Eclipse KeySealer

Wednesday, May 6, 2026 - 05:17 by nicolas mpprojects
This proposal is in the Project Proposal Phase (as defined in the Eclipse Development Process) and is written to declare its intent and scope. We solicit additional participation and input from the community. Please login and add your feedback in the comments section.
Parent Project
Proposal State
Community Review
Background

Kubernetes supports encryption at rest for API data by using encryption providers. For external key management, Kubernetes defines a Key Management Service, or KMS, provider interface. The Kubernetes KMS provider uses envelope encryption: Kubernetes encrypts data with data encryption keys, and those data encryption keys are protected by a key encryption key managed through an external KMS plugin.

Kubernetes KMS v2 is the current recommended KMS API. The Kubernetes documentation states that KMS v2 is stable as of Kubernetes v1.29, while KMS v1 has been deprecated since Kubernetes v1.28 and disabled by default since Kubernetes v1.29.

The Kubernetes API server communicates with a KMS plugin over gRPC through a Unix domain socket. The plugin is deployed on the Kubernetes control plane hosts and is responsible for communicating with the external key management system. Kubernetes also provides guidance, Go libraries, and protocol definitions for implementing a KMS v2 plugin.

PKCS #11, also known as Cryptoki, is an OASIS specification that defines an API for cryptographic tokens and devices that hold cryptographic information and perform cryptographic operations. OASIS PKCS #11 Version 3.2 defines the data types, functions, and other basic components of the Cryptoki interface.

Eclipse KeySealer addresses the gap between Kubernetes KMS and PKCS #11-capable key stores. It provides a Kubernetes KMS v2 plugin that can use a local or remote PKCS #11-capable HSM, TPM-backed provider, software token, or key manager to protect Kubernetes data at rest.
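The envelope-encryption exchange described above, modelled as an added example (not code from k8s-kms-plugin or the Eclipse KeySealer project): an in-memory AES-GCM KEK stands in for the key a PKCS #11 token would hold, the API server's DEK is wrapped and unwrapped through Encrypt/Decrypt, and the key_id returned with every wrapped DEK is what lets the API server notice that the KEK was rotated. The type and function names, the sample key and the sample DEK are all constructed for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KEK stands in for the key encryption key a PKCS #11 token would hold; the real
// plugin never sees the key bytes, this in-memory copy is a constructed sample.
type KEK struct {
	id   string      // key_id the plugin reports to the API server
	aead cipher.AEAD // AES-GCM keyed with the KEK
}

func NewKEK(id string, key []byte) (*KEK, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32 key bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block) // cannot fail for an AES block
	return &KEK{id: id, aead: aead}, err
}

// Encrypt wraps the DEK the API server generated: random nonce prefixed,
// key_id bound as associated data so a blob cannot be re-labelled.
func (k *KEK) Encrypt(dek []byte) (wrapped []byte, keyID string, err error) {
	nonce := make([]byte, k.aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, "", err
	}
	return k.aead.Seal(nonce, nonce, dek, []byte(k.id)), k.id, nil
}

// Decrypt unwraps a DEK; a key_id this token does not hold (rotated or foreign
// KEK) or a tampered blob is rejected instead of yielding garbage key bytes.
func (k *KEK) Decrypt(wrapped []byte, keyID string) ([]byte, error) {
	if keyID != k.id {
		return nil, errors.New("unknown key_id: KEK rotated or wrong token")
	}
	if n := k.aead.NonceSize(); len(wrapped) >= n {
		return k.aead.Open(nil, wrapped[:n], wrapped[n:], []byte(k.id))
	}
	return nil, errors.New("wrapped DEK too short")
}

func main() {
	k, _ := NewKEK("kek-v1", []byte("0123456789abcdef0123456789abcdef")) // constructed key
	dek := []byte("dek-generated-by-apiserver-32byt")                   // constructed DEK
	w, id, _ := k.Encrypt(dek)
	back, err := k.Decrypt(w, id)
	fmt.Println(id, err, string(back) == string(dek))
}
```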

Scope

Eclipse KeySealer provides software for integrating Kubernetes KMS APIs with external cryptographic key stores and key-management systems.

Eclipse KeySealer enables Kubernetes clusters to protect data at rest through secure integration with PKCS #11-compatible HSMs, TPM-backed providers, software tokens, and external key-management systems.

The project includes:

  • Implementations of Kubernetes KMS provider plugins, starting with KMS v2.
  • Integration with PKCS #11-capable devices and providers, including HSMs, TPM-backed PKCS #11 providers, and software tokens.
  • Support for current and future Kubernetes KMS API versions.
  • Support for relevant PKCS #11 versions, including PKCS #11 v2.40, v3.2, and future compatible versions.
  • Configuration examples, deployment manifests, packaging, tests, and documentation for running KMS plugins in Kubernetes environments.
  • Key rotation workflows, interoperability testing, and operational guidance for secure Kubernetes encryption-at-rest deployments.

The project does not define new Kubernetes APIs, new cryptographic algorithms, new PKCS #11 specifications, or new key-management standards. It implements and integrates existing standards and APIs. It also does not replace Kubernetes encryption providers, HSM firmware, TPM firmware, or vendor-specific key managers.

Description

Eclipse KeySealer provides an open source KMS plugin for Kubernetes encryption at rest.

The initial implementation is based on k8s-kms-plugin, a gRPC service that implements the Kubernetes KMS v2 API and connects Kubernetes to a local or remote PKCS #11-capable key store. The plugin enables Kubernetes clusters to protect API data, such as Secrets, by using a key encryption key stored in an HSM, TPM-backed provider, software token, or external key manager exposed through PKCS #11.

Eclipse KeySealer is intended to provide a vendor-neutral home for Kubernetes KMS integrations with hardware-backed and externally managed keys. It helps Kubernetes operators use protected keys without depending on a single cloud provider, hardware vendor, or proprietary key-management integration.

The project is designed for production-oriented Kubernetes deployments where data-at-rest encryption, key isolation, key rotation, auditability, and interoperability with existing cryptographic infrastructure are important requirements.

Future Work

Future work may include:

  • Keeping the plugin aligned with new Kubernetes KMS API versions.
  • Improving KMS v2 conformance, interoperability, and regression testing.
  • Expanding tested PKCS #11 provider coverage across HSMs, TPM-backed PKCS #11 providers, and software tokens.
  • Improving key rotation workflows, including operational documentation and automated tests.
  • Providing deployment assets for common Kubernetes distributions and operating environments.
  • Adding signed packages, container images, SBOMs, and supply-chain security metadata.
  • Improving observability, including metrics, health checks, audit-friendly logs, and troubleshooting guidance.
  • Supporting additional backend key-management protocols if they fit the project scope.
  • Documenting secure deployment patterns for single-node, high-availability, air-gapped, and remote-HSM environments.

Interested Parties

ThalesGroup is the creator and main maintainer of k8s-kms-plugin.

A couple of large companies, including web giants and social networks, use hardware security modules together with Kubernetes.

Initial Contribution

The k8s-kms-plugin project exists under the github.com/ThalesGroup organisation and already has a couple of releases.

Source Repository Type