Cosmian Command Line Interface (CLI)
KMS CLI is the Command Line Interface to drive KMS.
KMS CLI provides a powerful interface to manage and secure your cryptographic keys and secrets using the Cosmian Key Management System (KMS). The KMS offers a high-performance, scalable solution with unique features such as confidential execution in zero-trust environments, compliance with KMIP 2.1, and support for various cryptographic algorithms and protocols.
Beyond the CLI interface, Cosmian also provides a PKCS#11 library (libcosmian_pkcs11.so) that enables seamless integration with existing cryptographic infrastructure. This library acts as a bridge between applications requiring PKCS#11 interfaces and the Cosmian KMS, providing:
- Database Encryption Support: Integration with Oracle Database Transparent Data Encryption (TDE) for automatic encryption of data at rest, either through Oracle Key Vault or direct HSM communication
- Disk Encryption Support: Compatible with popular disk encryption solutions including VeraCrypt, LUKS, and Cryhod for protecting data on storage devices
The PKCS#11 library enables organizations to leverage Cosmian’s advanced cryptographic capabilities while maintaining compatibility with their existing security infrastructure and workflows.
By leveraging KMS CLI, users can seamlessly integrate advanced cryptographic functionalities and secure search capabilities into their applications, enhancing data security and privacy.
Important
A Web UI version of the CLI is also available when installing the KMS server.
Info
Please download the latest versions for your Operating System from the Cosmian public packages repository. See below for installation instructions.
Download package and install it:
Download the DMG installer and install it:
wget https://package.cosmian.com/kms/5.20.1/dmg/arm64/non-fips/static/cosmian-kms-cli-non-fips-static-openssl-5.20.1_arm64.dmg
sudo hdiutil attach cosmian-kms-cli-non-fips-static-openssl-5.20.1_arm64.dmg
sudo installer -pkg /Volumes/cosmian-kms-cli/cosmian-kms-cli.pkg -target /
hdiutil detach /Volumes/cosmian-kms-cli
ckms --version
Configuration
To communicate with the KMS, the ckms clients expect the same configuration file. Please read the configuration section.
Usage
Command Line Interface used to manage the Cosmian KMS server.
If any assistance is needed, please either visit the Cosmian technical documentation at https://docs.cosmian.com
or contact the Cosmian support team on Discord https://discord.com/invite/7kPMNtHpnz
Usage: ckms [OPTIONS] <COMMAND>
Commands:
access-rights Manage the users' access rights to the cryptographic objects
attributes Get/Set/Delete/Modify the KMIP object attributes
azure Support for Azure specific interactions
aws Support for AWS specific interactions
bench Run benchmarks using criterion for statistical analysis.
cc Manage Covercrypt keys and policies. Rotate attributes. Encrypt and decrypt data
pqc Manage post-quantum keys (ML-KEM, ML-DSA, Hybrid KEM, SLH-DSA). Encapsulate, decapsulate, sign, and verify
certificates Manage certificates. Create, import, destroy and revoke. Encrypt and decrypt data
derive-key Derive a new key from an existing key
ec Manage elliptic curve keys. Encrypt and decrypt data using ECIES
google Manage google elements. Handle key pairs and identities from Gmail API
locate Locate cryptographic objects inside the KMS
login Login to the Identity Provider of the KMS server using the `OAuth2` authorization code flow.
logout Logout from the Identity Provider
hash Hash arbitrary data.
mac MAC utilities: compute or verify a MAC value.
rng RNG utilities: retrieve random bytes or seed RNG
server Server-related commands
rsa Manage RSA keys. Encrypt and decrypt data using RSA keys
opaque-object Create, import, export, revoke and destroy Opaque Objects
secret-data Create, import, export and destroy secret data
sym Manage symmetric keys. Encrypt and decrypt data
markdown Regenerate the CLI documentation in Markdown format
configure Configure the KMS CLI (create ckms.toml)
help Print this message or the help of the given subcommand(s)
Options:
-c, --conf-path <CONF_PATH>
Configuration file location
This is an alternative to the env variable `CKMS_CONF_PATH`. Takes precedence over `CKMS_CONF_PATH` env variable.
[env: CKMS_CONF_PATH=]
--url <URL>
The URL of the KMS
[env: KMS_DEFAULT_URL=]
--print-json
Output the KMS JSON KMIP request and response. This is useful to understand JSON POST requests and responses required to programmatically call the KMS on the `/kmip/2_1` endpoint
--accept-invalid-certs
Allow to connect using a self-signed cert or untrusted cert chain
`accept_invalid_certs` is useful if the CLI needs to connect to an HTTPS KMS server running an invalid or insecure SSL certificate
-H, --header <NAME: VALUE>
Add a custom HTTP header to every request sent to the KMS server.
The header must be specified in `"Name: Value"` format, matching the
curl `-H` / `--header` convention. This option may be repeated to add
multiple headers.
The environment variable `CLI_HEADER` may also be used; separate
multiple headers with a newline character.
Example: `--header "cf-access-token: <token>"`
[env: CLI_HEADER=]
--proxy-url <PROXY_URL>
The proxy URL:
- e.g., `https://secure.example` for an HTTP proxy
- e.g., `socks5://192.168.1.1:9000` for a SOCKS proxy
[env: CLI_PROXY_URL=]
--proxy-basic-auth-username <PROXY_BASIC_AUTH_USERNAME>
Set the Proxy-Authorization header username using Basic auth.
[env: CLI_PROXY_BASIC_AUTH_USERNAME=]
--proxy-basic-auth-password <PROXY_BASIC_AUTH_PASSWORD>
Set the Proxy-Authorization header password using Basic auth.
[env: CLI_PROXY_BASIC_AUTH_PASSWORD=]
--proxy-custom-auth-header <PROXY_CUSTOM_AUTH_HEADER>
Set the Proxy-Authorization header to a specified value.
[env: CLI_PROXY_CUSTOM_AUTH_HEADER=]
--proxy-exclusion-list <PROXY_EXCLUSION_LIST>
The No Proxy exclusion list to this Proxy
[env: CLI_PROXY_NO_PROXY=]
-h, --help
Print help (see a summary with '-h')
-V, --version
Print version
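
The options above include one that turns off TLS certificate validation (--accept-invalid-certs) and several that put credentials on the command line, where they show up in process listings and shell history, although the help text lists environment variables for the same values. The following is an added example, not part of the Cosmian documentation or code: a POSIX shell lint that flags such ckms invocations in a script. The function names, finding labels and sample script are constructed for illustration.

```shell
# Added example, not Cosmian code: lint a shell script for risky ckms options.
# Option and env names come from the help text above; the rest is constructed.

has() { printf '%s\n' "$line" | grep -Eq -e "$1"; }

# Print one finding per risky option on a single (joined) command line.
audit_ckms_line() {
    line=$1
    has '^[[:space:]]*#' && return 0                         # comment line
    has '(^|[[:space:];|&])ckms([[:space:]]|$)' || return 0  # not a ckms call
    if has '--accept-invalid-certs'; then
        echo "TLS_VERIFY_OFF: --accept-invalid-certs skips certificate checks"; fi
    if has '--proxy-basic-auth-password'; then
        echo "SECRET_IN_ARGV: use CLI_PROXY_BASIC_AUTH_PASSWORD instead"; fi
    if has '--proxy-custom-auth-header'; then
        echo "SECRET_IN_ARGV: use CLI_PROXY_CUSTOM_AUTH_HEADER instead"; fi
    if has '(^|[[:space:]])(-H|--header)([[:space:]=]|$)'; then
        echo "SECRET_IN_ARGV: put header values in CLI_HEADER instead"; fi
    return 0
}

# Audit a whole script; returns 1 when anything was reported (CI gate).
audit_ckms_script() {
    found=0
    # read without -r joins backslash-continued lines, so an option on a
    # continuation line is still attributed to its ckms command.
    while IFS= read line || [ -n "$line" ]; do
        out=$(audit_ckms_line "$line")
        if [ -n "$out" ]; then printf '%s\n' "$out"; found=1; fi
    done < "$1"
    return "$found"
}

# Constructed sample input.
write_sample() {
    cat > "$1" <<'EOF'
#!/bin/sh
# ckms --accept-invalid-certs (mentioned in a comment only)
ckms --url https://kms.example.test locate
ckms --url https://kms.example.test \
     --accept-invalid-certs locate
ckms --proxy-url https://secure.example --proxy-basic-auth-password hunter2 locate
CLI_HEADER="cf-access-token: $TOKEN" ckms locate
EOF
}

sample=$(mktemp) && write_sample "$sample"
audit_ckms_script "$sample" || echo "risky ckms options found"
rm -f "$sample"
```

The check is a text heuristic: it does not resolve shell variables or aliases, so treat a clean result as the absence of the obvious cases only.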