Scope
<p><strong>Eclipse KeySealer</strong> provides software for integrating Kubernetes KMS APIs with external cryptographic key stores and key-management systems.</p><p>Eclipse KeySealer enables Kubernetes clusters to protect data at rest through secure integration with PKCS #11-compatible HSMs, TPM-backed providers, software tokens, and external key-management systems.</p><p>The project includes:</p><ul><li data-list-item-id="ea68926368a72273363b4246300a8a97f">Implementations of Kubernetes KMS provider plugins, starting with KMS v2.</li><li data-list-item-id="eaff5cda8e08955c53ad3a79dc803b24f">Integration with PKCS #11-capable devices and providers, including HSMs, TPM-backed PKCS #11 providers, and software tokens.</li><li data-list-item-id="e38c3eca274eb9c49642004c96f890666">Support for current and future Kubernetes KMS API versions.</li><li data-list-item-id="e93dc6aa1035c9d91a4a23b04420d6990">Support for relevant PKCS #11 versions, including PKCS #11 v2.40, v3.2, and future compatible versions.</li><li data-list-item-id="e500c9bbaa4503083b5ac38f9af146ca4">Configuration examples, deployment manifests, packaging, tests, and documentation for running KMS plugins in Kubernetes environments.</li><li data-list-item-id="ea2d1c411c046dfeb1875c86a63af5a8e">Key rotation workflows, interoperability testing, and operational guidance for secure Kubernetes encryption-at-rest deployments.</li></ul><p>The project does not define new Kubernetes APIs, new cryptographic algorithms, new PKCS #11 specifications, or new key-management standards. It implements and integrates existing standards and APIs. It also does not replace Kubernetes encryption providers, HSM firmware, TPM firmware, or vendor-specific key managers.</p>
