
Cosmian VM KMS

A KMS-ready instance based on Cosmian VM can be deployed on virtual machines that support AMD SEV-SNP or Intel TDX technologies.

The following steps help you deploy your own instance on each available cloud provider.

Please first read the guide on how to set up a Cosmian VM.

Deploy Cosmian VM KMS on a cloud provider 🚚

Go to the Cosmian marketplace page of the chosen cloud provider.

Select an OS and continue until the Cosmian VM KMS instance is spawned.

The Cosmian VM KMS contains:

  • a ready-to-go Nginx setup
  • a KMS service which is ready but not started yet (needs a valid configuration to start)
  • the Cosmian VM software stack

Snapshot the VM 📸

Once the VM is configured as needed, the Cosmian VM Agent can take a snapshot of the VM containing the fingerprints of the executables and metadata related to the TEE and the TPM.

Connect to the Cosmian VM KMS using SSH, and start the Cosmian VM Agent service:

Remote Cosmian VM KMS
cosmian_vm$ sudo supervisorctl start cosmian_vm_agent

The agent creates an encrypted folder (a LUKS container) to store sensitive information, creates a self-signed certificate for Nginx and starts a snapshot.

Wait for the agent to initialize the LUKS container and generate the certificates. Then Nginx can be started to bridge access to the KMS:

Remote Cosmian VM KMS
cosmian_vm$ until [ -f /var/lib/cosmian_vm/data/cert.pem ]; do sleep 1; done
cosmian_vm$ sudo systemctl start nginx

Configure the KMS 📜

It is safe to provide secrets (such as passwords) in the configuration file because this file is stored in the encrypted folder (LUKS) of the Cosmian VM KMS.

By default, a local SQLite database is used as the storage engine.

kms.toml
[http]
port = 8080

This port must match the one set in the Nginx configuration.

A database can be specified, for example an external managed Redis with a password:

kms.toml
[http]
port = 8080

[db]
database_type = "redis-findex"
database_url = "redis://<some_managed_redis>:6379"
redis_master_password = "master-password"
redis_findex_label = "label"

The DB type redis-findex is a Redis database with encrypted data and encrypted indexes thanks to Cosmian Findex.

The database_url points to the Redis instance, typically an external managed Redis database.

The redis_master_password is used to encrypt the Redis data and indexes.

The redis_findex_label is a public arbitrary label that can be changed to rotate the Findex ciphertexts without changing the key.
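As an added pre-flight check (example code, not from the Cosmian documentation or project): a small Python validator that parses the flat kms.toml layout shown above and enforces the rules stated in this section, namely that [http].port must match the Nginx port and that a redis-findex database needs database_url, redis_master_password and redis_findex_label. The Nginx upstream port is passed in as an argument (8080 is assumed from the sample), and the placeholder check simply keys on the literal <...> host from the example.

```python
import re

REDIS_FINDEX_KEYS = ("database_url", "redis_master_password", "redis_findex_label")

def parse_kms_toml(text):
    """Minimal parser for the flat kms.toml layout: [section], "string" and integer values."""
    cfg, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := re.fullmatch(r"\[([\w-]+)\]", line):
            section = cfg.setdefault(m.group(1), {})
            continue
        m = re.fullmatch(r'([\w-]+)\s*=\s*(?:"([^"]*)"|(\d+))', line)
        if m is None or section is None:
            raise ValueError(f"unsupported kms.toml line: {raw!r}")
        key, string_val, int_val = m.groups()
        section[key] = string_val if string_val is not None else int(int_val)
    return cfg

def check_kms_config(text, nginx_upstream_port):
    """Return the problems found; an empty list means the file is ready for `app init`."""
    cfg, problems = parse_kms_toml(text), []
    port = cfg.get("http", {}).get("port")
    if port is None:
        problems.append("[http].port is missing")
    elif port != nginx_upstream_port:
        problems.append(f"[http].port {port} does not match Nginx upstream {nginx_upstream_port}")
    db = cfg.get("db")  # no [db] section means the default local SQLite storage
    if db is not None and db.get("database_type") == "redis-findex":
        for key in REDIS_FINDEX_KEYS:
            if not db.get(key):
                problems.append(f"[db].{key} is required for redis-findex")
        if db.get("database_url", "").startswith("redis://<"):
            problems.append("[db].database_url still contains the <placeholder> host")
    return problems

# Constructed sample: the Redis example with its placeholder host left in and no master password.
SAMPLE_KMS_TOML = """\
[http]
port = 8080
[db]
database_type = "redis-findex"
database_url = "redis://<some_managed_redis>:6379"
redis_findex_label = "label"
"""

if __name__ == "__main__":
    print("\n".join(check_kms_config(SAMPLE_KMS_TOML, 8080)) or "kms.toml looks ready")
```

Run it against the real kms.toml before the `app init` step; the two problems it reports for the constructed sample are the missing master password and the unreplaced placeholder host.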

Install the Cosmian VM CLI on a local machine

Download the binary and allow it to be executed:

On the local machine
$ sudo apt update && sudo apt install -y wget libtss2-dev
$ wget https://github.com/Cosmian/cosmian_vm/releases/latest/download/cosmian_vm
$ chmod +x ./cosmian_vm

Alternatively, start an Ubuntu-based Docker container and enter it:

On the local machine
$ docker run -it ubuntu:22.04 /bin/bash

Download the binary and allow it to be executed:

In Docker container (local machine)
$ apt update && apt install -y wget libtss2-dev
$ wget https://github.com/Cosmian/cosmian_vm/releases/latest/download/cosmian_vm
$ chmod +x ./cosmian_vm

Deploy the configuration and start the Cosmian KMS:

On the local machine
$ ./cosmian_vm --url https://${COSMIAN_VM_KMS_IP_ADDR}:5355 \
            --allow-insecure-tls \
            app init -c kms.toml

Check the connection with the KMS:

$ curl --insecure https://${COSMIAN_VM_KMS_IP_ADDR}/version
"4.13.3"

Why the --allow-insecure-tls and --insecure flags?

When the agent starts (see Snapshot the VM), a self-signed certificate is created to enable HTTPS out of the box.

These certificates must be replaced by trusted ones using tools like cosmian_certtool or standard Linux tools (certbot with Let’s Encrypt, for instance).

See how to set up trusted certificates.

Verify the Cosmian VM KMS integrity ✅

Verifying the trustworthiness of the Cosmian VM KMS is exactly the same process as verifying the Cosmian VM itself.

© Copyright 2018-2024 Cosmian. All rights reserved.