View mode Auto Dark Light

Cosmian KMS

The Cosmian KMS is a high-performance, **open-source **, FIPS 140-3 compliant server application written in **Rust ** with unique capabilities.

High-scale, secure encryption, anywhere

• High-performance: Delivers encryption and decryption services at up to millions of operations per second, close to the applications that use it, while keeping keys in a secure HSM-backed environment.
• Flexible pricing: Per-CPU pricing with no hidden costs for deploying any number of servers.
• Confidential computing: Runs securely in public clouds or zero-trust environments via Cosmian VM. Available on Azure, GCP, and AWS marketplaces - see our deployment guide.

Standards’ compliance

• FIPS 140-3 mode (gated behind the feature fips)
• Full KMIP support (versions 1.0-1.4, 2.0-2.1) in both binary and JSON formats - see KMIP documentation
• HSM support for Trustway Proteccio and Utimaco general purpose HSMs with KMS keys wrapped by the HSM
• 100% developed in the European Union

Modern technology

• Open-source server application written in Rust
• Full-featured Web UI with client command line and graphical interface
• Advanced authentication mechanisms
• High-availability mode with simple horizontal scaling
• Multi-language client support: Python, JavaScript, Dart, Rust, C/C++, and Java (see the cloudproof libraries on Cosmian GitHub)
• Advanced logging with OpenTelemetry

Integrations

• Cloud collaboration security:
  • Google Workspace Client Side Encryption (CSE)
  • Microsoft 365 Double Key Encryption (DKE)
• Disk encryption:
  • Veracrypt
  • LUKS
• Enterprise integrations with VMware, Oracle Database TDE, and more

Three-in-one: KMS + Oracle + PKI

The Cosmian KMS combines the functions of a Key Management System, an Encryption Oracle, and a Public Key Infrastructure:

• Key Management System: Manages the full key lifecycle, including on-the-fly generation and revocation, including for connected HSMs.
• Encryption Oracle: Provides high-availability, high-scalability encryption and decryption operations at millions of operations per second with HSM-backed security.
• PKI: Manages root and intermediate certificates, signs and verifies certificates, and uses public keys for encryption/decryption. Certificates can be exported in various formats (including PKCS#12) for applications like S/MIME encrypted emails.

The Cosmian KMS supports all standard NIST cryptographic algorithms as well as advanced post-quantum cryptography algorithms like Covercrypt. See the complete supported algorithms list.

Deployment options

The Cosmian KMS is available as:

• Package: Debian or RPM
• Docker: Standard image and FIPS image
• Pre-built binaries for Linux, Windows, and macOS

User Interface

The Cosmian KMS includes an intuitive graphical user interface (GUI) with support for client certificate and OIDC token authentication.

Figure 1: Cosmian KMS UI

Client CLI

The Cosmian CLI provides a powerful command-line interface for managing the server, handling keys, and performing encryption/decryption operations. It features integrated help and is available for multiple operating systems.

The Cosmian CLI is packaged as:

• Debian or RPM package
• Pre-built binaries for Linux, Windows, and macOS

Note: ckms has been replaced by Cosmian CLI to manage other Cosmian products.