The Cosmian KMS is a high-performance, open-source, FIPS 140-3 compliant server application written in Rust with unique capabilities.
- High-performance: Delivers encryption and decryption services at up to millions of operations per second, close to the applications that use it, while keeping keys in a secure HSM-backed environment.
- Flexible pricing: Per-CPU pricing with no hidden costs for deploying any number of servers.
- Confidential computing: Runs securely in public clouds or zero-trust environments via Cosmian VM. Available on Azure, GCP, and AWS marketplaces - see our deployment guide.
- FIPS 140-3 mode (gated behind the feature `fips`)
- Full KMIP support (versions 1.0-1.4, 2.0-2.1) in both binary and JSON formats - see KMIP documentation
- HSM support for Trustway Proteccio and Utimaco general purpose HSMs with KMS keys wrapped by the HSM
- 100% developed in the European Union
- Open-source server application written in Rust
- Full-featured Web UI with client command line and graphical interface
- Advanced authentication mechanisms
- High-availability mode with simple horizontal scaling
- Multi-language client support: Python, JavaScript, Dart, Rust, C/C++, and Java (see the `cloudproof` libraries on Cosmian GitHub)
- Advanced logging with OpenTelemetry
- Cloud collaboration security:
- Disk encryption:
- Enterprise integrations with VMware, Oracle Database TDE, and more
The Cosmian KMS combines the functions of a Key Management System, an Encryption Oracle, and a Public Key Infrastructure:
- Key Management System: Manages the full key lifecycle, with on-the-fly generation and revocation, including for connected HSMs.
- Encryption Oracle: Provides high-availability, high-scalability encryption and decryption operations at millions of operations per second with HSM-backed security.
- PKI: Manages root and intermediate certificates, signs and verifies certificates, and uses public keys for encryption/decryption. Certificates can be exported in various formats (including PKCS#12) for applications like S/MIME encrypted emails.
The Cosmian KMS supports all standard NIST cryptographic algorithms as well as advanced post-quantum cryptography algorithms like Covercrypt. See the complete supported algorithms list.
The Cosmian KMS is available as:
- Package: Debian or RPM
- Docker: Standard image and FIPS image
- Pre-built binaries for Linux, Windows, and macOS
The Cosmian KMS includes an intuitive graphical user interface (GUI) with support for client certificate and OIDC token authentication.
The Cosmian CLI provides a powerful command-line interface for managing the server, handling keys, and performing encryption/decryption operations. It features integrated help and is available for multiple operating systems.
The Cosmian CLI is packaged as:
- Debian or RPM package
- Pre-built binaries for Linux, Windows, and macOS
Note: `ckms` has been replaced by the Cosmian CLI in order to also manage other Cosmian products.
