Key Management Service


Secure your data across all your OVHcloud services and applications from one central place. A fully managed encryption service.


➡️ Discover our new Key Management Service

The OVHcloud KMS is a managed service designed to:

  • Protect your data within your OVHcloud services and applications via encryption techniques fully managed by OVHcloud.
  • Securely generate and store your encryption keys. You can use them either for your OVHcloud services or for your own applications, without worrying about them being stolen, tampered with or lost.

OVHcloud releases its own KMS, with two options to consume encryption keys:

  • OMK (OVHcloud Managed Keys): a one-click encryption service for your eligible OVHcloud services without the hassle of having to manage any encryption keys.
  • CMK (Customer Managed Keys): a secure storage for your encryption keys, whether you import your own or use those generated by OVHcloud. It provides complete management of the key lifecycle for customers, works both within and outside OVHcloud services, and is accessible via a REST API or a KMIP API.

To ensure complete reversibility of your services, OVHcloud KMS provides a KMIP (Key Management Interoperability Protocol) API. With the KMIP API, you can reuse your encryption keys from the OVHcloud KMS in any non-OVHcloud services supporting this protocol. Additionally, you can seamlessly transfer your encryption keys to another KMIP-compatible KMS without disrupting your application integrations.

🛠️ How does it work?

OVHcloud KMS is designed to generate, import (BYOK - Bring your own key), store and revoke:

  • Symmetric keys of 128, 192 and 256 bits
  • Asymmetric keys using
    • RSA-2048, RSA-3072 or RSA-4096
    • Elliptic curve keys using EC-256, EC-384, EC-521 with curve values P-256, P-384, P-521

Access to the keys is controlled by OVHcloud IAM to ensure that only authorised persons or applications can use them. To assure the quality and security of the OVHcloud KMS, we have already started the process to have it certified ISO 27001 and FIPS 140-2 level 2.

[Figure: OVHcloud Key Management Service high-level design]

Access control is based on OVHcloud IAM to ensure that only the necessary users or applications can access the encryption keys, and all monitoring logs will be handled by our Logs Data Platform service.

🔑 OMK: OVHcloud Managed Keys

With OVHcloud Managed Keys (OMK) you don't have to manage the encryption key lifecycle. It is managed end-to-end by OVHcloud, so you only have to activate, with one click, the encryption of your data for the corresponding OVHcloud services and applications. This is the simplest way to secure your data.

OMK for Object Storage

The first use case available with the OVHcloud KMS is OMK for Object Storage, which enables the SSE-S3 option of the S3 protocol. When this option is enabled, OVHcloud automatically generates and manages an encryption key to encrypt/decrypt your data for your OVHcloud service, without any additional configuration on the customer side.

🔑 CMK: Customer Managed Keys

The Customer Managed Keys (CMK) are encryption keys completely managed by you. OVHcloud KMS can generate encryption keys for you or you can import your own encryption keys (BYOK - Bring Your Own Key).

Those encryption keys can be used either:

  • With a one-click integration within OVHcloud services (such as Object Storage or Hosted Private Cloud). Encryption keys handled by OVHcloud KMS are used to encrypt/decrypt your data within your OVHcloud services, but you keep control of their lifecycle (use, rotation, revocation...).
  • Inside your own applications, through a dedicated REST API or KMIP API, to:
    • Encrypt/decrypt data on the KMS (for small payloads) using AES-GCM, or locally using a derived data key
    • Sign or verify on the KMS using ECDSA with SHA-256, SHA-384 or SHA-512, or RSA with PKCS#1 padding and SHA-256, SHA-384 or SHA-512; or verify locally using the public key
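To make the CMK usage pattern concrete, here is an added example, not code from this page or from OVHcloud: a Go program with a simulated key service. SimulatedKMS, GenerateDataKey, UnwrapDataKey and Sign are hypothetical stand-ins for the service side and are not the OVHcloud REST or KMIP API. It shows the two operations listed above: envelope encryption, where the KMS hands out a data key and the application encrypts locally with AES-GCM and stores only the wrapped key; and ECDSA over SHA-256 signing on the KMS side with verification done locally using nothing but the public key (an EC-256/P-256 key, one of the types listed earlier).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SimulatedKMS stands in for the key service (hypothetical, not the OVHcloud API).
type SimulatedKMS struct {
	master  []byte            // 256-bit AES master key, never leaves the service
	signKey *ecdsa.PrivateKey // EC-256 (P-256) signing key, never leaves the service
}

func NewSimulatedKMS() (*SimulatedKMS, error) {
	sk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SimulatedKMS{master: randomBytes(32), signKey: sk}, nil
}

func randomBytes(n int) []byte { // OS CSPRNG; a failure here is unrecoverable
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func gcm(key []byte) cipher.AEAD { // every key here is 32 bytes, so an error is a bug
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for AES (16-byte block size)
	return g
}

// gcmSeal: AES-GCM with a fresh random nonce prefixed to the output; aad is authenticated, not encrypted.
func gcmSeal(key, plaintext, aad []byte) []byte {
	g := gcm(key)
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}

// gcmOpen reverses gcmSeal; any bit flip in nonce, ciphertext, tag or aad makes it fail.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	g := gcm(key)
	if len(sealed) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short (%d bytes)", len(sealed))
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// GenerateDataKey (KMS side): a fresh data key in the clear for local use, plus the same key wrapped under the master key.
func (k *SimulatedKMS) GenerateDataKey() (plain, wrapped []byte) {
	plain = randomBytes(32)
	return plain, gcmSeal(k.master, plain, []byte("data-key"))
}

// UnwrapDataKey (KMS side): the call an authorised application makes at decrypt time.
func (k *SimulatedKMS) UnwrapDataKey(wrapped []byte) ([]byte, error) {
	return gcmOpen(k.master, wrapped, []byte("data-key"))
}

// Sign (KMS side): ECDSA over SHA-256(msg); the private key stays inside the service.
func (k *SimulatedKMS) Sign(msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, k.signKey, h[:])
}

func (k *SimulatedKMS) PublicKey() *ecdsa.PublicKey { return &k.signKey.PublicKey }

// Envelope is what the application stores: the wrapped data key beside the locally encrypted data.
type Envelope struct{ WrappedKey, Ciphertext []byte }

// EncryptLocally: one KMS call for a data key, then AES-GCM on the client, so the payload never travels to the KMS.
func EncryptLocally(kms *SimulatedKMS, plaintext []byte) *Envelope {
	dk, wrapped := kms.GenerateDataKey()
	return &Envelope{WrappedKey: wrapped, Ciphertext: gcmSeal(dk, plaintext, wrapped)} // wrapped key as AAD
}

// DecryptLocally: one KMS call to unwrap the data key, then AES-GCM on the client.
func DecryptLocally(kms *SimulatedKMS, env *Envelope) ([]byte, error) {
	dk, err := kms.UnwrapDataKey(env.WrappedKey)
	if err != nil {
		return nil, err
	}
	return gcmOpen(dk, env.Ciphertext, env.WrappedKey)
}

// VerifyLocally needs only the public key: no KMS round trip and no secret on the client.
func VerifyLocally(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}
```

Three design points carry over to a real deployment: the application never persists the plaintext data key, so revoking or losing the master key inside the KMS makes every envelope unreadable, which is exactly the lifecycle control CMK gives you; the wrapped key is passed as AES-GCM additional data, so a ciphertext is tied to the exact wrapped key it was stored with and tampering with either is detected on decrypt; and signature verification needs no KMS access at all, so it can run in components that hold no KMS credentials.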

🚀 Try it now!

Want to be notified when the beta of KMS-CMK is ready?

📊 OMK / CMK comparison table

Feature                           | OMK (OVHcloud Managed Key) | CMK (Customer Managed Key)
Use in OVHcloud eligible services | Yes                        | Yes
Use in external applications      | n/a                        | Yes, via a REST API or a KMIP API
Key lifecycle management          | n/a (managed by OVHcloud)  | Yes (creation, rotation, revocation...)
Access management                 | n/a                        | Yes, with OVHcloud IAM
Logs access                       | n/a                        | Yes, with OVHcloud Logs Data Platform
Bring Your Own Key                | n/a                        | Yes

Key types:
  • Symmetric keys of 128, 192 and 256 bits
  • Asymmetric keys using:
    • RSA-2048, RSA-3072 or RSA-4096
    • Elliptic curve keys using EC-256, EC-384, EC-521 with curve values P-256, P-384, P-521

🔮 Future evolutions

Several features have already been identified for a future version of OVHcloud KMS:

  • Secret management, to let you securely store and manage secrets in addition to encryption keys
  • HSM-based (Hardware Security Module) key storage, for a higher security level for your most sensitive keys

The roadmap of the OVHcloud KMS is available on the OVHcloud GitHub page.

🙋 FAQ

Will the beta be charged?

No, the OVHcloud KMS beta service will be accessible at no additional cost.

What are the certifications planned for the KMS?

OVHcloud has started the process to pass the ISO 27001 and FIPS 140-2 certifications.

Could I use the OVHcloud KMS for my production data?

The OVHcloud KMS, once available in beta, will be deployed with the expected quality and security of the final version. However, OVHcloud cannot guarantee that keys stored inside the OVHcloud KMS will not be lost during the beta.
