Cloak KMS · software-key sandbox with multi-HSM custody paths

Start with SoftHSM keys.
Move to hardware custody when ready.

Cloak KMS gives developers and security engineers key custody via REST API and MCP tools. Free and trial users start in a SoftHSM-backed software-key sandbox, so teams can test key generation, signing, rotation, and receipts without hardware — then try a smartcard HSM and move to YubiHSM 2, AWS CloudHSM, or your own BYO HSM for production custody. One processor routes each request to the right device. Need help choosing or integrating? We provide consultation and assistance for enterprises and businesses.

SoftHSM2 sandbox Smartcard HSM YubiHSM 2 AWS CloudHSM BYO HSM
SoftHSM sandbox included Smartcard HSM trial by request Signed receipt per key operation
POST /keys/{id}/sign 200 OK
# Request
{
  "algorithm": "ES256",
  "digest":    "sha256:a3f9...",
  "key_id":    "ck-prod-signing-01"
}

# Response — key stays inside the configured KMS boundary
{
  "signature": "MEYCIQDx9n…",
  "key_ref":   "ck-prod-signing-01",
  "algorithm": "ES256",
  "receipt": {
    "operation":  "KEY_OPERATION",
    "timestamp":  "2025-06-14T09:22Z",
    "signature":  "eyJhbGci…"
  }
}
Operation executed inside configured KMS boundary · private key not returned

Built for engineers who need a path from sandbox to hardware custody

Start in a software-key sandbox, test REST and MCP flows, then choose a smartcard HSM tutorial, BYO HSM, or a paid hosted HSM pilot when your threat model requires hardware.

Developers & DevSecOps

Add KMS-backed key custody to your app with a single REST call. Rotate secrets on a schedule. Sign tokens and certificates without exposing the private key to your app. Every operation is audited.

  • Secrets management via API
  • Automatic key rotation
  • PKCS#11 / REST / MCP

Security Engineers & CISOs

Use the SoftHSM sandbox for evaluation, then move regulated workloads into BYO HSM or a paid hosted HSM pilot. Enforce least-privilege key access policies and keep a tamper-evident audit log of every key use.

  • BYO or hosted HSM pilot
  • Compliance-ready audit log
  • Role-based key access (Keycloak)

Enterprise & Financial Institutions

Meet regulatory key custody requirements through BYO HSM integration or a paid hosted HSM pilot. Named account support and deployment planning are available for institutions that need a contractual custody path.

  • MAS TRM / PDPA ready
  • Hosted HSM pilot available
  • Contractual SLA + account manager

Every cryptographic operation you need

Operations run inside the configured key boundary: SoftHSM software tokens for free and trial users, or hardware HSM custody for BYO and hosted pilot deployments.

Key generation & storage

Generate RSA-2048/4096, ECDSA P-256/P-384, and AES-256 keys inside a SoftHSM sandbox or HSM-backed vault. Keys are assigned a stable key_id and are not returned as plaintext.

Sign & verify

Pass a digest to POST /keys/{id}/sign and get a signature back. The signing operation happens inside the configured KMS boundary; your app never receives private key material.

Key rotation

Schedule automatic rotation on any key. The old key is retired after a configurable grace period. Re-encryption of dependent data is handled by the KMS — your app sees the same key_id.

Envelope encryption

Wrap your own data-encryption keys with a KMS-managed key encryption key (KEK). Store the wrapped DEK anywhere; in HSM deployments, the KEK stays inside the hardware boundary.

Multi-tenant key isolation

Each account's keys are logically isolated. Hosted HSM pilots can add dedicated hardware partitioning; BYO HSM deployments can keep the hardware boundary under your control.

Operation receipts & audit log

Every key operation — create, sign, rotate, expire — returns a signed audit receipt. The kms-console shows a full operation table filterable by key, time range, and calling principal.

mcp_agent.py MCP tool call
# Agent signs a document digest via KMS
result = mcp.call_tool(
  "kms_sign",
  {
    "alias":     "agent-signing-key",
    "keyId":     "0101",
    "algorithm": "ECDSA_SHA_256",
    "digestHex": digest_hex
  }
)

# Signature + signed receipt returned; key material is not returned
sig  = result["signatureBase64"]
rcpt = result["receipt"]   # JWS envelope, verifiable offline

# Agent provisions a new key
key = mcp.call_tool(
  "kms_create_masterkey",
  {
    "alias":    "project-alpha-signing",
    "keyType":  "ECC_SECP256R1",
    "keyUsage": "SIGN"
  }
)
MCP-native · agent credential management

Your agents need keys too

AI agents that sign artifacts, encrypt outputs, or issue credentials need their own key identity — and that identity needs to be auditable, scoped, and revocable. Cloak KMS gives every agent a named key in the software sandbox first, with BYO HSM and paid hosted HSM pilots available for hardware custody.

The MCP server exposes nine KMS primitives — list, read public key, create, delete, sign, verify, encrypt, decrypt, ECDH-derive — with scoped agent credentials per tool. See the full tool reference. Every state-changing agent action embeds a signed receipt for offline audit.

  • kms_create_masterkey — provision a KMS key (ECC, RSA, AES)
  • kms_sign — sign a SHA-256 digest inside the configured key boundary
  • kms_encrypt / kms_decrypt — bytes-level RSA-OAEP / AES-CBC
  • Per-agent credential scopes; revoke or rotate instantly
Read the agent integration guide →

Choose your key custody path

Free users start in a software-key sandbox. Try a smartcard HSM on a capacity-limited, time-boxed trial. For production, choose YubiHSM 2, AWS CloudHSM, your own BYO HSM, or a paid hosted HSM pilot — the same API and receipts across every backend.

Free Software Sandbox
$0/mo

SoftHSM-backed trial keys

  • Software-token key operations
  • REST + MCP API access
  • Signed receipts and audit log
  • Strict limits; not production custody
Start free sandbox →
Tutorial Trial
Smartcard HSM
By request

Guided hardware smartcard flow

  • Hardware smartcard HSM tutorial
  • Capacity-limited, time-boxed trial
  • PKCS#11 setup guidance
  • Best for evaluation and training
Request trial →
Production HSM
YubiHSM · CloudHSM · BYO

Durable hardware custody

  • YubiHSM 2 — compact dedicated HSM
  • AWS CloudHSM — FIPS 140-2/3 cluster
  • Bring your own HSM (PKCS#11)
  • Hosted HSM pilot, policy & SLA path
Talk to sales →
Better together

Add Cloak Files for a hardware custody path

Pair Cloak KMS with Cloak Files to start with software-key trials, then move regulated file keys into BYO HSM or a paid hosted HSM pilot. Cloak Files handles file-level protection and receipts; KMS provides the custody path.

Explore Cloak Files →

For developers & enterprises

Build KMS-backed crypto in — with help when you need it

Cloak KMS starts in a SoftHSM software-key sandbox, then supports smartcard HSM, YubiHSM 2, AWS CloudHSM, and BYO HSM custody. Building with it or evaluating for your organisation? Our team provides hands-on consultation and integration assistance.

REST API

The full KMS surface over OAuth2 — generate keys, sign, verify, encrypt, decrypt, manage keystores and policies. Best for first-party services and deep integrations (it's how Cloak Files uses KMS).

MCP endpoint

A self-service, least-privilege door for AI agents and scoped app integrations — owner-bound, TTL-limited, revocable credentials with sign / verify / encrypt / decrypt / key tools. No client provisioning needed.

Consultation & assistance

For enterprises and businesses: device selection (smartcard / YubiHSM 2 / CloudHSM / BYO), PKCS#11 and deployment help, compliance questions, and integration support — talk to a real engineer, not a bot.

Book a consultation →

Tell us what you're building or evaluating — we'll help you choose the API, the HSM, and get you set up.

Start in the KMS sandbox today

Free accounts start in a SoftHSM software-key sandbox. Try a smartcard HSM, move to YubiHSM 2, AWS CloudHSM, or BYO HSM for production — and book a consultation if your team wants integration help.

Governed by the OMMAU Charter — humans authorize, agents execute, receipts prove it.