Eclipse KeySealer provides an open source KMS plugin for Kubernetes encryption at rest.
The initial implementation is based on k8s-kms-plugin, a gRPC service that implements the Kubernetes KMS v2 API and connects Kubernetes to a local or remote PKCS #11-capable key store. The plugin enables Kubernetes clusters to protect API data, such as Secrets, by using a key encryption key stored in an HSM, TPM-backed provider, software token, or external key manager exposed through PKCS #11.
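For orientation, an added example (not taken from the KeySealer project) of the kube-apiserver `EncryptionConfiguration` that points the API server at a KMS v2 plugin over a local gRPC socket. The provider name and socket path are placeholders chosen for illustration; the project's own documentation defines the real values.

```yaml
# Added example, not KeySealer's own configuration.
# Passed to kube-apiserver with --encryption-provider-config=<path to this file>.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      # The first provider in the list is used for writes. With KMS v2 the
      # API server encrypts each object locally and asks the plugin to wrap
      # its data encryption key material with the key encryption key, which
      # stays inside the PKCS #11 key store.
      - kms:
          apiVersion: v2
          name: pkcs11-kms-plugin                        # placeholder name
          endpoint: unix:///var/run/kms-plugin/kms.sock  # placeholder socket path
          timeout: 3s
      # Listed last so the API server can still read objects that were stored
      # before encryption was enabled. Remove it once every Secret has been
      # rewritten, otherwise unencrypted entries remain readable from etcd.
      - identity: {}
```

The plugin's socket should be readable only by the API server process, since anything that can reach it can request wrap and unwrap operations against the key encryption key.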
Eclipse KeySealer is intended to provide a vendor-neutral home for Kubernetes KMS integrations with hardware-backed and externally managed keys. It helps Kubernetes operators use protected keys without depending on a single cloud provider, hardware vendor, or proprietary key-management integration.
The project is designed for production-oriented Kubernetes deployments where data-at-rest encryption, key isolation, key rotation, auditability, and interoperability with existing cryptographic infrastructure are important requirements.
The content of this open source project is received and distributed under the license(s) listed above. Some source code and binaries may be distributed under different terms. Specific license information is provided in file headers and in NOTICE files distributed with the project's binaries.