Phantom’s Key Management System (KMS) is a secure system Phantom uses to manage certain wallet accounts.
KMS enables features like recoverability, resiliency to attacks, and advanced account policies such as spending limits.
What is KMS?
KMS allows you to securely generate, store, and access wallet keys inside trusted enclaves. Phantom does not export private keys out of the enclave environment, but you can choose to do so for the keys you control.
In Phantom, an account can be backed in two ways:
- KMS account: a reference to a KMS-managed wallet. Wallet keys are stored remotely in a secure enclave, not on your device.
- Local account: an account whose wallet keys are stored on your device.
Rather than storing the wallet's private keys on your device, KMS allows you to store the wallet's private key remotely in a secure enclave and a second cryptographic identifier key on your device that refers to the wallet's private key when you sign transactions. This is how KMS accounts support recovery and access across devices without exposing private keys.
Examples of Phantom features that use KMS accounts
- Phantom Cash uses a KMS account for your Cash account—a separate Solana wallet designed to hold your CASH balance. For more information, see About Phantom Cash.
- Phantom Terminal can use a KMS account to enable faster trading without confirmation pop-ups. For more information, see Why do I see a new account in Phantom after using Phantom Terminal?
How signing works
Signing a transaction with a KMS account works differently than with a local account.
With a local account, Phantom signs transactions directly on your device. With a KMS account, your Phantom app or extension sends a signing request to KMS and receives a signature back. The flow works as follows:
- Your Phantom app or extension sends a signing request to the KMS API.
- KMS authenticates and authorizes the request in a Policy Engine enclave, where permissions and policies are enforced.
- If allowed, signing happens in a Signer enclave.
- KMS returns a signature to Phantom. The signed transaction is then submitted to the network.
Each request to KMS is cryptographically signed using an authenticator keypair that lives on your device. KMS checks that signature and independently enforces policies (like spending limits) before it will sign a transaction.
The authenticator
KMS uses an authenticator to confirm that signing requests are coming from you. The authenticator is a cryptographic identifier key that’s separate from your wallet keys. The authenticator lets your Phantom app or browser extension request signatures from KMS without exposing your private keys.
Where this authenticator lives depends on how you’re using Phantom:
- In the Phantom app or browser extension, it’s stored in Phantom on your device.
- In some experiences (like Phantom Terminal when you sign in with Apple or Google, or some partner apps that use Phantom sign-in), it’s created during setup and stays protected on your device.
How KMS accounts sync between mobile and extension
Phantom stores a reference to a KMS-managed account and can re-discover it when you sign in on another device. The reference helps Phantom find the same KMS account again, and an authenticator on your device is used to access KMS and request signatures.
If you previously connected a third-party app to a KMS account, Phantom can recognize that same KMS account later when you sign in on another device.
Phantom can sync KMS accounts in two ways:
- Sync an existing KMS account. Phantom discovers a KMS account you already have and adds it to your account list.
- Create a new KMS account. When you create a new KMS account, a reference to it is saved so the account can appear on your other devices.
You can see various account types in your Phantom wallet—KMS, local recovery phrases, Ledger hardware wallets, or private keys.