The Cosmian KMS is a high-performance, source-available, FIPS 140-3 compliant server application written in Rust with unique capabilities.
- High-performance: Delivers encryption and decryption services at up to millions of operations per second, with master keys held in a secure HSM-backed environment.
- Flexible pricing: Per-CPU pricing with no hidden costs; all connectors are included, and any number of servers can be deployed.
- Runs securely in public clouds or zero-trust environments using Cosmian VMs, available on the Azure, GCP, and AWS marketplaces. See our deployment guide.
- FIPS 140-3 mode
- KMIP support (versions 1.0-1.4, 2.0-2.1) in both binary and JSON formats - see KMIP documentation
- HSM support for Trustway Proteccio & Crypt2Pay, Utimaco general purpose, Nitrokey HSM 2, Smartcard HSMs, etc. with KMS keys wrapped by the HSM
- Developed in Rust, a memory-safe language, with the source code available on GitHub
- 100% developed in the European Union
- Source Available server application written in Rust
- Full-featured Web UI with client command line and graphical interface
- Advanced authentication mechanisms
- High-availability mode with simple horizontal scaling
- Multi-language client support: Python, JavaScript, Dart, Rust, C/C++, and Java (see the cloudproof libraries on Cosmian GitHub)
- Advanced logging with OpenTelemetry
- Cloud integrations:
  - Azure BYOK
  - GCP CSEK and Google CMEK
  - ...
- Workplace security:
- Transparent data encryption:
  - Veracrypt
  - LUKS
  - VMware
  - Oracle Database TDE
  - MongoDB
  - PostgreSQL
  - and more
- Big Data encryption:
The Cosmian KMS combines the functions of a Key Management System, an Encryption Oracle, and a Public Key Infrastructure:
- Key Management System: Manages the full key lifecycle, with on-the-fly generation and revocation, including for connected HSMs.
- Encryption Oracle: Provides high-availability, high-scalability encryption and decryption operations at millions of operations per second with HSM-backed security.
- PKI: Manages root and intermediate certificates, signs and verifies certificates, and uses public keys for encryption/decryption. Certificates can be exported in various formats (including PKCS#12) for applications like S/MIME encrypted emails.
The Cosmian KMS supports all standard NIST cryptographic algorithms as well as advanced post-quantum cryptography algorithms like Covercrypt. See the complete supported algorithms list.
The Cosmian KMS is available as:
- Linux packages: Debian or RPM
- Windows installer: Windows
- macOS installer: macOS
- Docker: Standard image and FIPS image
The Cosmian KMS includes an intuitive graphical user interface (GUI) with support for client certificate and OIDC token authentication.
The Cosmian CLI provides a powerful command-line interface for managing the server, handling keys, and performing encryption/decryption operations. It features integrated help and is available for multiple operating systems.
The Cosmian CLI is packaged as:
- Debian or RPM package
- Pre-built binaries for Linux, Windows, and macOS
