// ============================================================================
// Pure JavaScript Keccak-256 implementation (no external dependencies)
// ============================================================================
const KECCAK_ROUNDS = 24
const ROTC = [1,3,6,10,15,21,28,36,45,55,2,14,27,41,56,8,25,43,62,18,39,61,20,44]
const PILN = [10,7,11,17,18,3,5,16,8,21,24,4,15,23,19,13,12,2,20,14,22,9,6,1]
const RNDC = [
  0x0000000000000001n, 0x0000000000008082n, 0x800000000000808an, 0x8000000080008000n,
  0x000000000000808bn, 0x0000000080000001n, 0x8000000080008081n, 0x8000000000008009n,
  0x000000000000008an, 0x0000000000000088n, 0x0000000080008009n, 0x000000008000000an,
  0x000000008000808bn, 0x800000000000008bn, 0x8000000000008089n, 0x8000000000008003n,
  0x8000000000008002n, 0x8000000000000080n, 0x000000000000800an, 0x800000008000000an,
  0x8000000080008081n, 0x8000000000008080n, 0x0000000080000001n, 0x8000000080008008n
]

function rotl64(x, n) {
  n = BigInt(n)
  return ((x << n) | (x >> (64n - n))) & 0xffffffffffffffffn
}

function keccakF(state) {
  for (let round = 0; round < KECCAK_ROUNDS; round++) {
    // Theta
    const C = new Array(5)
    for (let x = 0; x < 5; x++) {
      C[x] = state[x] ^ state[x + 5] ^ state[x + 10] ^ state[x + 15] ^ state[x + 20]
    }
    const D = new Array(5)
    for (let x = 0; x < 5; x++) {
      D[x] = C[(x + 4) % 5] ^ rotl64(C[(x + 1) % 5], 1)
    }
    for (let x = 0; x < 5; x++) {
      for (let y = 0; y < 5; y++) {
        state[x + y * 5] ^= D[x]
      }
    }

    // Rho and Pi
    let t = state[1]
    for (let i = 0; i < 24; i++) {
      const j = PILN[i]
      const temp = state[j]
      state[j] = rotl64(t, ROTC[i])
      t = temp
    }

    // Chi
    for (let y = 0; y < 5; y++) {
      const row = [state[y * 5], state[y * 5 + 1], state[y * 5 + 2], state[y * 5 + 3], state[y * 5 + 4]]
      for (let x = 0; x < 5; x++) {
        state[y * 5 + x] = row[x] ^ ((~row[(x + 1) % 5]) & row[(x + 2) % 5])
      }
    }

    // Iota
    state[0] ^= RNDC[round]
  }
}

function keccak256(input) {
  const inputBytes = Buffer.isBuffer(input) ? input : Buffer.from(input)
  const rate = 136 // (1600 - 256 * 2) / 8 for keccak-256
  const state = new Array(25).fill(0n)

  // Pad the input: append 0x01, then zeros, then 0x80
  const padLen = rate - (inputBytes.length % rate)
  const padded = Buffer.alloc(inputBytes.length + padLen)
  inputBytes.copy(padded)
  padded[inputBytes.length] = 0x01
  padded[padded.length - 1] |= 0x80

  // Absorb
  for (let offset = 0; offset < padded.length; offset += rate) {
    for (let i = 0; i < rate / 8; i++) {
      const lane = padded.readBigUInt64LE(offset + i * 8)
      state[i] ^= lane
    }
    keccakF(state)
  }

  // Squeeze (just 32 bytes for keccak-256)
  const output = Buffer.alloc(32)
  for (let i = 0; i < 4; i++) {
    output.writeBigUInt64LE(state[i], i * 8)
  }
  return output
}

Deploy the Function

Click Deploy to save and deploy your Lambda function

Expose Function as HTTP Endpoint

Make the function accessible to your application via an HTTP endpoint.The simplest approach is to enable a Lambda Function URL — a built-in HTTPS endpoint with no extra infrastructure:

Open your Lambda function

In the AWS Console, navigate to your Lambda function and go to the Configuration tab.

Create Function URL

Select Function URL in the left panel, then click Create function URL.

Set Auth Type

Choose NONE for auth type (simplest for development). For production, use AWS_IAM and sign requests with SigV4.

Copy the URL

Copy the Function URL — you will use this as KMS_SIGNER_URL in your application code.

A Function URL with auth type NONE is publicly accessible. For production, use AWS_IAM auth or put the Lambda behind an API Gateway with IAM authorization. See the advanced setup below.

Advanced: Create an API Gateway with IAM Auth

For production, you can expose the function via API Gateway with IAM authorization. This requires AWS SigV4-signed requests (e.g., via awscurl).

Create the API

Search for “API Gateway” in the AWS Console and click Create API. Select Build for REST API.

Configure API Settings

Name your API (e.g., KMS Sign API) and select a security policy that meets your requirements.

Create a Method

After creating the API, select Create method with the following settings:

Setting	Value
Method type	POST
Lambda function	Select the Lambda function you created
Authorization (In Method Request Settings)	AWS IAM

Create a Stage

Go to Stages in the left panel and click Create Stage. Name the stage (e.g., prod).

Deploy the API

Go back to API > Resource and select Deploy API. Select the stage you created and click Deploy.

Add Resource Policy

Navigate to Resource policy in the left panel and add the following policy to allow invocations from your AWS account:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAnyoneInThisAccount",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:REGION:ACCOUNT_ID:API_ID/*/POST/",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalAccount": "ACCOUNT_ID"
                }
            }
        }
    ]
}

Replace the placeholders with your actual values:

Placeholder	Where to Find It
`REGION`	Your AWS region (e.g., `us-east-1`, `eu-north-1`)
`ACCOUNT_ID`	Click your profile icon in the top-right corner of AWS Console
`API_ID`	Found in the API Gateway console URL or in the API’s ARN

After adding the policy, click Save and then re-deploy the API to the stage for the changes to take effect.

Save the Invoke URL

Copy the Invoke URL for your API. You will need this URL to test the endpoint. You can always find this URL under the Stages view.

Grant User Group Access to API Gateway

Add a policy to your user group to allow members to invoke the API Gateway endpoint.

Search for IAM in the AWS Console and navigate to User groups in the left panel.
Select the user group you want to grant access to (or create a new one).
Go to the Permissions tab.
Click Add permissions and select Create inline policy.
Select the JSON tab in the policy editor.
Paste the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:REGION:ACCOUNT_ID:API_ID/STAGE/POST/"
        }
    ]
}

Replace the placeholders with your actual values:

Placeholder	Where to Find It
`REGION`	Your AWS region (e.g., `us-east-1`, `eu-north-1`)
`ACCOUNT_ID`	Click your profile icon in the top-right corner of AWS Console
`API_ID`	Found in the API Gateway console URL or in the API’s ARN
`STAGE`	The stage name you created (e.g., `prod`)

Click Next, give the policy a name (e.g., api-gateway-invoke-policy), and click Create policy.

Test Using AWS CLI

You can invoke the function using the AWS CLI to ensure everything is working correctly.

Open Security Credentials

Click on your username in the top right corner of the AWS Console, then select Security credentials from the dropdown menu.

Create Access Key

Scroll down to the Access keys section and click Create access key.

Select Use Case

Select the use case (e.g., “Command Line Interface (CLI)”) and click Create access key.

Copy Access Keys

Important: Copy both the Access key ID and Secret access key immediately. The secret access key will only be shown once and cannot be retrieved later.

Run AWS Configure

Run aws configure to set up your AWS credentials:

aws configure

Enter Access Key ID

When prompted, enter your AWS Access Key ID: Paste the access key ID you copied in the previous step.

Enter Secret Access Key

Enter your AWS Secret Access Key: Paste the secret access key you copied.

Enter Default Region

Enter your Default region name: Enter your AWS region (e.g., us-east-1, eu-north-1).

Set Output Format

For Default output format: Press Enter to use the default (JSON) or specify json, yaml, text, or table.Your credentials will be stored in ~/.aws/credentials and your configuration in ~/.aws/config.

Install awscurl

Install awscurl to make signed requests to your API:

pip install awscurl

Generate Signature

Run the following command to sign a message using your endpoint:

awscurl --service execute-api --region YOUR_REGION \
    -X POST "https://YOUR_API_ID.execute-api.YOUR_REGION.amazonaws.com/prod/" \
    -d '{"digest":"BASE64_ENCODED_MESSAGE_HASH", "signerAddress":"0xYOUR_KMS_SIGNER_ADDRESS"}'

Replace the placeholders with your actual values:

Placeholder	Description
`YOUR_REGION`	Your AWS region (e.g., `us-east-1`, `eu-north-1`)
`YOUR_API_ID`	Found in the API Gateway console URL or ARN (e.g., if ARN is `arn:aws:execute-api:eu-north-1:257027486036:bho48fe8dl/*/POST/`, then `API_ID` is `bho48fe8dl`)
`BASE64_ENCODED_MESSAGE_HASH`	The base64-encoded message hash returned from wallet APIs
`0xYOUR_KMS_SIGNER_ADDRESS`	The Ethereum address derived from your KMS public key (from step 3)

Create and Use the Crossmint Wallet

Now wire everything together — convert your KMS public key to an Ethereum address, create a Crossmint wallet, and sign transactions through your Lambda function.

Install Dependencies

npm i @crossmint/wallets-sdk viem @peculiar/asn1-schema @peculiar/asn1-x509 buffer

Convert the KMS Public Key to an Ethereum Address

AWS KMS provides the public key in PEM format. You need to convert it to an Ethereum address. The code below handles this conversion by parsing the PEM-encoded public key and deriving the corresponding Ethereum address.

Replace the publicKeyPem placeholder with the public key you copied from AWS KMS in the previous step.

kms-utils.ts

import { publicKeyToAddress } from "viem/accounts";
import { AsnParser } from "@peculiar/asn1-schema";
import { SubjectPublicKeyInfo } from "@peculiar/asn1-x509";
import { Buffer } from "buffer";

// Paste the public key from your AWS KMS key here
export const publicKeyPem = `-----BEGIN PUBLIC KEY-----
YOUR_KMS_PUBLIC_KEY_HERE
-----END PUBLIC KEY-----
`;

function pemToDer(pem: string): Uint8Array {
    const b64 = pem
        .replace(/-----BEGIN PUBLIC KEY-----/g, "")
        .replace(/-----END PUBLIC KEY-----/g, "")
        .replace(/\s+/g, "");
    return Uint8Array.from(Buffer.from(b64, "base64"));
}

export function kmsPemToEthAddress(pem: string): `0x${string}` {
    const der = pemToDer(pem);

    // Parse SPKI and extract the BIT STRING (the actual EC point bytes)
    const spki = AsnParser.parse(der, SubjectPublicKeyInfo);
    const uncompressed = new Uint8Array(spki.subjectPublicKey); // 65 bytes: 04 || X || Y

    if (uncompressed.length !== 65 || uncompressed[0] !== 0x04) {
        throw new Error("Expected uncompressed secp256k1 public key (65 bytes starting with 0x04).");
    }

    const publicKeyHex = `0x${Buffer.from(uncompressed).toString("hex")}` as `0x${string}`;
    return publicKeyToAddress(publicKeyHex);
}

The @peculiar/asn1-schema and @peculiar/asn1-x509 packages were already installed in the “Install Dependencies” step above.

Build the KMS Signing Function

The Lambda function from the previous step handles DER-to-Ethereum signature conversion and EIP-2 low-s normalization. This client-side function calls your Lambda and returns the resulting signature:

This example uses a plain fetch call, which works with Lambda Function URLs (auth type NONE). If you set up API Gateway with IAM auth instead, you will need to sign requests with AWS SigV4 — use awscurl for testing (see the “Test Using AWS CLI” section above).

kms-signer.ts

import { kmsPemToEthAddress, publicKeyPem } from "./kms-utils";

const KMS_SIGNER_URL = "https://YOUR_LAMBDA_FUNCTION_URL";

export async function signWithKms(message: `0x${string}`): Promise<`0x${string}`> {
    const expectedAddress = kmsPemToEthAddress(publicKeyPem);

    const response = await fetch(KMS_SIGNER_URL, {
        method: "POST",
        headers: { "Content-Type": "application/json" },
        body: JSON.stringify({
            hash: message,
            signerAddress: expectedAddress,
        }),
    });

    if (!response.ok) {
        throw new Error(`KMS signing failed: ${response.statusText}`);
    }

    const { signature } = await response.json();
    return signature as `0x${string}`;
}

Create the Wallet

Use the KMS-derived Ethereum address as the wallet’s recovery signer. The recovery signer is used for wallet recovery and adding new signers — ideal for a server-held KMS key.

create-wallet.ts

import { CrossmintWallets, createCrossmint } from "@crossmint/wallets-sdk";
import { kmsPemToEthAddress, publicKeyPem } from "./kms-utils";
import { signWithKms } from "./kms-signer";

const crossmint = createCrossmint({
    apiKey: "YOUR_CROSSMINT_SERVER_API_KEY",
});
export const crossmintWallets = CrossmintWallets.from(crossmint);

const wallet = await crossmintWallets.createWallet({
    chain: "base-sepolia",
    recovery: {
        type: "external-wallet",
        address: kmsPemToEthAddress(publicKeyPem),
        onSign: async (message) => {
            return signWithKms(message as `0x${string}`);
        },
    },
    alias: "my-crossmint-wallet",
});

Use the Wallet

Once created, retrieve the wallet and use it to sign transactions. Here are a couple of examples:

use-wallet.ts

import { EVMWallet } from "@crossmint/wallets-sdk";
import { kmsPemToEthAddress, publicKeyPem } from "./kms-utils";
import { signWithKms } from "./kms-signer";
import { crossmintWallets } from "./create-wallet";

const wallet = await crossmintWallets.getWallet(
    "evm:alias:my-crossmint-wallet",
    { chain: "base-sepolia" }
);

await wallet.useSigner({
    type: "external-wallet",
    address: kmsPemToEthAddress(publicKeyPem),
    onSign: async (message) => {
        return signWithKms(message as `0x${string}`);
    },
});

// Example: Send tokens
await wallet.send("0xRecipientAddress", "usdxm", "1");

// Example: Send a raw EVM transaction
const evmWallet = EVMWallet.from(wallet);
await evmWallet.sendTransaction({
    to: "0xRecipientAddress",
    value: BigInt(0),
    data: "0x",
});

Security Best Practices

Key rotation caveat: While AWS KMS supports automatic key rotation, rotating an asymmetric signing key generates a new key pair — which means a new Ethereum address. For wallets, manage key versions carefully and plan migrations accordingly.

Restrict Lambda access: Use IAM authentication or VPC endpoints to ensure only authorized services can call your signing function.
Enable audit logs: Turn on AWS CloudTrail to log all KMS and Lambda operations.
Principle of least privilege: Only grant kms:Sign and kms:GetPublicKey — never grant broader KMS permissions to your signing role.
Environment variables: Never hardcode your Crossmint API key or AWS credentials. Use environment variables or AWS Secrets Manager.

Introduction

Quickstarts ⚡️

Concepts

Guides

API Reference

How It Works

What You Will Build

Prerequisites

Set Up Google Cloud KMS

Set Up IAM Permissions

Deploy a Cloud Run Signing Function

Create and Use the Crossmint Wallet

Install Dependencies

Convert the KMS Public Key to an Ethereum Address

Build the KMS Signing Function

Create the Wallet

Use the Wallet

Security Best Practices

How It Works

What You Will Build

Prerequisites

Set Up AWS KMS

Set Up IAM Permissions

Deploy a Lambda Signing Function

Create and Use the Crossmint Wallet

Install Dependencies

Convert the KMS Public Key to an Ethereum Address

Build the KMS Signing Function

Create the Wallet

Use the Wallet

Security Best Practices

Introduction

Quickstarts ⚡️

Concepts

Guides

API Reference

Documentation Index

​How It Works

​What You Will Build

​Prerequisites

​Set Up Google Cloud KMS

​Set Up IAM Permissions

​Deploy a Cloud Run Signing Function

​Create and Use the Crossmint Wallet

​Install Dependencies

​Convert the KMS Public Key to an Ethereum Address

​Build the KMS Signing Function

​Create the Wallet

​Use the Wallet

​Security Best Practices

​How It Works

​What You Will Build

​Prerequisites

​Set Up AWS KMS

​Set Up IAM Permissions

​Deploy a Lambda Signing Function

​Create and Use the Crossmint Wallet

​Install Dependencies

​Convert the KMS Public Key to an Ethereum Address

​Build the KMS Signing Function

​Create the Wallet

​Use the Wallet

​Security Best Practices

How It Works

What You Will Build

Prerequisites

Set Up Google Cloud KMS

Set Up IAM Permissions

Deploy a Cloud Run Signing Function

Create and Use the Crossmint Wallet

Install Dependencies

Convert the KMS Public Key to an Ethereum Address

Build the KMS Signing Function

Create the Wallet

Use the Wallet

Security Best Practices

How It Works

What You Will Build

Prerequisites

Set Up AWS KMS

Set Up IAM Permissions

Deploy a Lambda Signing Function

Create and Use the Crossmint Wallet

Install Dependencies

Convert the KMS Public Key to an Ethereum Address

Build the KMS Signing Function

Create the Wallet

Use the Wallet

Security Best Practices