OpenBao KMSaaS Platform
Centralized, compliant, and sovereign cryptographic key management with HSM-grade security.
HSM Auto-Unseal
SoftHSM PKCS#11 + RSA-4096
TDE Database
PostgreSQL pg_tde extension
Dynamic Secrets
JIT database credentials
🎯 KMS Superpowers
Staff Management
Encrypted CRUD against HSM-protected keys
Data Masking
Visual PII protection for logs, reports, and UI display
KV Secret Engine
OpenBao KV v2 secrets with version history at secret/
Transit Encryption
AES-256-GCM encryption with format-preserving option
Post-Quantum Crypto
ML-KEM-768 + ML-DSA-65 with keys protected by OpenBao KV
HSM Integration
SoftHSMv2 PKCS#11 auto-unseal with RSA-4096 key protection
PKI Certificates
On-demand X.509 certificate issuance for TLS/mTLS
Audit Logging
Complete operation history for compliance and security
TOTP MFA
RFC 6238 compliant time-based one-time passwords
Dynamic Secrets
JIT PostgreSQL credentials with per-lease TTL via OpenBao database engine
Key Rotation
Live Transit key rotation: old versions decrypt, new encryptions use latest
TDE & Encryption Proof
pg_tde at-rest encryption with raw-page forensic proof
🚀 Quick Start
Initialize System
./init-kms.sh
Run HSM Demo
./demo-hsm-showcase.sh