Why On-Chain KMS
Without on-chain KMS, a TEE provider’s backend decides which CVMs get keys. That’s one trusted party. With on-chain KMS:- No central authority. A smart contract is the only thing that can authorize key release. Phala’s backend does not sign transactions on Lit’s behalf.
- Public, auditable governance. Every code-version whitelist change is a Base transaction. Anyone can read the history on Basescan.
- Multi-party control. The contract owner is a Safe multisig of Lit signers — no single party (including Lit) can change the whitelist alone.
The contracts
Two contracts on Base together gate key release for the Lit Chipotle CVM:Phala KMS — 0x2f83…Ba9C
A shared Phala contract that maintains the registry of KMS nodes, approved dstack OS images, and approved KMS aggregated measurements. It also acts as a factory for per-application DstackApp contracts.
DstackApp — 0x3F91…05FfC
The application-specific contract for Lit Chipotle. Its address is the app_id returned by GET /info. Anyone can confirm this matches:
How key release is gated
The flow on every CVM boot:- The CVM generates an Intel TDX attestation quote covering its hardware, OS, and the compose hash of the code it loaded.
- The KMS verifies the quote against Intel’s root certificates.
- The KMS reads the on-chain state:
- Is the OS image in
Phala KMS.allowedOsImages? - Is the KMS measurement in
Phala KMS.kmsAllowedAggregatedMrs? - Is the compose hash in
DstackApp.allowedComposeHashes? - Is the device ID in
DstackApp.allowedDeviceIds?
- Is the OS image in
- Only if all four pass does the KMS release the keys this CVM is allowed to use.
Confirming the KMS is active
“Active” for on-chain KMS means three things hold simultaneously. You can verify each on Basescan or withcast.
1. The live compose hash is whitelisted
true here proves the currently-running code is authorized by on-chain governance. A false would mean the CVM is running code that the KMS would refuse to release keys to — which should never happen in production, because the CVM cannot boot without keys.
2. The DstackApp owner is the Safe multisig
0xF688…1098 requires multiple signers to approve any change.
3. The CVM’s app_id matches the DstackApp address
Auditing the governance history
Every governance action that changed the KMS configuration is a Base transaction. On the DstackApp’s Basescan page, the Transactions tab shows everyaddComposeHash and removeComposeHash call ever made. Each is a Safe execution requiring multiple signatures.
To understand a specific deployment:
- Find the deployment date in Lit’s release notes (or
git log). - Find the
addComposeHashtransaction on Basescan around that date. - Open the Safe transaction (linked from the Basescan tx) — you can see which signers approved it.
What’s next
- Verify in 30 Seconds — the Trust Center one-click report
- Full Verification Guide — replay the RTMR3 event log and check every layer
- Phala: Understanding On-Chain KMS
- Phala: Cloud vs On-Chain KMS