Digitorn

KMS

A managed service that holds master keys and performs cryptographic operations, never exposing the keys.

Also known as: key management service, key management system

In depth

KMS providers (AWS KMS, GCP KMS, Azure Key Vault, HashiCorp Vault) keep the master encryption key inside hardware that cannot export it. Applications send a key to be wrapped, or ciphertext to be unwrapped; the KMS does the work and returns the result. On Digitorn the KMS layer is pluggable: env-based for dev, AWS KMS for AWS deployments, and the other providers for everything else.
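
A sketch of such a pluggable layer, added here as an example and not Digitorn's own code: a hypothetical `KMS` interface with an env-based dev backend that wraps and unwraps data keys using AES-256-GCM from Go's standard library. The interface, the type names and the `DEV_KMS_MASTER_KEY` variable are assumptions, and the key material is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"os"
)

// KMS is a hypothetical pluggable interface: callers only see wrap and unwrap.
type KMS interface {
	Wrap(dataKey []byte) ([]byte, error)
	Unwrap(wrapped []byte) ([]byte, error)
}

// envKMS is the dev backend: its master key sits in process memory.
type envKMS struct{ aead cipher.AEAD }

func NewEnvKMS(envVar string) (KMS, error) {
	key, err := hex.DecodeString(os.Getenv(envVar)) // hex-encoded 32-byte key
	if err != nil || len(key) != 32 {
		return nil, fmt.Errorf("%s must hold 64 hex characters", envVar)
	}
	block, _ := aes.NewCipher(key) // cannot fail: key length checked above
	aead, err := cipher.NewGCM(block)
	return &envKMS{aead}, err
}

func (k *envKMS) Wrap(dataKey []byte) ([]byte, error) {
	nonce := make([]byte, k.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return k.aead.Seal(nonce, nonce, dataKey, nil), nil // nonce || ct || tag
}

func (k *envKMS) Unwrap(wrapped []byte) ([]byte, error) {
	if n := k.aead.NonceSize(); len(wrapped) > n {
		return k.aead.Open(nil, wrapped[:n], wrapped[n:], nil)
	}
	return nil, fmt.Errorf("wrapped key too short")
}

func main() {
	os.Setenv("DEV_KMS_MASTER_KEY", "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
	kms, _ := NewEnvKMS("DEV_KMS_MASTER_KEY") // constructed dev key above
	fmt.Println(kms.Wrap([]byte("constructed-32-byte-data-key-001")))
}
```

A cloud-backed implementation of the same interface would forward `Wrap` and `Unwrap` to the provider, so the master key never enters the application process.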
