When users create accounts on a centralised crypto exchange, the exchange manages the keys: the users do not own their keys. These keys are required whenever users want to send their crypto to other addresses.

We can use AWS KMS to manage the keys of users in the custodial wallet of a centralised exchange. AWS KMS performs the key management on behalf of the crypto exchange.

AWS KMS stores only the Customer Master Key (CMK). The data key can be managed by the users or by the AWS Encryption SDK. The data key is used to encrypt the secret seed phrase of the user's account, and the data key itself is encrypted under the CMK (envelope encryption), so the exchange only ever stores the wrapped data key and the encrypted seed phrase.

There are alternatives to AWS KMS, such as HashiCorp Vault, OpenSSH and Google Cloud Key Management Service.
