🔑
Key types & algorithms
Asymmetric keys
RSA-2048, RSA-3072, RSA-4096
ECC P-256 (secp256r1), P-384 (secp384r1)
Symmetric keys
AES-128, AES-192, AES-256
HMAC-SHA-256 / SHA-384 / SHA-512
Signing algorithms
RSA PKCS#1 v1.5, RSA-PSS
ECDSA with SHA-256 / SHA-384
Encryption algorithms
RSA-OAEP (SHA-256)
AES-CBC, AES-GCM
Key agreement
ECDH key derivation (P-256, P-384).
Random number generation
FIPS 140-2 validated hardware RNG inside the HSM.
⚙️
Cryptographic operations
Key lifecycle
Generate, list, read public key, delete
Scheduled rotation with configurable grace period
Stable key_id survives rotation
Sign & verify
Digest-input signing inside the HSM; verification by public key without HSM round-trip.
Encrypt & decrypt
Bytes-level RSA-OAEP and AES-CBC / AES-GCM. Plaintext never persisted outside the calling request.
Envelope encryption
HSM-managed KEKs wrap caller-provided DEKs. Wrapped DEKs stored anywhere; KEK never leaves the HSM.
Key extraction
Private keys cannot be exported as plaintext under any operation. Public material is exportable on demand.
🔌
APIs & integration
REST API
JSON over HTTPS. Bearer-token auth. Idempotent operations with request-id correlation.
MCP server
Nine HSM-backed primitives for AI agents
kms_create_masterkey, kms_sign, kms_verify
kms_encrypt, kms_decrypt, kms_ecdh
List, read public key, delete
PKCS#11 driver
Available for dedicated HSM plans; works with standard PKCS#11 clients.
Web console
kms-console.cloakapps.com — key listing, rotation policy, audit log, credential management.
Authentication
Keycloak-backed identity. Per-agent scoped credentials. Instant revoke and rotate.
📜
Audit, receipts & observability
Operation receipts
Every state-changing operation returns a signed JWS receipt — verifiable offline against the Cloak KMS public key.
Audit log
Tamper-evident, append-only log of every key operation. Filter by key, time range, principal.
Retention
12 months on shared plans; configurable up to 7 years on dedicated plans.
Export
CSV and JSON export from console; programmatic pull via audit API.
🏗️
Deployment tiers
Software keys
Encrypted key store, REST + MCP API, full audit log. 10,000 API calls/month.
HSM shared
Keys generated in shared HSM with logical tenant isolation. Private keys never extracted as plaintext. 100,000 API calls/month.
HSM dedicated
Dedicated hardware partition, physical tenant isolation, custom key policy, SLA + Slack support. 500,000 API calls/month.
On-premise
HSM appliance deployed in customer data centre. Same API surface as cloud. Available on enterprise contract.
🛡️
Compliance & security posture
HSM certification
Underlying HSM modules are FIPS 140-2 Level 3 certified.
Frameworks supported
SOC 2 — control evidence ready
ISO/IEC 27001 — control mapping available
MAS TRM — key custody controls
PDPA / GDPR — data-residency options on dedicated plans
Transport security
TLS 1.3, mTLS optional on dedicated plans.
Tenant isolation
Logical isolation on shared plans; physical HSM partition on dedicated plans.
Backup & recovery
Encrypted key-backup blobs sealed to HSM; restoration only possible inside an authorised HSM cluster.
📈
Limits & service levels
Latency (typical)
Sign / verify < 80 ms p50. Encrypt / decrypt < 60 ms p50 from same region.
Throughput
Burst up to 200 ops/s on shared plans; sustained rates on dedicated plans per contract.
Availability target
99.9% on shared plans. 99.95% with contractual SLA on dedicated plans.
Regions
Singapore (primary). Additional regions available on dedicated plans.
Support
Email on shared; priority email + Slack on dedicated. Named account manager on enterprise.