View mode Auto Dark Light

Cosmian KMS

The Cosmian KMS is a high-performance, source available, FIPS 140-3 compliant server application written in Rust with unique capabilities.

High-scale, secure encryption, anywhere

• High-performance: Delivers encryption and decryption services at up to millions of operations per second, with master keys held in a secure HSM-backed environment.
• Flexible pricing: Per-CPU pricing with no hidden costs, all connectors are included; deploying any number of servers.
• Runs securely in public clouds: or zero-trust environments using Cosmian VMs available on Azure, GCP, and AWS marketplaces - see our deployment guide.

Standards’ compliance

• FIPS 140-3 mode
• KMIP support (versions 1.0-1.4, 2.0-2.1) in both binary and JSON formats - see KMIP documentation
• HSM support for Trustway Proteccio & Crypt2Pay, Utimaco general purpose, Nitrokey HSM 2, Smartcard HSMs,… with KMS keys wrapped by the HSM
• Developed in Rust, a memory safe language, with the source code available on GitHub
• 100% developed in the European Union

Modern technology

• Source Available server application written in Rust
• Full-featured Web UI with client command line and graphical interface
• Advanced authentication mechanisms
• High-availability mode with simple horizontal scaling
• Multi-language client support: Python, JavaScript, Dart, Rust, C/C++, and Java (see the cloudproof libraries on Cosmian GitHub)
• Advanced logging with OpenTelemetry

Integrations

• Cloud integrations:
  • Azure BYOK
  • GCP CSEK and Google CMEK
  • …
• Workplace security:
  • Google Workspace Client Side Encryption (CSE)
  • Microsoft 365 Double Key Encryption (DKE)
• Transparent data encryption:
  • Veracrypt
  • LUKS
  • VMware
  • Oracle Database TDE,
  • MongoDB,
  • PostgreSQL
  • and more
• Big Data encryption:
  • Snowflake
  • Databricks, Spark,.. UDFs

Three-in-one: Key lifecycle management + Encryption oracle + Public key infrastructure

The Cosmian KMS combines the functions of a Key Management System, an Encryption Oracle, and a Public Key Infrastructure:

• Key Management System: Manages the full key lifecycle, including on-the-fly generation and revocation, including for connected HSMs.
• Encryption Oracle: Provides high-availability, high-scalability encryption and decryption operations at millions of operations per second with HSM-backed security.
• PKI: Manages root and intermediate certificates, signs and verifies certificates, and uses public keys for encryption/decryption. Certificates can be exported in various formats (including PKCS#12) for applications like S/MIME encrypted emails.

The Cosmian KMS supports all standard NIST cryptographic algorithms as well as advanced post-quantum cryptography algorithms like Covercrypt. See the complete supported algorithms list.

Deployment options

The Cosmian KMS is available as:

• Package: Debian or RPM
• Docker: Standard image and FIPS image
• Pre-built binaries for Linux, Windows, and macOS

User Interface

The Cosmian KMS includes an intuitive graphical user interface (GUI) with support for client certificate and OIDC token authentication.

Figure 1: Cosmian KMS UI

Client CLI

The Cosmian CLI provides a powerful command-line interface for managing the server, handling keys, and performing encryption/decryption operations. It features integrated help and is available for multiple operating systems.

The Cosmian CLI is packaged as:

• Debian or RPM package
• Pre-built binaries for Linux, Windows, and macOS

Note: ckms has been replaced by Cosmian CLI to manage other Cosmian products.