Cloak KMS gives developers and security engineers key custody via REST API and MCP tools. Free and trial users start in a SoftHSM-backed software-key sandbox, so teams can test key generation, signing, rotation, and receipts without hardware — then try a smartcard HSM and move to YubiHSM 2, AWS CloudHSM, or your own BYO HSM for production custody. One processor routes each request to the right device. Need help choosing or integrating? We provide consultation and assistance for enterprises and businesses.
# Request { "algorithm": "ES256", "digest": "sha256:a3f9...", "key_id": "ck-prod-signing-01" } # Response — key stays inside the configured KMS boundary { "signature": "MEYCIQDx9n…", "key_ref": "ck-prod-signing-01", "algorithm": "ES256", "receipt": { "operation": "KEY_OPERATION", "timestamp": "2025-06-14T09:22Z", "signature": "eyJhbGci…" } }
Start in a software-key sandbox, test REST and MCP flows, then choose a smartcard HSM tutorial, BYO HSM, or a paid hosted HSM pilot when your threat model requires hardware.
Add KMS-backed key custody to your app with a single REST call. Rotate secrets on a schedule. Sign tokens and certificates without exposing the private key to your app. Every operation is audited.
Use the SoftHSM sandbox for evaluation, then move regulated workloads into BYO HSM or a paid hosted HSM pilot. Enforce least-privilege key access policies and keep a tamper-evident audit log of every key use.
Meet regulatory key custody requirements through BYO HSM integration or a paid hosted HSM pilot. Named account support and deployment planning are available for institutions that need a contractual custody path.
Operations run inside the configured key boundary: SoftHSM software tokens for free and trial users, or hardware HSM custody for BYO and hosted pilot deployments.
Generate RSA-2048/4096, ECDSA P-256/P-384, and AES-256 keys inside a SoftHSM sandbox or HSM-backed vault. Keys are assigned a stable key_id and are not returned as plaintext.
Pass a digest to POST /keys/{id}/sign and get a signature back. The signing operation happens inside the configured KMS boundary; your app never receives private key material.
Schedule automatic rotation on any key. The old key is retired after a configurable grace period. Re-encryption of dependent data is handled by the KMS — your app sees the same key_id.
Wrap your own data-encryption keys with a KMS-managed key encryption key (KEK). Store the wrapped DEK anywhere; in HSM deployments, the KEK stays inside the hardware boundary.
Each account's keys are logically isolated. Hosted HSM pilots can add dedicated hardware partitioning; BYO HSM deployments can keep the hardware boundary under your control.
Every key operation — create, sign, rotate, expire — returns a signed audit receipt. The kms-console shows a full operation table filterable by key, time range, and calling principal.
# Agent signs a document digest via KMS result = mcp.call_tool( "kms_sign", { "alias": "agent-signing-key", "keyId": "0101", "algorithm": "ECDSA_SHA_256", "digestHex": digest_hex } ) # Signature + signed receipt returned; key material is not returned sig = result["signatureBase64"] rcpt = result["receipt"] # JWS envelope, verifiable offline # Agent provisions a new key key = mcp.call_tool( "kms_create_masterkey", { "alias": "project-alpha-signing", "keyType": "ECC_SECP256R1", "keyUsage": "SIGN" } )
AI agents that sign artifacts, encrypt outputs, or issue credentials need their own key identity — and that identity needs to be auditable, scoped, and revocable. Cloak KMS gives every agent a named key in the software sandbox first, with BYO HSM and paid hosted HSM pilots available for hardware custody.
The MCP server exposes nine KMS primitives — list, read public key, create, delete, sign, verify, encrypt, decrypt, ECDH-derive — with scoped agent credentials per tool. See the full tool reference. Every state-changing agent action embeds a signed receipt for offline audit.
kms_create_masterkey — provision a KMS key (ECC, RSA, AES)kms_sign — sign a SHA-256 digest inside the configured key boundarykms_encrypt / kms_decrypt — bytes-level RSA-OAEP / AES-CBCFree users start in a software-key sandbox. Try a smartcard HSM on a capacity-limited, time-boxed trial. For production, choose YubiHSM 2, AWS CloudHSM, your own BYO HSM, or a paid hosted HSM pilot — the same API and receipts across every backend.
SoftHSM-backed trial keys
Guided hardware smartcard flow
Durable hardware custody
Pair Cloak KMS with Cloak Files to start with software-key trials, then move regulated file keys into BYO HSM or a paid hosted HSM pilot. Cloak Files handles file-level protection and receipts; KMS provides the custody path.
For developers & enterprises
Cloak KMS starts in a SoftHSM software-key sandbox, then supports smartcard HSM, YubiHSM 2, AWS CloudHSM, and BYO HSM custody. Building with it or evaluating for your organisation? Our team provides hands-on consultation and integration assistance.
The full KMS surface over OAuth2 — generate keys, sign, verify, encrypt, decrypt, manage keystores and policies. Best for first-party services and deep integrations (it's how Cloak Files uses KMS).
A self-service, least-privilege door for AI agents and scoped app integrations — owner-bound, TTL-limited, revocable credentials with sign / verify / encrypt / decrypt / key tools. No client provisioning needed.
For enterprises and businesses: device selection (smartcard / YubiHSM 2 / CloudHSM / BYO), PKCS#11 and deployment help, compliance questions, and integration support — talk to a real engineer, not a bot.
Tell us what you're building or evaluating — we'll help you choose the API, the HSM, and get you set up.
Free accounts start in a SoftHSM software-key sandbox. Try a smartcard HSM, move to YubiHSM 2, AWS CloudHSM, or BYO HSM for production — and book a consultation if your team wants integration help.
Governed by the OMMAU Charter — humans authorize, agents execute, receipts prove it.