Cosmian KMS is an open-source implementation of a high-performance, massively scalable Key Management System that presents some unique features, such as:

- the ability to run in a public cloud - or any zero-trust environment - using application-level encryption (see Redis-Findex)
- a JSON KMIP 2.1 compliant interface
- support for object tagging to easily manage keys and secrets
- a full-featured command line interface (CLI)
- Python, Javascript, Dart, Rust, C/C++ and Java clients (see the `cloudproof` libraries on Cosmian Github)
It has extensive documentation and is also available packaged as docker images (`docker pull ghcr.io/cosmian/kms`) to get you started quickly.
The KMS can manage keys and secrets used with a comprehensive list of common algorithms (AES, ECIES, ...) and Cosmian's advanced cryptographic stacks such as Covercrypt. Keys can be wrapped and unwrapped using ECIES or RFC 5649.
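To make the RFC 5649 key-wrapping mentioned above concrete, here is an added worked example (not code from the Cosmian KMS project) that writes out the wrap and unwrap steps of RFC 5649 (AES Key Wrap with Padding) in Python. It assumes the `cryptography` package for the raw AES block operation only; the wrapping logic, the alternative initial value (AIV) and the integrity check on unwrap are implemented explicitly, and the constants `KEK`, `KEY_20`, `KEY_7` are the test vectors published in RFC 5649 section 6.

```python
"""RFC 5649 (AES Key Wrap with Padding) written out step by step.

Added example; uses the `cryptography` package only for single-block AES.
"""
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# Alternative Initial Value prefix, RFC 5649 section 3; the 4 bytes after it carry the
# Message Length Indicator (MLI), the length of the unpadded key in octets.
AIV_PREFIX = bytes.fromhex("A65959A6")

# Test vectors from RFC 5649 section 6 (192-bit KEK, 20-octet and 7-octet keys).
KEK = bytes.fromhex("5840df6e29b02af1ab493b705bf16ea1ae8338f4dcc176a8")
KEY_20 = bytes.fromhex("c37b7e6492584340bed12207808941155068f738")
WRAPPED_20 = "138bdeaa9b8fa7fc61f97742e72248ee5ae6ae5360d1ae6a5f54f373fa543b6a"
KEY_7 = bytes.fromhex("466f7250617369")
WRAPPED_7 = "afbeb0f07dfbf5419200f2ccb50bb24f"


def _aes_block(kek: bytes, block: bytes, decrypt: bool = False) -> bytes:
    """One raw AES block operation (ECB on exactly 16 bytes is the bare block cipher)."""
    cipher = Cipher(algorithms.AES(kek), modes.ECB())
    op = cipher.decryptor() if decrypt else cipher.encryptor()
    return op.update(block) + op.finalize()


def wrap_with_padding(kek: bytes, key: bytes) -> bytes:
    """RFC 5649 wrap: pad to 8-octet blocks, AIV = A65959A6 || MLI, then RFC 3394 W()."""
    mli = len(key)
    if mli == 0:
        raise ValueError("key to wrap must not be empty")
    padded = key + b"\x00" * ((-mli) % 8)
    n = len(padded) // 8
    a = AIV_PREFIX + mli.to_bytes(4, "big")
    if n == 1:  # single block: no wrapping loop, just one AES encryption of AIV || P
        return _aes_block(kek, a + padded)
    r = [padded[8 * i:8 * i + 8] for i in range(n)]
    for j in range(6):
        for i in range(n):
            b = _aes_block(kek, a + r[i])
            t = n * j + (i + 1)  # RFC counts i from 1
            a = (int.from_bytes(b[:8], "big") ^ t).to_bytes(8, "big")
            r[i] = b[8:]
    return a + b"".join(r)


def unwrap_with_padding(kek: bytes, wrapped: bytes) -> bytes:
    """RFC 5649 unwrap with the AIV, MLI-range and zero-padding integrity checks."""
    if len(wrapped) < 16 or len(wrapped) % 8:
        raise ValueError("malformed wrapped key")
    n = len(wrapped) // 8 - 1
    if n == 1:
        b = _aes_block(kek, wrapped, decrypt=True)
        a, r = b[:8], [b[8:]]
    else:
        a = wrapped[:8]
        r = [wrapped[8 * i:8 * i + 8] for i in range(1, n + 1)]
        for j in range(5, -1, -1):
            for i in range(n - 1, -1, -1):
                t = n * j + (i + 1)
                a_xor_t = (int.from_bytes(a, "big") ^ t).to_bytes(8, "big")
                b = _aes_block(kek, a_xor_t + r[i], decrypt=True)
                a, r[i] = b[:8], b[8:]
    padded = b"".join(r)
    mli = int.from_bytes(a[4:], "big")
    # Any of these failing means a wrong KEK, a tampered blob, or a non-RFC-5649 input.
    if a[:4] != AIV_PREFIX or not (8 * (n - 1) < mli <= 8 * n) or any(padded[mli:]):
        raise ValueError("integrity check failed")
    return padded[:mli]


def selftest() -> bool:
    """Round-trip both RFC vectors and confirm a single flipped byte is rejected."""
    ok = wrap_with_padding(KEK, KEY_20).hex() == WRAPPED_20
    ok &= wrap_with_padding(KEK, KEY_7).hex() == WRAPPED_7
    ok &= unwrap_with_padding(KEK, bytes.fromhex(WRAPPED_20)) == KEY_20
    ok &= unwrap_with_padding(KEK, bytes.fromhex(WRAPPED_7)) == KEY_7
    tampered = bytearray(bytes.fromhex(WRAPPED_20))
    tampered[10] ^= 0x01
    try:
        unwrap_with_padding(KEK, bytes(tampered))
        ok = False
    except ValueError:
        pass
    return ok


if __name__ == "__main__":
    print("RFC 5649 self-test:", "ok" if selftest() else "FAILED")
```

The point of the integrity check is that RFC 5649 gives you authenticated wrapping only if the unwrapper refuses output when the AIV prefix, the MLI range or the zero padding is wrong; a wrapper that skips any of those checks will happily hand back garbage key material under a wrong KEK.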
The server is written in Rust and is broken down into several binaries:

- A server (`cosmian_kms_server`) which is the KMS itself
- A CLI (`ckms`) to interact with this server

And also some libraries:

- `cosmian_kms_client` to query the server
- `cosmian_kms_utils` to create KMIP requests for the crypto-systems designed by Cosmian
- `cosmian_kmip` which is an implementation of the KMIP standard
- `cosmian_kms_pyo3` a KMS client in Python
Please refer to the README of the inner directories to have more information.
The `enclave` directory contains all the requirements to run the KMS inside an Intel SGX enclave.
You can build a docker image containing the KMS server as follows:

```sh
# Example with auth and https features
docker build . --network=host \
    --build-arg \
    -t kms
```
The `delivery` directory contains all the requirements to proceed with a KMS delivery based on a docker creation.
Find the public documentation of the KMS in the `documentation` directory.
From the root of the project, on your local machine, for developing:

```sh
cargo build --no-default-features
cargo test --no-default-features
```
All releases can be found at the public URL package.cosmian.com.