## Cosmian KMS configuration file
# This file contains the configuration for the Cosmian KMS server.
# See the documentation at https://docs.cosmian.com/key_management_system/server_configuration_file/
#
# NOTE(review): in this rendering the key names and table header names have been lost
# (lines read `= value` and `[]`); as shown, the file is not valid TOML. Restore each
# name from the documentation linked above before using it.
# NOTE(review): this file holds secrets in clear text (HSM passwords, PKCS#12 password,
# Redis master password, proxy password, OIDC client secret). Restrict its file
# permissions to the service account and keep it out of version control.

# The default username to use when no authentication method is provided.
# When no authentication method is configured, requests are attributed to this user.
= "admin"
# When an authentication method is provided, perform the authentication
# but always use the default username instead of the one provided by the authentication method.
# NOTE(review): when true, every authenticated caller is mapped to the default username,
# so per-user distinctions (and any per-user access control) are lost — confirm this is intended.
= false
# This setting enables the Microsoft Double Key Encryption service feature on this server.
# It should contain the external URL of this server as configured in Azure App Registrations
# as the DKE Service (<https://learn.microsoft.com/en-us/purview/double-key-encryption-setup#register-your-key-store>)
# The URL should be something like <https://cse.my_domain.com/ms_dke>
## ms_dke_service_url = "<ms dke service url>"
# This setting defines the public URL where the KMS is accessible (e.g., behind a proxy).
# It is used:
# - during the authentication flow initiated from the KMS UI. See the [ui_config] section below.
# - for CSE endpoints: it is required if the Google CSE configuration is activated.
# If this server is running on the domain `cse.my_domain.com` with this public URL,
# the URL configured in the Google admin console should be something like <https://cse.my_domain.com/google_cse>
## kms_public_url = "kms-public-url"
# Print the server configuration information and exit
= false
# The following fields are only needed if an HSM is used.
# Check the HSMs documentation pages for more information.
= "softhsm2"
= "admin" # for Create operation on HSM
# HSM slot numbers.
= [63715018]
# HSM slot passwords, stored in clear text in this file.
# NOTE(review): presumably one entry per slot in the list above, in the same order — confirm.
= ["12345678"]
# Force all newly created and imported keys to be wrapped by the key specified in this field.
# This is most useful to ensure that an HSM key wraps all keys in the KMS database.
# Note: This setting is ignored when a key is imported in JSON TTLV format and is already wrapped.
## key_encryption_key = "kek ID"
# Specifies which KMIP object types should be automatically unwrapped when retrieved.
# Repeat this option to specify multiple object types.
# Allowed values: All, Certificate, CertificateRequest, OpaqueObject, PGPKey, PrivateKey, PublicKey, SecretData, SplitKey, SymmetricKey
# Example:
## default_unwrap_type = ["SecretData", "SymmetricKey"]
# All users can create and import objects in the KMS by default.
# Only these users can create and import objects when this setting contains a user ID list.
## privileged_users = ["<user_id_1>", "<user_id_2>"]

# Database configuration.
# Check the database configuration documentation pages for more information.
# (table header name lost in this rendering — restore from the documentation)
[]
# The database backend type.
= "sqlite"
## database_url = "<database-url>"
## sqlite_path = "<sqlite-path>"
## redis_master_password = "<redis master password>"
## redis_findex_label = "<redis findex label>"
# Clear the database at startup. WARNING: This will delete all objects in the database.
= false
# When a wrapped object is fetched from the database,
# it is unwrapped and stored in the unwrapped cache.
# This option specifies the maximum age in minutes of the unwrapped objects in the cache
# after its last use.
# The default is 15 minutes.
# About 2/3 of the objects will be evicted after this time; the other 1/3 will be evicted
# after a maximum of 150% of the time.
= 15 # minutes

# TLS configuration of the Socket server and HTTP server
# (table header name lost in this rendering — restore from the documentation)
[]
# The KMS server's optional PKCS#12 Certificates and Key file.
# If provided, this will start the server in HTTPS mode.
## tls_p12_file = "[tls p12 file]"
# The password to open the PKCS#12 certificates and key file (clear text in this file).
## tls_p12_password = "[tls p12 password]"
# The server's optional authority X509 certificate in PEM format
# used to validate the client certificate presented for authentication.
# If provided, clients must present a certificate signed by this authority for authentication.
# The server must run in TLS mode for this to be used.
## clients_ca_cert_file = "[authority cert file]"

# The socket server listens to KMIP binary requests on the IANA-registered 4696 port.
# NOTE(review): the default below is 5696, which is the IANA-registered KMIP port;
# the 4696 above looks like a typo — confirm.
# The socket server will only start if the TLS configuration is provided **and** client certificate authentication
# is enabled.
# (table header name lost in this rendering — restore from the documentation)
[]
# Start the socket server. See comments above on conditions for starting the server.
## socket_server_start = false
# The socket server port - defaults to 5696
## socket_server_port = 5696
# The socket server hostname - defaults to "0.0.0.0"
## socket_server_hostname = "0.0.0.0"

# The HTTP server listens to KMIP requests on the /kmip and /kmip/2_1 endpoints.
# It also serves the web UI on the /ui endpoint.
# If the TLS configuration is provided, the server will start in HTTPS mode.
# (table header name lost in this rendering — restore from the documentation)
[]
# The KMS server port - defaults to 9998
= 9998
# The KMS server hostname - defaults to 0.0.0.0 (binds to all interfaces)
= "0.0.0.0"

# If using a forward proxy for outbound JWKS requests,
# set the proxy parameters here.
# (table header name lost in this rendering — restore from the documentation)
[]
# The URL of the proxy server, including the protocol and port.
# - e.g., "https://secure.example" for an HTTP proxy
# - e.g., "socks5://192.168.1.1:9000" for a SOCKS proxy
## proxy_url = "https://proxy.example.com:8080"
# The username to use for basic authentication with the proxy server.
## proxy_basic_auth_username = "[proxy username]"
# The password to use for basic authentication with the proxy server (clear text in this file).
## proxy_basic_auth_password = "[proxy password]"
# Use a custom proxy authentication header instead of the standard Basic authentication.
## proxy_custom_auth_header = "my_custom_auth_token"
# The list of domains to exclude from the proxy.
## proxy_exclusion_list = ["domain1", "domain2"]

# Identity provider authentication.
# Check the Authenticating Users documentation pages for more information.
# (table header name lost in this rendering; the UI OIDC section below refers to it as [idp_auth])
[]
# JWT authentication provider configuration
# Each provider configuration should be in the format: "JWT_ISSUER_URI,JWKS_URI,JWT_AUDIENCE" where:
# - JWT_ISSUER_URI: The issuer URI of the JWT token (required)
# - JWKS_URI: The JWKS (JSON Web Key Set) URI (optional; defaults to <JWT_ISSUER_URI>/.well-known/jwks.json if empty or omitted)
# - JWT_AUDIENCE: The audience of the JWT token (optional; can be empty)
# Examples:
# - "https://accounts.google.com,https://www.googleapis.com/oauth2/v3/certs,my-audience"
# - "https://auth0.example.com,,my-app" (JWKS URI will default)
# - "https://keycloak.example.com/auth/realms/myrealm,," (no audience, JWKS URI will default)
# This array can contain multiple identity provider configurations. Duplicate configurations are deduplicated; last wins.
# NOTE(review): leaving the audience empty means tokens issued by that provider for any audience
# are accepted; set it whenever the provider supports it.
# jwt_auth_provider = [
# "https://accounts.google.com,https://www.googleapis.com/oauth2/v3/certs,my-audience",
# "https://auth0.example.com,,my-app",
# "https://keycloak.example.com/auth/realms/myrealm,,"
# ]

# Workspace paths.
# (table header name lost in this rendering — restore from the documentation)
[]
# The root folder where the KMS will store its data
# A relative path is taken relative to the user's HOME directory
## root_data_path = "./cosmian-kms"
# The folder to store temporary data (non-persistent data readable
# by no one but the current instance during the current execution)
## tmp_path = "/tmp"

# Logging configuration.
# Check the logging documentation pages for more information
# (table header name lost in this rendering — restore from the documentation)
[]
# The log level of the KMS server. This is an alternative to the `RUST_LOG` environment variable.
= "info,cosmian_kms=debug"
# The Open Telemetry OTLP collector URL.
## otlp = "http://localhost:4317"
# If set to true, the KMS server will not output logs to stdout. Telemetry will still be sent to the OTLP collector,
# if configured.
= false
# If set to true, the KMS server will log to syslog instead of stdout.
= false
# If set, daily rolling logs will be written to the specified directory
# using the name specified by `rolling_log_name`: <rolling_log_name>.YYYY-MM-DD.
## rolling_log_dir = "path_to_logging_directory"
# If `rolling_log_dir` is set, this is the name of the rolling log file:
# <rolling_log_name>.YYYY-MM-DD.
# Defaults to "kms" if not set.
## rolling_log_name = "kms"
# The Telemetry will also contain metering and tracing events if set to true.
## enable_metering = false
# When using telemetry, this setting will show the KMS environment: "production", "development", "staging", "testing"...
## environment = "development"
# Enable ANSI colors in the logs to stdout
= false

# Generic configuration to edit the path to static UI application files
# To use the Web UI, ensure the `kms_public_url` is set to the correct public URL above.
# (table header name lost in this rendering; referred to above as the [ui_config] section)
[]
# Folder holding the built static files of the web UI.
= "/usr/local/cosmian/ui/dist"

# Configuration for the handling of authentication with OIDC from the KMS UI.
# This is used to authenticate users when they access the KMS UI.
# The same Identity Provider must **also** be configured in the [idp_auth] section above.
# (table header name lost in this rendering — restore from the documentation)
[]
## ui_oidc_client_id = "<client id>"
# NOTE(review): the trailing "(optional)" on the next line is part of the comment; drop it
# if the key is uncommented, otherwise the line is not valid TOML.
## ui_oidc_client_secret = "<client secret>" (optional)
## ui_oidc_issuer_url = "<issuer-url>"
## ui_oidc_logout_url = "<logout-url>"

# Google Workspace client-side encryption (CSE) configuration.
# (table header name lost in this rendering — restore from the documentation)
[]
# This setting turns on endpoints, handling Google CSE feature
= false
# This setting disables the validation of the tokens used by the Google Workspace CSE feature of this server
# Useful for testing purposes
# NOTE(review): with validation disabled the CSE endpoints accept tokens without verifying them;
# keep this unset (or false) outside test environments.
## google_cse_disable_tokens_validation = false
# This setting contains the list of KACLS server URLs that can access this server for Google CSE migration, through
# the privilegedunwrap endpoint (used to fetch exposed jwks on server start)
## google_cse_incoming_url_whitelist = ["[kacls_url_1]", "[kacls_url_2]"]
# PEM PKCS8 RSA private key used to ensure consistency of certificate handling and privileged unwrap operations
# across server restarts and multiple server instances. If not provided, a random key will be generated at server startup.
# This is a private key in clear text; the file-permission note at the top of this file applies.
## google_cse_migration_key = "<google_cse_existing_migration_key>"