Skip to content

Cosmian Command Line Interface (CLI)

KMS CLI is the Command Line Interface to drive KMS.

KMS CLI provides a powerful interface to manage and secure your cryptographic keys and secrets using the Cosmian Key Management System KMS. The KMS offers a high-performance, scalable solution with unique features such as confidential execution in zero-trust environments, compliance with KMIP 2.1, and support for various cryptographic algorithms and protocols.

Beyond the CLI interface, Cosmian also provides a PKCS#11 library (libcosmian_pkcs11.so) that enables seamless integration with existing cryptographic infrastructure. This library acts as a bridge between applications requiring PKCS#11 interfaces and the Cosmian KMS, providing:

  • Database Encryption Support: Integration with Oracle Database Transparent Data Encryption (TDE) for automatic encryption of data at rest, either through Oracle Key Vault or direct HSM communication
  • Disk Encryption Support: Compatible with popular disk encryption solutions including VeraCrypt, LUKS, and Cryhod for protecting data on storage devices

The PKCS#11 library enables organizations to leverage Cosmian’s advanced cryptographic capabilities while maintaining compatibility with their existing security infrastructure and workflows.

By leveraging KMS CLI, users can seamlessly integrate advanced cryptographic functionalities and secure search capabilities into their applications, enhancing data security and privacy.

Important

A Web UI version of the CLI is also available when installing the KMS server.

Info

Please download the latest versions for your Operating System from the Cosmian public packages repository See below for installation instructions.

Download package and install it:

On local machine
sudo apt update && sudo apt install -y wget
wget https://package.cosmian.com/kms/5.20.1/deb/amd64/non-fips/static/cosmian-kms-cli-non-fips-static-openssl_5.20.1_amd64.deb
sudo apt install ./cosmian-kms-cli-non-fips-static-openssl_5.20.1_amd64.deb
ckms --version

Download package and install it:

On local machine
sudo apt update && sudo apt install -y wget
wget https://package.cosmian.com/kms/5.20.1/deb/arm64/non-fips/static/cosmian-kms-cli-non-fips-static-openssl_5.20.1_arm64.deb
sudo apt install ./cosmian-kms-cli-non-fips-static-openssl_5.20.1_arm64.deb
ckms --version

Download package and install it:

On local machine
sudo dnf update && sudo dnf install -y wget
wget https://package.cosmian.com/kms/5.20.1/rpm/amd64/non-fips/static/cosmian-kms-cli-non-fips-static-openssl_5.20.1_x86_64.rpm
sudo dnf install ./cosmian-kms-cli-non-fips-static-openssl_5.20.1_x86_64.rpm
ckms --version

Download package and install it:

On local machine
sudo dnf update && sudo dnf install -y wget
wget https://package.cosmian.com/kms/5.20.1/rpm/arm64/non-fips/static/cosmian-kms-cli-non-fips-static-openssl_5.20.1_aarch64.rpm
sudo dnf install ./cosmian-kms-cli-non-fips-static-openssl_5.20.1_aarch64.rpm
ckms --version

Download the DMG installer and install it:

On local machine
wget https://package.cosmian.com/kms/5.20.1/dmg/arm64/non-fips/static/cosmian-kms-cli-non-fips-static-openssl-5.20.1_arm64.dmg
sudo hdiutil attach cosmian-kms-cli-non-fips-static-openssl-5.20.1_arm64.dmg
sudo installer -pkg /Volumes/cosmian-kms-cli/cosmian-kms-cli.pkg -target /
hdiutil detach /Volumes/cosmian-kms-cli
ckms --version

On Windows, download the installer:

Build archive
 https://package.cosmian.com/kms/5.20.1/windows/x86_64/non-fips/static-openssl/cosmian-kms-cli-non-fips-static-openssl_5.20.1_x86_64.exe

Run the installer and add the installation directory to your PATH, then run:

On local machine
ckms --version

Configuration

To communicate with the KMS, the clients ckms expect the same configuration file. Please read the configuration section.

Usage

Usage

Command Line Interface used to manage the Cosmian KMS server.

If any assistance is needed, please either visit the Cosmian technical documentation at https://docs.cosmian.com
or contact the Cosmian support team on Discord https://discord.com/invite/7kPMNtHpnz


Usage: ckms [OPTIONS] <COMMAND>

Commands:
  access-rights  Manage the users' access rights to the cryptographic objects
  attributes     Get/Set/Delete/Modify the KMIP object attributes
  azure          Support for Azure specific interactions
  aws            Support for AWS specific interactions
  bench          Run benchmarks using criterion for statistical analysis.
  cc             Manage Covercrypt keys and policies. Rotate attributes. Encrypt and decrypt data
  pqc            Manage post-quantum keys (ML-KEM, ML-DSA, Hybrid KEM, SLH-DSA). Encapsulate, decapsulate, sign, and verify
  certificates   Manage certificates. Create, import, destroy and revoke. Encrypt and decrypt data
  derive-key     Derive a new key from an existing key
  ec             Manage elliptic curve keys. Encrypt and decrypt data using ECIES
  google         Manage google elements. Handle key pairs and identities from Gmail API
  locate         Locate cryptographic objects inside the KMS
  login          Login to the Identity Provider of the KMS server using the `OAuth2` authorization code flow.
  logout         Logout from the Identity Provider
  hash           Hash arbitrary data.
  mac            MAC utilities: compute or verify a MAC value.
  rng            RNG utilities: retrieve random bytes or seed RNG
  server         Server-related commands
  rsa            Manage RSA keys. Encrypt and decrypt data using RSA keys
  opaque-object  Create, import, export, revoke and destroy Opaque Objects
  secret-data    Create, import, export and destroy secret data
  sym            Manage symmetric keys. Encrypt and decrypt data
  markdown       Regenerate the CLI documentation in Markdown format
  configure      Configure the KMS CLI (create ckms.toml)
  help           Print this message or the help of the given subcommand(s)

Options:
  -c, --conf-path <CONF_PATH>
          Configuration file location

          This is an alternative to the env variable `CKMS_CONF_PATH`. Takes precedence over `CKMS_CONF_PATH` env variable.

          [env: CKMS_CONF_PATH=]

      --url <URL>
          The URL of the KMS

          [env: KMS_DEFAULT_URL=]

      --print-json
          Output the KMS JSON KMIP request and response. This is useful to understand JSON POST requests and responses required to programmatically call the KMS on the `/kmip/2_1` endpoint

      --accept-invalid-certs
          Allow to connect using a self-signed cert or untrusted cert chain

          `accept_invalid_certs` is useful if the CLI needs to connect to an HTTPS KMS server running an invalid or insecure SSL certificate

  -H, --header <NAME: VALUE>
          Add a custom HTTP header to every request sent to the KMS server.

          The header must be specified in `"Name: Value"` format, matching the
          curl `-H` / `--header` convention. This option may be repeated to add
          multiple headers.

          The environment variable `CLI_HEADER` may also be used; separate
          multiple headers with a newline character.

          Example: `--header "cf-access-token: <token>"`

          [env: CLI_HEADER=]

      --proxy-url <PROXY_URL>
          The proxy URL:
            - e.g., `https://secure.example` for an HTTP proxy
            - e.g., `socks5://192.168.1.1:9000` for a SOCKS proxy

          [env: CLI_PROXY_URL=]

      --proxy-basic-auth-username <PROXY_BASIC_AUTH_USERNAME>
          Set the Proxy-Authorization header username using Basic auth.

          [env: CLI_PROXY_BASIC_AUTH_USERNAME=]

      --proxy-basic-auth-password <PROXY_BASIC_AUTH_PASSWORD>
          Set the Proxy-Authorization header password using Basic auth.

          [env: CLI_PROXY_BASIC_AUTH_PASSWORD=]

      --proxy-custom-auth-header <PROXY_CUSTOM_AUTH_HEADER>
          Set the Proxy-Authorization header to a specified value.

          [env: CLI_PROXY_CUSTOM_AUTH_HEADER=]

      --proxy-exclusion-list <PROXY_EXCLUSION_LIST>
          The No Proxy exclusion list to this Proxy

          [env: CLI_PROXY_NO_PROXY=]

  -h, --help
          Print help (see a summary with '-h')

  -V, --version
          Print version

© Copyright 2018-2024 Cosmian. All rights reserved.