cryptpilot supports multiple key provider types through modular design. Key providers determine how encryption keys are obtained and managed for encrypted volumes.
The OTP provider is a special provider that generates a random password each time the volume is opened. It is suitable for temporary or volatile storage.
Important
OTP volumes are wiped on each open. Data is NOT persistent across reboots.
Configuration:

```toml
[encrypt.otp]
```

No additional fields are required.
Use cases:
- Temporary scratch space
- Swap partitions
- Cache directories
- Any volatile data storage
Supported by: cryptpilot-crypt only (not available for FDE rootfs/data volumes)
Template: otp.toml.template
The KBS provider fetches keys from a Key Broker Service (KBS) using remote attestation.
Configuration:

Two modes are supported (cdh_type is optional and defaults to one-shot):

1. One-shot mode (default)

Invokes the confidential-data-hub binary to fetch keys.

```toml
[encrypt.kbs]
# cdh_type = "one-shot"
kbs_url = "https://kbs.example.com"
key_uri = "kbs:///default/mykey/volume_data0"
# Optional: HTTPS Root CA certificate (PEM format)
# kbs_root_cert = "-----BEGIN CERTIFICATE-----..."
```

2. Daemon mode

Connects to a running CDH daemon via ttrpc.

```toml
[encrypt.kbs]
cdh_type = "daemon"
key_uri = "kbs:///default/mykey/volume_data0"
# Optional: Custom socket path
# cdh_socket = "unix:///run/confidential-containers/cdh.sock"
```

Use cases:
- Production workloads requiring attestation
- Multi-tenant environments
- Compliance-sensitive data
- Confidential VM boot verification
Supported by: cryptpilot-fde, cryptpilot-crypt
Template: kbs.toml.template
The KMS provider fetches keys from Alibaba Cloud KMS using Access Key authentication.
Configuration:

```toml
[encrypt.kms]
kms_instance_id = "kst-****"
client_key_id = "LTAI****"
client_key_password_from_kms = "alias/ClientKey_****"
```

Use cases:
- Cloud-managed key lifecycle
- Centralized key management
- Integration with Alibaba Cloud services
Supported by: cryptpilot-fde, cryptpilot-crypt
Template: kms.toml.template
The OIDC provider fetches keys from Alibaba Cloud KMS using OIDC authentication.
An external program can be configured to provide the OIDC token; cryptpilot executes this program and uses the returned token to authenticate with KMS.
Configuration:

```toml
[encrypt.oidc]
kms_instance_id = "kst-****"
client_key_password_from_kms = "alias/ClientKey_****"

[encrypt.oidc.oidc_token_from_exec]
command = "/usr/bin/get-oidc-token"
args = []
```

Use cases:
- Federated identity integration
- No static credentials on instance
- Short-lived token authentication
Supported by: cryptpilot-fde, cryptpilot-crypt
Template: oidc.toml.template
The exec provider executes an external program and uses its stdout as the encryption key.
Note
The program's stdout is used directly as the key, without trimming or any other processing. Ensure the output contains no extra characters (for example a trailing newline or spaces).
Configuration:

```toml
[encrypt.exec]
command = "echo"
args = ["-n", "MySecretPassword"]
```

Use cases:
- Custom key derivation logic
- Integration with proprietary key management
- Testing and development
Supported by: cryptpilot-fde, cryptpilot-crypt
Template: exec.toml.template
Warning
The exec provider is mainly for testing. Use KBS, KMS, or OIDC in production.
| Provider | Attestation | Cloud-Native | Hardware-Bound | Persistent | Use Case |
|---|---|---|---|---|---|
| OTP | ❌ | ❌ | ❌ | ❌ | Temporary/volatile storage |
| KBS | ✅ | ✅ | ❌ | ✅ | Production with attestation |
| KMS | ❌ | ✅ | ❌ | ✅ | Cloud key management |
| OIDC | ❌ | ✅ | ❌ | ✅ | Federated identity |
| Exec | ❌ | ❌ | ❌ | ✅ | Testing/custom logic |
- FDE Configuration Guide - Full disk encryption configuration
- Volume Configuration Guide - Data volume encryption configuration
- Development Guide - Build and test instructions