Listing Thumbnail

    Cosmian KMS - Ubuntu 24.04 (AMD SEV-SNP)

     Info
    Sold by: COSMIAN 
    Deployed on AWS
    This Customer Managed Key Management System has charges associated with the use of the software from UAT to Production and also standard support from Cosmian.

    Overview

    This is a repackaged software wherein additional charges apply for extended support.

    Cosmian kms is a modern, cloud-ready key management system for your encryption keys and certificates, running inside a Cosmian vm - a verifiable and confidential virtual machine.

    This ensures that your KMS remains entirely confidential, at rest and in use, and is verifiable (no hardware of software tampering).

    Cosmian kms delivers unparalleled data security for your organization with an on-the-fly encryption/decryption keys solution, empowering sovereignty, security, and efficiency.

    • Protect your data sovereignty with our independent security solution, eliminating reliance on public cloud providers.

    • Strengthen your security posture by taking charge of sensitive data encryption, including workspace, R&D data, HR information, and electronic communications.

    • Streamline your IT system and server management with automated processes, empowering your system administrators to boost productivity and efficiency in infrastructure management.

    What is in Cosmian kms? Modern lifecycle management for keys and certificates : Cosmian kms offer cutting-edge features for managing encryption keys and certificates throughout their lifecycle.

    • Key storage
    • Key generation
    • Key rotation
    • Key distribution
    • Key usage policies

    Advanced Public Key Infrastructure integration : Integrating seamlessly with external entities, the Cosmian kms facilitates Public Key Infrastructure management beyond the confines of your organization. Whether it's leveraging third-party actors or overseeing key governance, we ensure a streamlined and secure process.

    Embedding standard and modern encryption libraries : Embracing both standard and contemporary cryptographic algorithms, the Cosmian kms boasts an unparalleled breadth of coverage.

    • FIPS 140-3 validated encryption libraries
    • Covercrypt: Post-quantum resistance & access policy
    • Findex: search encryption

    Highlights

    • Advanced Key Management for crypto-agility / Enhanced Data Protection / Zero Trust KMS Strategy / Scalability and Flexibility

    Details

    Sold by

    Categories

    Delivery method

    Delivery option
    64-bit (x86) Amazon Machine Image (AMI)

    Latest version

    Operating system
    Ubuntu 24.04

    Deployed on AWS
    New

    Introducing multi-product solutions

    You can now purchase comprehensive solutions tailored to use cases and industries.

    Multi-product solutions

    Features and programs

    Financing for AWS Marketplace purchases

    AWS Marketplace now accepts line of credit payments through the PNC Vendor Finance program. This program is available to select AWS customers in the US, excluding NV, NC, ND, TN, & VT.
    Financing for AWS Marketplace purchases

    Pricing

    Cosmian KMS - Ubuntu 24.04 (AMD SEV-SNP)

     Info
    Pricing is based on actual usage, with charges varying according to how much you consume. Subscriptions have no end date and may be canceled any time. Alternatively, you can pay upfront for a contract, which typically covers your anticipated usage for the contract duration. Any usage beyond contract will incur additional usage-based costs.
    Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator  to estimate your infrastructure costs.

    Usage costs (30)

     Info
    Dimension
    Cost/hour
    c6a.xlarge
    Recommended
    $3.04
    r6a.xlarge
    $3.04
    c6a.2xlarge
    $6.08
    r6a.12xlarge
    $36.48
    r6a.metal
    $145.92
    r6a.24xlarge
    $72.96
    c6a.4xlarge
    $12.16
    m6a.metal
    $145.92
    r6a.32xlarge
    $97.28
    m6a.48xlarge
    $145.92

    Vendor refund policy

    We apply the standard refund policy from AWS which states that refund can be done directly through AWS within the first 48 hours. After that no refund will be taken into account.

    How can we make this page better?

    Tell us how we can improve this page, or report an issue with this product.
    Tell us how we can improve this page, or report an issue with this product.

    Legal

    Vendor terms and conditions

    Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA) .

    Content disclaimer

    Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.

    Usage information

     Info

    Delivery details

    64-bit (x86) Amazon Machine Image (AMI)

    Amazon Machine Image (AMI)

    An AMI is a virtual image that provides the information required to launch an instance. Amazon EC2 (Elastic Compute Cloud) instances are virtual servers on which you can run your applications and workloads, offering varying combinations of CPU, memory, storage, and networking resources. You can launch as many instances from as many different AMIs as you need.

    Version release notes

    Version 5.24.0 - June 18, 2026

    Security Fixes

    • Updated mysql_async dependency (0.36 to 0.37) to address a known vulnerability in a transitive dependency (RUSTSEC-2026-0173). Severity: Low.

    New Features

    REST Crypto API (JOSE)

    • Import JWK keys directly via POST /v1/crypto/keys for symmetric, EC (P-256/384/521), RSA, and OKP (Ed25519) key types.
    • New POST /v1/crypto/keys/unwrap endpoint for RSA-OAEP Content Encryption Key (CEK) unwrapping without exposing key material to the client.
    • Signature verification is now supported on private keys; RSA-OAEP encryption is available for imported private keys.
    • HMAC keys longer than the minimum required size are now accepted (per RFC 7518).

    Observability - OpenTelemetry Metrics

    • Nine new OTLP metrics exported for operational monitoring: database operations, HTTP requests, active connections, object counts, active key counts, cache operations, and HSM operations.
    • Accurate end-to-end HTTP request latency measurement via dedicated middleware.

    Windows / CNG KSP / Microsoft Intune

    • Windows Service Control Manager (SCM) integration with graceful shutdown support.
    • New Export-IntunePrivateKey and Import-IntunePrivateKey commands for Microsoft Intune PFX key workflows (PKCS#8 DER, PEM/DER/CNG formats).
    • CNG and PKCS#11 DLL verification integrated into the ckms CLI (ckms cng verify, ckms pkcs11 verify), replacing standalone binaries.
    • Default key usages now automatically assigned to PrivateKey and PublicKey objects.

    CLI (ckms)

    • TLS stack replaced with hyper + hyper-openssl, enabling post-quantum TLS connections (ML-DSA-44).
    • activate subcommand added to all key, certificate, secret-data, and opaque-object modules.

    PKCS#11 / VeraCrypt

    • KMS symmetric keys tagged with disk-encryption are now exposed as CKO_DATA token objects, enabling VeraCrypt disk encryption use cases. The tag name is configurable via the COSMIAN_PKCS11_DISK_ENCRYPTION_TAG environment variable.

    EDB PostgreSQL Advanced Server - Transparent Data Encryption (TDE)

    • Native TDE integration added, compatible with pykmip and Thales KMIP clients.

    Server

    • OpenSSL hardware acceleration status (AES-NI, AVX, SHA, VAES, RDRAND) is now logged at startup.
    • Secret management for KMS configuration files: sensitive values can be referenced via secret:// URIs pointing to AWS Secrets Manager, Azure Key Vault, HashiCorp Vault, or another KMS instance.

    Bug Fixes

    VAST Data / KMIP 1.4 Interoperability

    • Fixed vendor attributes (including OperationPolicyName) being silently dropped in KMIP 1.4 GetAttributes responses.
    • Fixed AddAttribute(OperationPolicyName) not being persisted; it is now correctly stored and returned as a VendorAttribute.
    • KMIP 1.x vendor_identification="KMIP1" attributes can now be overwritten via AddAttribute.

    CLI (ckms)

    • IANA TLS 1.2 cipher suite names are now correctly translated to OpenSSL format; unknown ciphers are silently skipped.

    HSM

    • Fixed C_Finalize being forwarded to the real HSM library, which caused CKR_DEVICE_REMOVED errors on subsequent sessions.

    KMIP / XML

    • Fixed TTLV XML deserializer failing to handle type="Structure" on self-closing XML elements.
    • Fixed XML response comparison issues for KMIP 1.4 (result_reason, empty KeyMaterial::ByteString, response_payload presence).

    Version 5.23.0 - June 5, 2026

    New Features

    • Format-Preserving Encryption (FPE) and data anonymization endpoints added.
    • Microsoft Intune PFX workflow support (initial release).
    • New endpoint to import JWE-wrapped keys.
    • cosmian_kms and ckms binaries automatically added to PATH by the installer.
    • JOSE import key endpoint added.
    • OpenSSL hardware acceleration feature flags displayed at startup.

    Bug Fixes

    • Server logging now defaults to /var/log when no log path is configured.

    Version 5.23.0 - May 25, 2026

    Security Fixes

    • COSMIAN-2026-016 - KEK wrapping bypass: attribute-only operations (ModifyAttribute, SetAttribute, AddAttribute, Activate) were incorrectly auto-unwrapping KEK-wrapped keys and persisting plaintext to the database. Fixed.
    • COSMIAN-2026-015 - KEK plaintext leak via UsageLimits: key material was being persisted in plaintext when UsageLimits were configured. Fixed.
    • COSMIAN-2026-017 / COSMIAN-2026-018 - ReKey and Activate operations now enforce ownership and permission checks. Previously, any user with any grant could activate or rotate another user's key.
    • Attribute mutation operations (SetAttribute, ModifyAttribute, AddAttribute, DeleteAttribute) now require the correct per-operation permission instead of the weaker GetAttributes permission.
    • HSM key permissions hardened: Destroy and Revoke operations restricted to HSM administrators; non-admin visibility filtered in Locate and /access/owned.
    • ReKey and ReKeyKeyPair now enforce privileged-user gating consistent with Create, Import, and Register.
    • GPL dependency removed: actix-governor (GPL-3.0) replaced with a MIT/Apache-2.0-licensed alternative.

    New Features

    REST Crypto API (JOSE/JWE)

    • New REST API under /v1/crypto providing JOSE-compatible cryptographic operations (encrypt, decrypt, sign, verify, MAC) without requiring a KMIP client library.
    • Supports AES-GCM (direct), RSA-OAEP/RSA-OAEP-256 key wrapping, RS256/384/512, PS256/384/512, ES256/384/512, and HMAC HS256/384/512.
    • Key lifecycle management: create (symmetric, RSA, EC), and delete with cascade destroy.

    Multi-HSM Support

    • Multiple HSM instances can be connected simultaneously, configured via a TOML array ([[hsm_instances]]) with prefix-based routing.
    • New GET /hsm/status endpoint (authenticated) returns the status of all connected HSM instances.
    • New HSM Status page in the Web UI.

    Post-Quantum Cryptography (PQC) - X.509 Certificates

    • X.509 certificate issuance now supports ML-DSA-44/65/87 and all SLH-DSA variants as subject key and signing algorithms (non-FIPS builds).
    • ML-KEM-512/768/1024 CA-issued certificates supported per RFC 9935.
    • RFC 9608 id-ce-noRevAvail extension automatically added to self-signed certificates with no CRL distribution point.

    Key Pair Rotation (ReKeyKeyPair)

    • ReKeyKeyPair operation implemented per KMIP specification, supporting RSA, EC, Ed25519, X25519, ML-KEM, ML-DSA, and SLH-DSA. KMIP 1.4 wire format supported.

    OpenAPI / Swagger UI

    • New /openapi.yaml endpoint serving the embedded OpenAPI 3.1 specification.
    • New /swagger endpoint with a locally-hosted Swagger UI (no CDN dependency), strict Content Security Policy headers applied.

    Bug Fixes

    VAST Data / KMIP 1.x Interoperability

    • Fixed ReKey, DeriveKey, ReCertify, and Check returning Invalid_Message for KMIP 1.4 clients.
    • Fixed RFC 3394 vs. RFC 5649 key wrapping mismatch; NISTKeyWrap (RFC 3394) is now the correct default.
    • Fixed DerivationParameters deserialization silently ignoring Salt, DerivationData, and IterationCount fields.
    • Fixed ReKey incorrectly modifying key material in-place; a new UID is now created and linked to the original key.

    Google Client-Side Encryption (CSE)

    • Fixed InvalidAudience error rejecting all CSE authorization tokens with jsonwebtoken 10.x.
    • Fixed KACLS migration rewrap/privilegedunwrap flow.
    • Fixed JWKS refresh not retrying after validation failure, which could cause permanent authentication failures.
    • Fixed POST /google_cse/wrapprivatekey endpoint being unreachable.

    Multi-HSM

    • Fixed model-based HSM UIDs being routed to the wrong backend.
    • Fixed Get and Export equivalence not being honored for HSM keys.
    • Fixed HSM keys being excluded from /access/obtained results due to an incorrect SQL JOIN.

    Certificates

    • Fixed incorrect OID for id-ce-noRevAvail extension.
    • Fixed certificatePolicies extension failing when a CPS qualifier was present in certificate extensions.

    Encryption / Web UI

    • Fixed large file encryption causing an out-of-memory panic in the WASM client for payloads above approximately 10 MB.
    • Client-side upload limit corrected to 30 MB to account for TTLV encoding overhead.
    • Fixed HTML error pages being returned by the KMIP endpoint on payload size violations; plain text errors are now returned.
    • Fixed ECDSA verify returning HTTP 500 on a corrupted signature instead of {"valid": false}.
    • Fixed Activate on Destroyed or Compromised objects returning Object_Not_Found; the correct Wrong_Key_Lifecycle_State error is now returned.

    Additional details

    Usage instructions

    WARNING : The region east-us1 must not be used to deploy Cosmian products ! It is only present due to an AWS testing constraint but this region does not allow the deployment of confidential VM for the moment.

    Make sure to enable the configuration related to AMD SEV-SNP option located in the advanced details tab within the marketplace deployment page.

    As the Cosmian KMS is deployed on top of a Cosmian Verifiable VM, cosmian_vm_agent starts for the first time, it initializes several components:

    1. It generates a self-signed certificate and sets the CommonName of the certificate to the value of the machine hostname.
    2. It generates a LUKS container (/var/lib/cosmian_vm/container) and mounts it at /var/lib/cosmian_vm/data. Note that /var/lib/cosmian_vm/tmp is a tmpfs. It is encrypted but it should contain only volatile data since it is erased at each VM reboot. Data in this directory is encrypted due to the fact that the RAM is encrypted.
    3. It generates the TPM endorsement keys.

    It is recommended to configure 1. and 2. on your own for production systems.

    The certificate can be changed at will:

    • Edit your DNS register to point to that VM.
    • Create a trusted certificate using the method of your choice (e.g., Let's Encrypt) or use cosmian_certtool.
    • Edit the cosmian_vm_agent configuration file to point to the location of the TLS certificate and private key.

    The LUKS container can be regenerated using cosmian_fstool with your own size and password (to store by yourself in a secure location). It is recommended to use an additional backup disk to store the container. You can skip all these first startup steps by setting COSMIAN_VM_PREINIT=0 when starting cosmian_vm_agent.

    Once the image is instantiated (on GCP, Azure, or AWS), the <code>cosmian_vm_agent</code> automatically starts as a systemd service when the VM boots.

    You can now install any packages or applications you want on the VM.

    Your VM is now set and ready.

    Finally, please follow the deployment process to configure your KMS properly: https://docs.cosmian.com/deployment/cosmian_vm_kms/ 

    Support

    Vendor support

    AWS infrastructure support

    AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.

    Similar products

    Customer reviews

    Ratings and reviews

     Info
    0 ratings
    5 star
    4 star
    3 star
    2 star
    1 star
    0%
    0%
    0%
    0%
    0%
    0 reviews
    No customer reviews yet
    Be the first to review this product . We've partnered with PeerSpot to gather customer feedback. You can share your experience by writing or recording a review, or scheduling a call with a PeerSpot analyst.