Command line arguments
Cosmian Key Management Service
Usage: cosmian_kms [OPTIONS] [KEY_ENCRYPTION_KEY]
Arguments:
    [KEY_ENCRYPTION_KEY]  Force all keys imported or created in the KMS, which are not protected by a key encryption key, to be wrapped by the specified key encryption key (KEK)
Options:
--database-type
    The main database of the KMS server that holds default cryptographic objects and permissions.
    - postgresql: PostgreSQL. The database URL must be provided.
    - mysql: MySQL or MariaDB. The database URL must be provided.
    - sqlite: SQLite. The data will be stored at the sqlite_path directory. A key must be supplied on every call.
    - redis-findex [non-FIPS]: a Redis database with encrypted data and indexes thanks to Findex. The Redis URL must be provided, as well as the redis-master-password and the redis-findex-label.
    [env: KMS_DATABASE_TYPE=] [possible values: postgresql, mysql, sqlite]
--database-url
    The URL of the database for Postgres, MySQL, or Findex-Redis [env: KMS_DATABASE_URL=]
--sqlite-path
    The directory path of the SQLite database [env: KMS_SQLITE_PATH=] [default: ./sqlite-data]
--clear-database
    Clear the database on start.
    WARNING: This will delete ALL the data in the database [env: KMS_CLEAR_DATABASE=]
--unwrapped-cache-max-age
    When a wrapped object is fetched from the database, it is unwrapped and stored in the unwrapped cache.
    This option specifies the maximum age in minutes of an unwrapped object in the cache after its last use.
    The default is 15 minutes.
    About 2/3 of the objects will be evicted after this time; the other 1/3 will be evicted after a maximum of 150% of the time. [env: KMS_UNWRAPPED_CACHE_MAX_AGE=] [default: 15]
--socket-server-start
    Start the KMIP socket server? If this is set to true, the TLS config must be provided, featuring a server PKCS#12 file and a client certificate authority certificate file [env: KMS_SOCKET_SERVER_START=]
--socket-server-port
    The KMS socket server port [env: KMS_SOCKET_SERVER_PORT=] [default: 5696]
--socket-server-hostname
    The KMS socket server hostname [env: KMS_SOCKET_SERVER_HOSTNAME=] [default: 0.0.0.0]
--tls-p12-file
    The KMS server optional PKCS#12 Certificates and Key file.
    Mandatory when starting the socket server.
    When provided, the Socket and HTTP server will start in TLS Mode. [env: KMS_TLS_P12_FILE=]
--tls-p12-password
    The password to open the PKCS#12 Certificates and Key file [env: KMS_TLS_P12_PASSWORD=]
--clients-ca-cert-file
    The server's optional X.509 certificate in PEM format, used to validate the client certificate presented for authentication.
    If provided, clients must present a certificate signed by this authority for authentication.
    Mandatory to start the socket server. [env: KMS_CLIENTS_CA_CERT_FILE=]
--tls-cipher-suites
    Colon-separated list of TLS cipher suites to enable.
    Example: --tls-cipher-suites "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256"
    If not specified, the OpenSSL default cipher suites will be used:
    ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:\
    ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:\
    DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:\
    ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:\
    ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:\
    DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:\
    EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:\
    AES256-SHA:DES-CBC3-SHA:!DSS
    For reference, the ANSSI-recommended cipher suites (RFC 8446 compliant) are:
    - For TLS 1.3 (preferred): TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_CCM_SHA256, TLS_AES_128_CCM_8_SHA256
    - For TLS 1.2 (compatibility): TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    [env: KMS_TLS_CIPHER_SUITES=]
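As an added example (not part of the Cosmian KMS project), a POSIX shell preflight check that reads the KMS_* environment variables listed above and enforces the dependencies the reference states: the socket server requires both the PKCS#12 file and the client CA file, PostgreSQL, MySQL and Redis-Findex require a database URL, and every suite passed to --tls-cipher-suites must be on the ANSSI-recommended list. The function names and error messages are my own.

```shell
#!/bin/sh
# Added preflight check, not Cosmian KMS code. It reads the same KMS_*
# environment variables the option reference lists and enforces the
# dependencies stated there before the server is launched.

# ANSSI-recommended TLS 1.3 and TLS 1.2 suites, as listed for --tls-cipher-suites.
KMS_ANSSI_SUITES="TLS_AES_256_GCM_SHA384 TLS_AES_128_GCM_SHA256 TLS_CHACHA20_POLY1305_SHA256 \
TLS_AES_128_CCM_SHA256 TLS_AES_128_CCM_8_SHA256 \
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 \
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 \
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"

# Return 0 when every colon-separated suite in $1 is ANSSI-recommended.
# An empty value means the OpenSSL defaults apply, so there is nothing to check.
kms_check_cipher_suites() {
  [ -n "$1" ] || return 0
  _old_ifs="$IFS"; IFS=':'
  for _suite in $1; do
    case " $KMS_ANSSI_SUITES " in
      *" $_suite "*) ;;
      *) IFS="$_old_ifs"; echo "non-ANSSI cipher suite: $_suite" >&2; return 1 ;;
    esac
  done
  IFS="$_old_ifs"
  return 0
}

# Return 0 when the socket-server, database and cipher-suite settings satisfy
# the constraints in the option reference; report every problem on stderr.
kms_preflight() {
  _ok=0
  if [ "${KMS_SOCKET_SERVER_START:-false}" = "true" ]; then
    # Both files are mandatory once the KMIP socket server is started.
    [ -n "$KMS_TLS_P12_FILE" ] || { echo "socket server needs KMS_TLS_P12_FILE" >&2; _ok=1; }
    [ -n "$KMS_CLIENTS_CA_CERT_FILE" ] || { echo "socket server needs KMS_CLIENTS_CA_CERT_FILE" >&2; _ok=1; }
  fi
  case "${KMS_DATABASE_TYPE:-sqlite}" in
    sqlite) ;;
    postgresql|mysql|redis-findex)
      [ -n "$KMS_DATABASE_URL" ] || { echo "$KMS_DATABASE_TYPE needs KMS_DATABASE_URL" >&2; _ok=1; } ;;
    *) echo "unknown KMS_DATABASE_TYPE: $KMS_DATABASE_TYPE" >&2; _ok=1 ;;
  esac
  kms_check_cipher_suites "$KMS_TLS_CIPHER_SUITES" || _ok=1
  return $_ok
}
```

Source the file and call `kms_preflight` in the service's start script; a non-zero exit stops the launch with the offending setting named.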
--port
    The KMS HTTP server port [env: KMS_PORT=] [default: 9998]
--hostname
    The KMS HTTP server hostname [env: KMS_HOSTNAME=] [default: 0.0.0.0]
--api-token-id
    An optional API token to use for authentication on the HTTP server. [env: KMS_API_TOKEN=]
--https-p12-file
    DEPRECATED: use the TLS section instead.
    The KMS server optional PKCS#12 Certificates and Key file. If provided, this will start the server in HTTPS mode. [env: KMS_HTTPS_P12_FILE=]
--https-p12-password
    DEPRECATED: use the TLS section instead.
    The password to open the PKCS#12 Certificates and Key file. [env: KMS_HTTPS_P12_PASSWORD=]
--authority-cert-file
    DEPRECATED: use the TLS section instead.
    The server's optional X.509 certificate in PEM format, used to validate the client certificate presented for authentication.
    If provided, clients must present a certificate signed by this authority for authentication.
    The server must run in TLS mode for this to be used. [env: KMS_AUTHORITY_CERT_FILE=]
--proxy-url
    The proxy URL:
    - e.g., https://secure.example for an HTTP proxy
    - e.g., socks5://192.168.1.1:9000 for a SOCKS proxy
    [env: KMS_PROXY_URL=]
--proxy-basic-auth-username
    Set the Proxy-Authorization header username using Basic auth. [env: KMS_PROXY_BASIC_AUTH_USERNAME=]
--proxy-basic-auth-password
    Set the Proxy-Authorization header password using Basic auth. [env: KMS_PROXY_BASIC_AUTH_PASSWORD=]
--proxy-custom-auth-header
    Set the Proxy-Authorization header to a specified value. [env: KMS_PROXY_CUSTOM_AUTH_HEADER=]
--proxy-exclusion-list
    The No Proxy exclusion list for this Proxy [env: KMS_PROXY_NO_PROXY=]
--jwt-issuer-uri
    DEPRECATED: use the Idp config section instead. JWT authentication issuer URI [env: KMS_JWT_ISSUER_URI=]
--jwks-uri
    DEPRECATED: use the Idp config section instead. JWT authentication JWKS URI [env: KMS_JWKS_URI=]
--jwt-audience
    DEPRECATED: use the Idp config section instead. JWT authentication audience [env: KMS_JWT_AUDIENCE=]
--jwt-auth-provider
    JWT authentication provider configuration [env: KMS_JWT_AUTH_PROVIDER=]
-u, --ui-index-html-folder
    The UI distribution folder [env: COSMIAN_UI_DIST_PATH=] [default: /usr/local/cosmian/ui/dist/]
--ui-oidc-client-id
    The client ID of the configured OIDC tenant for UI Auth [env: UI_OIDC_CLIENT_ID=]
--ui-oidc-client-secret
    The client secret of the configured OIDC tenant for UI Auth [env: UI_OIDC_CLIENT_SECRET=]
--ui-oidc-issuer-url
    The issuer URI of the configured OIDC tenant for UI Auth [env: UI_OIDC_ISSUER_URL=]
--ui-oidc-logout-url
    The logout URI of the configured OIDC tenant for UI Auth [env: UI_OIDC_LOGOUT_URL=]
--google-cse-enable
    This setting turns on the endpoints handling the Google CSE feature [env: KMS_GOOGLE_CSE_ENABLE=]
--google-cse-disable-tokens-validation
    This setting turns off the validation of the tokens used by this server's Google Workspace CSE feature [env: KMS_GOOGLE_CSE_DISABLE_TOKENS_VALIDATION=]
--google-cse-incoming-url-whitelist
    This setting contains the list of KACLS server URLs that can access this server for Google CSE migration, through the privilegedunwrap endpoint (used to fetch the exposed JWKS on server start) [env: KMS_GOOGLE_CSE_INCOMING_URL_WHITELIST=]
--google-cse-migration-key
    PEM PKCS8 RSA private key used to ensure consistency of certificate handling and privileged unwrap operations across server restarts and multiple server instances. If not provided, a random key will be generated at server startup [env: KMS_GOOGLE_CSE_MIGRATION_KEY=]
--root-data-path
    The root folder where the KMS will store its data. A relative path is taken relative to the user's HOME directory [env: KMS_ROOT_DATA_PATH=] [default: ./cosmian-kms]
--tmp-path
    The folder to store temporary data (non-persistent data readable by no one but the current instance during the current execution) [env: KMS_TMP_PATH=] [default: /tmp]
--default-username
    The default username to use when no authentication method is provided [env: KMS_DEFAULT_USERNAME=] [default: admin]
--force-default-username
    When an authentication method is provided, perform the authentication but always use the default username instead of the one provided by the authentication method [env: KMS_FORCE_DEFAULT_USERNAME=]
--ms-dke-service-url
    This setting enables the Microsoft Double Key Encryption service feature of this server. [env: KMS_MS_DKE_SERVICE_URL=]
--rust-log
    An alternative to setting the RUST_LOG environment variable.
    Setting this variable will override the RUST_LOG environment variable [env: KMS_RUST_LOG=]
--otlp
    The OTLP collector URL for gRPC (for instance, http://localhost:4317).
    If not set, the telemetry system will not be initialized [env: KMS_OTLP_URL=]
--quiet
    Do not log to stdout [env: KMS_LOG_QUIET=]
--log-to-syslog
    Log to syslog [env: KMS_LOG_TO_SYSLOG=]
--rolling-log-dir
    If set, daily rolling logs will be written to the specified directory using the name specified by rolling_log_name: <rolling_log_name>.YYYY-MM-DD. [env: KMS_ROLLING_LOG_DIR=]
--rolling-log-name
    If rolling_log_dir is set, this is the name of the rolling log file: <rolling_log_name>.YYYY-MM-DD.
    Defaults to "kms" if not set. [env: KMS_ROLLING_LOG_NAME=]
--enable-metering
    Enable metering in addition to tracing when telemetry is enabled [env: KMS_ENABLE_METERING=]
--environment
    The name of the environment (development, test, production, etc.)
    This will be added to the telemetry data if telemetry is enabled [env: KMS_ENVIRONMENT=] [default: development]
--ansi-colors
    Enable ANSI colors in the logs to stdout [env: KMS_ANSI_COLORS=]
--info
    Print the server configuration information and exit
--hsm-model
    The HSM model.
    Trustway Proteccio and Utimaco General Purpose HSMs are supported. [default: proteccio] [possible values: proteccio, utimaco]
--hsm-admin
    The username of the HSM admin. The HSM admin can create objects on the HSM, destroy them, and potentially export them [env: KMS_HSM_ADMIN=] [default: admin]
--hsm-slot
    HSM slot number. The slots used must be listed.
    Repeat this option to specify multiple slots, giving a password for each slot (or an empty string for no password), e.g.
    --hsm_slot 1 --hsm_password password1 \
    --hsm_slot 2 --hsm_password password2
--hsm-password
    Password for the user logging in to the HSM slot specified with --hsm_slot.
    Provide an empty string for no password; see --hsm_slot for more information
--kms-public-url
    The exposed URL of the KMS; this is required if the Google CSE configuration is activated.
    If this server is running on the domain cse.my_domain.com with this public URL, the URL configured in Google admin should be something like https://cse.my_domain.com/google_cse
    The URL is also used during the authentication flow initiated from the KMS UI. [env: KMS_PUBLIC_URL=]
--privileged-users
    List of users who have the right to create and import Objects and grant access rights for the Create KMIP Operation.
-h, --help
    Print help (see more with '--help')
-V, --version
    Print version