View mode Auto Dark Light

Getting started

The Cosmian KMS is a high-performance, open-source, FIPS 140-3 compliant server application written in Rust that presents some unique features, such as:

• the ability to confidentially run in a public cloud — or any zero-trust environment — using Cosmian VM. See our cloud-ready confidential KMS on the Azure, GCP, and AWS marketplaces and our deployment guide
• support of state-of-the-art authentication mechanisms (see authentication)
• out-of-the-box support of Google Workspace Client Side Encryption (CSE)
• out-of-the-box support of Microsoft Double Key Encryption (DKE)
• support for the Proteccio HSM with KMS keys wrapped by the HSM
• Veracrypt and LUKS disk encryption support
• FIPS 140-3 mode gated behind the feature fips
• a JSON KMIP 2.1 compliant interface
• a full-featured client command line and graphical interface
• a high-availability mode with simple horizontal scaling
• a support of Python, Javascript, Dart, Rust, C/C++, and Java clients (see the cloudproof libraries on Cosmian Github)
• integrated with OpenTelemetry

The Cosmian KMS is both a Key Management System and a Public Key Infrastructure. As a KMS, it is designed to manage the lifecycle of keys and provide scalable cryptographic services such as on-the-fly key generation, encryption, and decryption operations.

The Cosmian KMS supports all the standard NIST cryptographic algorithms as well as advanced post-quantum cryptography algorithms such as Covercrypt. Please refer to the list of supported algorithms.

As a PKI it can manage root and intermediate certificates, sign and verify certificates, use their public keys to encrypt and decrypt data. Certificates can be exported under various formats including PKCS#12 modern and legacy flavor, to be used in various applications, such as in S/MIME encrypted emails.

Easy to deploy

The Cosmian KMS is packaged as:

• Debian or RPM package
• Docker image and FIPS image
• Pre-built binaries for multiple operating systems (Linux, Windows, MacOS)

Client CLI

The Cosmian KMS has an easy-to-use client command line interface built for many operating systems. The Cosmian CLI can manage the server, and the keys and perform operations such as encryption or decryption.

The Cosmian CLI is packaged as:

• Debian or RPM package
• Pre-built binaries for multiple operating systems (Linux, Windows, MacOS)

Note: ckms has been replaced by Cosmian CLI to manage other Cosmian products.

Quick start

To quick-start a Cosmian KMS server on http://localhost:9998 that stores its data inside the container, simply run the following command:

docker run -p 9998:9998 --name kms ghcr.io/cosmian/kms:4.20.1

Using Cosmian CLI, you can easily manage the server:

1) Create a 256-bit symmetric key

cosmian kms sym keys create --number-of-bits 256 --algorithm aes --tag my-file-key
...
The symmetric key was successfully generated.
      Unique identifier: 87e9e2a8-4538-4701-aa8c-e3af94e44a9e

2) Encrypt the image.png file with AES GCM using the key

cosmian kms sym encrypt --tag my-file-key --output-file image.enc image.png
...
The encrypted file is available at "image.enc"

3) Decrypt the image.enc file using the key

cosmian kms sym decrypt --tag my-file-key --output-file image2.png image.enc
...
The decrypted file is available at "image2.png"