Open source · AGPL-3.0-or-later · Sovereign Key Management Service

Key lifecycle coordination over your existing HSM/KMS — hierarchy, rotation, policy, and audit, without vendor lock-in.

KeyRack is an open-source key management coordination layer. It tracks key hierarchies, drives rotation, and delegates every cryptographic operation to HSM backends. KeyRack never touches raw key material.

Already running AWS KMS? Start without a rewrite

Put the open-source keyrack-aws-proxy in front of AWS KMS. Your existing AWS SDK clients keep working unchanged — KeyRack records key metadata, builds the dependency graph, and gives you a verifiable audit trail. Crypto still runs on AWS; you gain visibility with zero code changes.

# Point any AWS SDK at the FOSS proxy; no application code changes.
# The proxy sits in the request path and parses every SDK call (Encrypt
# plaintexts included), so keep this http:// hop inside a trusted network
# or run the proxy as a sidecar next to the client.
export AWS_ENDPOINT_URL=http://keyrack-aws-proxy:8080

keyrack-aws-proxy is AGPL and ships in the core repo. When you're ready to move custody off AWS entirely, the commercial AWS KMS shim routes the same SDK calls to KeyRack-managed keys. See commercial options →

What KeyRack is

  • A coordination layer that delegates crypto to a backend
  • Key hierarchy, rotation, Cedar policy, and structured audit
  • Software you deploy — not a hosted cloud KMS
  • gRPC, REST, and commercial API shims (AWS KMS, Barbican)

What KeyRack is not

  • Not a from-scratch crypto implementation
  • Not a replacement for your HSM — it orchestrates over PKCS#11, Vault, KMIP
  • Not a turnkey multi-node HA cluster in the OSS core (commercial)
  • Not GCP/Azure KMS shims today (roadmap)

How it fits together

KeyRack coordinates between clients, HSM backends, policy engines, and storage — never touching raw key material.

  Clients                      KeyRack Service                  HSM Backends

  AWS SDK        ─────┐
  OpenStack      ─────┤
  gRPC           ─────┼────▶  ┌──────────────────┐  ────▶  PKCS#11
  REST           ─────┤       │                  │  ────▶  KMIP
  WASM           ─────┘       │  keyrack-service │
                              │                  │
                              └────────┬─────────┘
                                       │
                        ┌──────────────┼──────────────┐
                        │              │              │
                   External PDP     Storage         Audit
                   Cedar / OPA    PostgreSQL     NATS / File
                                    SQLite         Stdout

gRPC, REST, and WASM are open-source client surfaces. AWS SDK and OpenStack clients connect through the FOSS keyrack-aws-proxy (AWS pass-through) or the commercial AWS KMS / Barbican shims.

Built for real-world KMS

Everything you need to run a production key management service.

🌲

Hierarchical Key Trees

Deterministic derivation with namespace-scoped rules and cascade operations.

🛡️

External Policy Engine

Delegate authorization to Cedar, OPA, or any policy decision point.

🔒

HSM-backed Crypto

With an HSM backend (PKCS#11, KMIP, Vault Transit), every cryptographic operation runs inside the backend and KeyRack holds no key material in memory. The in-process software provider keeps keys in process memory and is for development and testing only.

📝

Audit Everything

Structured audit events via NATS, files, or stdout. Full operation traceability.

🔀

Multi-Provider Routing

Route keys across software, PKCS#11, Vault Transit, and KMIP backends with tag-driven rules and per-version binding.

🔑

Hold Your Own Key

Tenants keep their own HSM. Disconnect it and derived keys go dark within a configurable cache TTL.

Differentiators

Hierarchy + cascade rotation

Deterministic key derivation trees with namespace-scoped rules. Disabling any key in the chain cascades downward.

Cooperative re-wrap protocol

Cross-provider re-encryption and rotation without big-bang data migration.

Multi-provider routing

Route keys across BYOK and HYOK backends with tag-driven rules and per-version provider binding.

Cedar policy + structured audit

External PDP on every operation. Ed25519-signed audit events with BLAKE3 hash chain.

Crypto agility / PQC-ready

Algorithm abstraction and rotation framework. PQC algorithms are not shipped yet — see roadmap.

Bounded HYOK lockout

Disconnect a tenant HSM and derived keys become unusable within a configurable cache TTL.

Backends available today

  Software                  In-process RustCrypto; development and testing only
  SoftHSM / PKCS#11         Thales, Entrust, YubiHSM, CloudHSM, SoftHSM
  HashiCorp Vault Transit   Vault-backed crypto operations
  KMIP client               Remote HSMs speaking OASIS KMIP (HYOK)

Commercial & roadmap

  KMIP server                Commercial   Tenant-facing KMIP endpoint
  AWS KMS / Barbican shims   Commercial   Drop-in API compatibility
  GCP / Azure shims          Roadmap      Not implemented
  PQC algorithms             Roadmap      Framework ready; algorithms pending

Open source core

keyrack-oss (AGPL-3.0-or-later): key lifecycle, gRPC + REST APIs, pluggable providers, Cedar authorization, NATS eventing. Proto definitions and client SDK are Apache-2.0.

  • Software, PKCS#11, Vault Transit, KMIP client providers
  • SQLite and PostgreSQL storage
  • Runnable FOSS demos (Docker Compose + Kubernetes)

Commercial extensions

keyrack-commercial (proprietary) adds enterprise features and AGPL-free embedding on top of the same core — without gating any core KMS functionality. See what's included →

Up and running in minutes

Clone the repo, start the stack, create a key, encrypt and decrypt data.

# Clone and start the stack
git clone https://github.com/KeyRack-io/keyrack.git
cd keyrack
docker compose up -d keyrack-service

# Create a key and capture its ID
KEY_ID=$(curl -s http://localhost:8080/v1/keys -X POST \
  -H 'Content-Type: application/json' \
  -d '{"key_spec": "AES_256", "description": "my first key"}' | jq -r '.lid')

# Encrypt data (plaintext is base64-encoded)
curl -s http://localhost:8080/v1/keys/$KEY_ID/actions-encrypt -X POST \
  -H 'Content-Type: application/json' \
  -d '{"plaintext": "aGVsbG8ga2V5cmFjaw=="}' | jq .

# Decrypt data
curl -s http://localhost:8080/v1/keys/$KEY_ID/actions-decrypt -X POST \
  -H 'Content-Type: application/json' \
  -d '{"ciphertext_blob": "...from above..."}' | jq .

Or run the full end-to-end demo: ./examples/quickstart.sh

Proof

Demos

Four FOSS Docker Compose demos plus a Kubernetes sidecar demo. AWS shim demos ship with commercial extensions.

View demos →

Benchmarks

NFR numbers from a pinned reference platform — methodology published for reproducibility. Results pending harness completion.

Benchmarks →

Verifiable audit

Every operation emits an Ed25519-signed, BLAKE3 hash-chained audit event. Editing, reordering or removing an event inside the chain breaks the link to its successor and is detected by keyrack audit verify; as with any hash chain, removal of the newest events is only detectable against a checkpoint of the latest hash kept outside the log store.

Security model →