Overview
Exoscale Key Management Service (KMS) is a centralized, fully managed security service that enables you to create, control, and manage the lifecycle of cryptographic keys. It provides data encryption capabilities across your Exoscale workloads, custom applications, and external integrations.
Fundamentally, data encryption shifts the security challenge from protecting the data to protecting the keys. Exoscale KMS addresses this by defining a secure key hierarchy that cryptographically wraps your generated Data Encryption Keys (DEKs). It safeguards your assets while offering granular operations for access and control. The keys you create never leave the KMS environment unencrypted. All management and usage operations are executed securely through the Exoscale KMS API.
Terminology
Key types
- KMS Key
- A customer-controlled cryptographic key managed within Exoscale KMS. It serves as a master key used to securely wrap and protect Data Encryption Keys (DEKs), rather than encrypting data directly.
- Data Encryption Key (DEK)
- A key used to encrypt and decrypt actual customer data at rest. DEKs are generated on-demand and are never stored in plaintext by the KMS.
- Default Organization Key
- A platform-managed KMS key automatically provisioned for every Exoscale organization upon onboarding. It guarantees that baseline encryption workflows are available out-of-the-box without additional setup. This key is fully managed by Exoscale: it may not be deleted or disabled, it is replicated in all Exoscale zones at all times, and its rotation schedule cannot be modified or disabled.
Encryption Concepts
- Envelope Encryption
- A security practice where data is encrypted with a Data Encryption Key (DEK), and the DEK itself is then encrypted (wrapped) by a higher-level KMS key. This localizes the impact of a potential compromise and simplifies key rotation.
- Key Material
- The raw cryptographic bytes that constitute a key, used to perform encryption, decryption or wrapping operations.
- Key Rotation
- The process of generating fresh versioned cryptographic key material of a KMS key. After rotation, legacy versions remain authorized exclusively for decrypting existing data, while the latest version is automatically used for all new encryption operations.
- Additional Authenticated Data (AAD)/Encryption Context
- Non-confidential, customer-provided data bound cryptographically to the ciphertext. The same AAD must be supplied at decryption time, so it acts as a ciphertext integrity check: a mismatch causes decryption to fail.
Key Deployment
- Multi-Zone Key
- A KMS key that may be replicated across multiple Exoscale zones.
- Primary Key
- The instance of a Multi-Zone Key in the zone where it was created. The primary key dictates shared key lifecycle properties across all zone replicas.
- Replica Key
- A copy of a primary key in another Exoscale zone. It operates as a fully functional key for zone-local cryptographic operations, while its baseline lifecycle states (e.g., rotation, deletion) remain synchronized with the primary key.
Features & Use Cases
Protection of Data at Rest
Note
Encryption at rest is already fully available and supported across Exoscale. Native integration with Exoscale KMS to back these capabilities will be introduced shortly after the initial product launch.
Exoscale KMS integrates seamlessly with the broader Exoscale ecosystem to secure your infrastructure assets automatically. By utilizing either custom KMS keys or the Default Organization Key, server-side encryption is enforced across your cloud resources to ensure that data at-rest is always encrypted.
Exoscale Object Storage (SOS): Secure your buckets and objects. In KMS mode, each object is encrypted using a unique Data Encryption Key (DEK) wrapped by your specified KMS key.
Compute: root volumes are encrypted at rest. The Compute orchestrator will use your Default Organization Key unless you specify a different KMS key of your choice.
Encrypt and decrypt data
For custom software and automated workflows, Exoscale KMS provides direct access via the Exoscale API, client SDKs, and CLI to secure application-level data. This enables developers and operators to implement robust data protection patterns directly within their applications and deployment pipelines.
Direct Payload Cryptography: Safely encrypt and decrypt small, sensitive data payloads—such as application configuration secrets, connection strings, certificates, or API tokens—directly through the CLI, SDKs, or API endpoints.
High-Performance Envelope Encryption: For large files or databases, use Exoscale KMS to generate on-demand Data Encryption Keys (DEKs). Your application receives a plaintext DEK for immediate, high-speed local encryption and a wrapped (encrypted) DEK. You can store the wrapped DEK safely alongside your data, ensuring the master key material never leaves the KMS.
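The envelope-encryption workflow just described, together with the Key Rotation and AAD/Encryption Context definitions from the Terminology section, as an added Go example that is not part of this page and not Exoscale's SDK or API. The `fakeKMS` type is a hypothetical in-memory stand-in for a single versioned KMS key (its key material never leaves the struct, the latest version wraps, every version can unwrap); in a real deployment those calls would be replaced by the Exoscale KMS API. `WrappedDEK`, `GenerateDataKey`, `Unwrap`, `EnvelopeEncrypt` and `EnvelopeDecrypt` are names chosen for this example, and the sample payload and encryption context are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// gcmFor builds an AES-256-GCM AEAD for a 32-byte key.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key and binds aad; a random nonce is prepended.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails if ciphertext, tag or aad do not match.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}

// fakeKMS is a hypothetical stand-in for one KMS key with versioned key
// material (NOT the Exoscale API): index = key version, latest wraps,
// every version may still unwrap, material never leaves the struct.
type fakeKMS struct{ versions [][]byte }

func randomKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

func newFakeKMS() *fakeKMS { return &fakeKMS{versions: [][]byte{randomKey()}} }

// Rotate adds fresh key material; older versions remain valid for unwrap only.
func (k *fakeKMS) Rotate()     { k.versions = append(k.versions, randomKey()) }
func (k *fakeKMS) Latest() int { return len(k.versions) - 1 }

// WrappedDEK is what the application stores beside its ciphertext.
type WrappedDEK struct {
	Version int    // KMS key version that wrapped the DEK
	Wrapped []byte // DEK encrypted under that version, bound to the AAD
}

// GenerateDataKey returns a plaintext DEK for local use plus the same DEK
// wrapped under the latest key version.
func (k *fakeKMS) GenerateDataKey(aad []byte) ([]byte, WrappedDEK, error) {
	dek := randomKey()
	v := k.Latest()
	w, err := seal(k.versions[v], dek, aad)
	return dek, WrappedDEK{Version: v, Wrapped: w}, err
}

// Unwrap recovers a DEK with whichever key version wrapped it.
func (k *fakeKMS) Unwrap(w WrappedDEK, aad []byte) ([]byte, error) {
	if w.Version < 0 || w.Version >= len(k.versions) {
		return nil, errors.New("unknown key version")
	}
	return open(k.versions[w.Version], w.Wrapped, aad)
}

// EnvelopeEncrypt encrypts a payload locally with a fresh DEK and returns the
// ciphertext plus the wrapped DEK to store next to it; the plaintext DEK is
// zeroed as soon as it has been used.
func EnvelopeEncrypt(k *fakeKMS, plaintext, aad []byte) ([]byte, WrappedDEK, error) {
	dek, wrapped, err := k.GenerateDataKey(aad)
	if err != nil {
		return nil, WrappedDEK{}, err
	}
	ct, err := seal(dek, plaintext, aad)
	for i := range dek {
		dek[i] = 0
	}
	return ct, wrapped, err
}

// EnvelopeDecrypt unwraps the DEK (any key version) and decrypts the payload.
func EnvelopeDecrypt(k *fakeKMS, ct []byte, wrapped WrappedDEK, aad []byte) ([]byte, error) {
	dek, err := k.Unwrap(wrapped, aad)
	if err != nil {
		return nil, err
	}
	return open(dek, ct, aad)
}
```

Two points worth noticing when running it: after `Rotate()` a ciphertext wrapped by version 0 still decrypts while new calls wrap under version 1, matching the rotation rule above, and supplying a different AAD at decryption fails already at the unwrap step, because the wrapped DEK is itself bound to the encryption context.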