Cosmian KMS is an open-source implementation of a high-performance, massively scalable, Key Management System that presents some unique features, such as
- the ability to run in a public cloud - or any zero-trust environment - using application-level encryption (see Redis-Findex)
- a JSON KMIP 2.1 compliant interface
- support for object tagging to easily manage keys and secrets
- a full-featured command line interface (CLI)
- Python, Javascript, Dart, Rust, C/C++ and Java clients (see the
cloudproooflibraries on Cosmian Github)
It has extensive documentation and is also available packaged as docker images (docker pull ghcr.io/cosmian/kms) to get you started quickly.
The KMS can manage keys and secrets used with a comprehensive list of common (AES, ECIES, ...) and Cosmian advanced cryptographic stacks such as Covercrypt. Keys can be wrapped and unwrapped using ECIES or RFC5649.
The server is written in Rust and is broken down into several binaries:
- A server (
cosmian_kms_server) which is the KMS itself - A CLI (
ckms) to interact with this server
And also some libraries:
cosmian_kms_clientto query the servercosmian_kms_utilsto create KMIP requests for the crypto-systems designed by Cosmiancosmian_kmipwhich is an implementation of the KMIP standardcosmian_kms_pyo3a KMS client in Python.
Please refer to the README of the inner directories to have more information.
The enclave directory contains all the requirements to run the KMS inside an Intel SGX enclave.
You can build a docker containing the KMS server as follow:
# Example with auth and https features
docker build . --network=host \
--build-arg \
-t kmsThe delivery directory contains all the requirements to proceed with a KMS delivery based on a docker creation.
Find the public documentation of the KMS in the documentation directory.
From the root of the project, on your local machine, for developing:
cargo build --no-default-features
cargo test --no-default-featuresAll releases can be found in the public URL package.cosmian.com.