Eclipse KeySealer

Scope

Eclipse KeySealer provides software for integrating Kubernetes KMS APIs with external cryptographic key stores and key-management systems.

Eclipse KeySealer enables Kubernetes clusters to protect data at rest through secure integration with PKCS #11-compatible HSMs, TPM-backed providers, software tokens, and external key-management systems.

The project includes:

  • Implementations of Kubernetes KMS provider plugins, starting with KMS v2.
  • Integration with PKCS #11-capable devices and providers, including HSMs, TPM-backed PKCS #11 providers, and software tokens.
  • Support for current and future Kubernetes KMS API versions.
  • Support for relevant PKCS #11 versions, including PKCS #11 v2.40, v3.2, and future compatible versions.
  • Configuration examples, deployment manifests, packaging, tests, and documentation for running KMS plugins in Kubernetes environments.
  • Key rotation workflows, interoperability testing, and operational guidance for secure Kubernetes encryption-at-rest deployments.

The project does not define new Kubernetes APIs, new cryptographic algorithms, new PKCS #11 specifications, or new key-management standards. It implements and integrates existing standards and APIs. It also does not replace Kubernetes encryption providers, HSM firmware, TPM firmware, or vendor-specific key managers.

Releases

Name    Date

Reviews

Name               Date
Creation Review    2026-06-03