
Feature: Key Management Service (KMS) #12711

Open

vishesh92 wants to merge 19 commits into apache:main from shapeblue:feature-kms

Conversation

@vishesh92 (Member) commented Feb 26, 2026

Key Management Service (KMS) with HSM Integration

Description

Introduces a Key Management Service (KMS) framework for CloudStack that provides envelope encryption for volume encryption. KEKs (Key Encryption Keys) stored in PKCS#11-compliant HSMs or the CloudStack database wrap per-volume DEKs (Data Encryption Keys), ensuring key material is never stored in plaintext.

Design Document: https://cwiki.apache.org/confluence/display/CLOUDSTACK/Key+Management+Service+%28KMS%29+with+HSM+Integration
Docs PR: #12711

New APIs

| API | Auth | Description |
|---|---|---|
| createKMSKey | All users | Create a KMS key (KEK) bound to an HSM profile |
| listKMSKeys | All users | List KMS keys |
| updateKMSKey | All users | Update name, description, or enabled state |
| deleteKMSKey | All users | Delete a KMS key (if not in use) |
| rotateKMSKey | Admin | Rotate KEK with optional cross-HSM migration |
| migrateVolumesToKMS | Admin | Migrate passphrase-encrypted volumes to KMS |
| addHSMProfile | Admin | Add HSM profile configuration |
| listHSMProfiles | All users | List available HSM profiles |
| updateHSMProfile | Admin | Update HSM profile |
| deleteHSMProfile | Admin | Delete HSM profile |

New Database Tables

kms_hsm_profiles, kms_hsm_profile_details, kms_keys, kms_kek_versions, kms_wrapped_key, kms_database_kek_objects

Modified: cloud.volumes — added kms_key_id and kms_wrapped_key_id columns.

New Global Settings

| Setting | Default | Description |
|---|---|---|
| kms.dek.size.bits | 256 | DEK size in bits |
| kms.retry.count | 3 | Retry attempts for transient failures |
| kms.retry.delay.ms | 1000 | Delay between retries |
| kms.operation.timeout.sec | 30 | Per-operation timeout |
| kms.rewrap.batch.size | 50 | Keys rewrapped per background batch |
| kms.rewrap.interval.ms | 300000 | Background rewrap interval |

UI Changes

  • New KMS top-level menu with KMS Keys and HSM Profiles sub-sections
  • KMS key selection in Deploy VM and Create Volume wizards
  • HSM profile management restricted to Admin users in UI

How to Test

Tested with:

1. Add an HSM profile (use SoftHSM2 for testing)
2. Create a KMS key with the HSM profile
3. Create a disk offering with Encryption enabled
4. Deploy a VM / create a volume and specify the KMS key
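As an added illustration of the envelope-encryption scheme the description outlines (this is example code, not code from this PR or from CloudStack): a KEK that never leaves its key store wraps a 256-bit per-volume DEK (the kms.dek.size.bits default), only the wrapped DEK and the KEK version are persisted, and a KEK rotation re-wraps the stored DEK without touching the encrypted volume data. The KekStore class, the volume ids, the AAD layout and the use of AES-GCM as the wrapping mode are assumptions chosen for this example; the real PKCS#11 wrapping mechanism is whatever the HSM provider in the PR negotiates.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class EnvelopeDemo {
    static final int DEK_SIZE_BITS = 256;   // mirrors the kms.dek.size.bits default
    static final int GCM_IV_BYTES = 12;
    static final int GCM_TAG_BITS = 128;
    static final SecureRandom RNG = new SecureRandom();

    /** Hypothetical stand-in for an HSM profile: holds KEK versions; only wrap/unwrap results ever leave it. */
    static final class KekStore {
        private final Map<Integer, SecretKey> versions = new HashMap<>();
        private int current = 0;

        /** Creates a new KEK version and makes it current (what rotateKMSKey would trigger). */
        int rotate() throws GeneralSecurityException {
            KeyGenerator kg = KeyGenerator.getInstance("AES");
            kg.init(256);
            versions.put(++current, kg.generateKey());
            return current;
        }

        int currentVersion() { return current; }

        /** Wraps a DEK; the AAD binds the blob to its volume and KEK version so it cannot be swapped between volumes. */
        byte[] wrap(int version, byte[] dek, String volumeUuid) throws GeneralSecurityException {
            byte[] iv = new byte[GCM_IV_BYTES];
            RNG.nextBytes(iv);
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, versions.get(version), new GCMParameterSpec(GCM_TAG_BITS, iv));
            c.updateAAD(aad(version, volumeUuid));
            byte[] ct = c.doFinal(dek);
            byte[] out = new byte[iv.length + ct.length];   // stored layout: IV || ciphertext || tag
            System.arraycopy(iv, 0, out, 0, iv.length);
            System.arraycopy(ct, 0, out, iv.length, ct.length);
            return out;
        }

        /** Unwraps a DEK; a wrong KEK version, volume id or tampered blob fails the GCM tag check. */
        byte[] unwrap(int version, byte[] wrapped, String volumeUuid) throws GeneralSecurityException {
            SecretKey kek = versions.get(version);
            if (kek == null) throw new GeneralSecurityException("unknown KEK version " + version);
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, kek, new GCMParameterSpec(GCM_TAG_BITS, wrapped, 0, GCM_IV_BYTES));
            c.updateAAD(aad(version, volumeUuid));
            return c.doFinal(wrapped, GCM_IV_BYTES, wrapped.length - GCM_IV_BYTES);
        }

        private static byte[] aad(int version, String volumeUuid) {
            return ("kek-v" + version + "|" + volumeUuid).getBytes(StandardCharsets.UTF_8);
        }
    }

    /** What the database row would hold per volume: the wrapped DEK and its KEK version, never the DEK itself. */
    static final class WrappedKeyRecord {
        final int kekVersion; final byte[] wrappedDek;
        WrappedKeyRecord(int v, byte[] w) { kekVersion = v; wrappedDek = w; }
    }

    /** Generates a fresh DEK for a volume and keeps only its wrapped form. */
    static WrappedKeyRecord createVolumeKey(KekStore hsm, String volumeUuid) throws GeneralSecurityException {
        byte[] dek = new byte[DEK_SIZE_BITS / 8];
        RNG.nextBytes(dek);
        try {
            return new WrappedKeyRecord(hsm.currentVersion(), hsm.wrap(hsm.currentVersion(), dek, volumeUuid));
        } finally {
            Arrays.fill(dek, (byte) 0);   // plaintext DEK is discarded once wrapped
        }
    }

    /** Re-wraps under the current KEK version (background rewrap after rotation); volume data is untouched. */
    static WrappedKeyRecord rewrap(KekStore hsm, WrappedKeyRecord old, String volumeUuid) throws GeneralSecurityException {
        byte[] dek = hsm.unwrap(old.kekVersion, old.wrappedDek, volumeUuid);
        try {
            return new WrappedKeyRecord(hsm.currentVersion(), hsm.wrap(hsm.currentVersion(), dek, volumeUuid));
        } finally {
            Arrays.fill(dek, (byte) 0);
        }
    }

    public static void main(String[] args) throws Exception {
        KekStore hsm = new KekStore();
        hsm.rotate();                                   // KEK v1 exists only inside the store
        String volume = "vol-constructed-0001";         // constructed sample volume id
        WrappedKeyRecord rec = createVolumeKey(hsm, volume);
        byte[] dek1 = hsm.unwrap(rec.kekVersion, rec.wrappedDek, volume);

        hsm.rotate();                                   // rotation: new KEK v2 becomes current
        WrappedKeyRecord rec2 = rewrap(hsm, rec, volume);
        byte[] dek2 = hsm.unwrap(rec2.kekVersion, rec2.wrappedDek, volume);
        System.out.println("same DEK after rotation: " + Arrays.equals(dek1, dek2));
        System.out.println("kek version: " + rec.kekVersion + " -> " + rec2.kekVersion);

        // A wrapped DEK presented for a different volume must be rejected by the tag check
        try {
            hsm.unwrap(rec2.kekVersion, rec2.wrappedDek, "vol-constructed-0002");
            System.out.println("unexpected: cross-volume unwrap succeeded");
        } catch (GeneralSecurityException e) {
            System.out.println("cross-volume unwrap rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

The design point worth checking in the PR itself is the same one the example makes explicit: the row that holds a wrapped DEK must also record which KEK version wrapped it, and the wrap operation should authenticate that binding, otherwise a rotation or a cross-HSM migration can leave volumes whose DEKs can no longer be unwrapped, or whose wrapped blobs can be transplanted between volumes.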

codecov bot commented Feb 26, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 3.51%. Comparing base (b744824) to head (b68661c).

❗ There is a different number of reports uploaded between BASE (b744824) and HEAD (b68661c): HEAD has 1 upload less than BASE.

| Flag | BASE (b744824) | HEAD (b68661c) |
|---|---|---|
| unittests | 1 | 0 |
Additional details and impacted files
@@              Coverage Diff              @@
##               main   #12711       +/-   ##
=============================================
- Coverage     18.02%    3.51%   -14.51%     
=============================================
  Files          5968      465     -5503     
  Lines        537086    40194   -496892     
  Branches      65961     7572    -58389     
=============================================
- Hits          96819     1414    -95405     
+ Misses       429347    38590   -390757     
+ Partials      10920      190    -10730     
| Flag | Coverage Δ |
|---|---|
| uitests | 3.51% <ø> (-0.02%) ⬇️ |
| unittests | ? |


Copilot AI (Contributor) left a comment


Pull request overview

This pull request introduces a comprehensive Key Management Service (KMS) framework for CloudStack that provides envelope encryption for volume encryption. KEKs (Key Encryption Keys) stored in PKCS#11-compliant HSMs or the CloudStack database wrap per-volume DEKs (Data Encryption Keys), ensuring key material is never stored in plaintext.

Changes:

  • Adds KMS framework with HSM integration for envelope encryption
  • Introduces 8 new admin/user APIs for KMS key and HSM profile management
  • Creates 6 new database tables for storing KMS metadata
  • Adds UI support for KMS key selection in volume and VM deployment workflows

Reviewed changes

Copilot reviewed 123 out of 123 changed files in this pull request and generated no comments.

Summary per file:

| File | Description |
|---|---|
| framework/kms/ | Core KMS framework interfaces and exceptions |
| plugins/kms/ | Database and PKCS#11 KMS provider implementations |
| engine/schema/ | Database entities and DAOs for KMS tables |
| api/src/main/java/org/apache/cloudstack/api/command/ | New API commands for KMS operations |
| ui/src/views/ | UI components for KMS key selection |
| server/src/main/java/ | KMS manager implementation and integration |
| Test files | Unit tests for KMS retry logic and key creation |


@vishesh92 vishesh92 changed the title Feature kms Feature: Key Management Service (KMS) Feb 26, 2026
@apache apache deleted a comment from blueorangutan Feb 26, 2026
@blueorangutan: Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 16962

@weizhouapache weizhouapache added this to the 4.23.0 milestone Feb 26, 2026
@vishesh92 vishesh92 force-pushed the feature-kms branch 3 times, most recently from 8ea09bb to df2df4b Compare March 2, 2026 10:36
@vishesh92 vishesh92 requested a review from Copilot March 2, 2026 11:40
Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 124 out of 124 changed files in this pull request and generated 8 comments.


@vishesh92 vishesh92 force-pushed the feature-kms branch 2 times, most recently from 75519c2 to 1fce0b2 Compare March 4, 2026 06:38
@vishesh92 (Member, Author): @blueorangutan package

@blueorangutan: @vishesh92 a [SL] Jenkins job has been kicked to build packages. It will be bundled with no SystemVM templates. I'll keep you posted as I make progress.

@blueorangutan: Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 16998

@vishesh92 (Member, Author): @blueorangutan package

@blueorangutan: @vishesh92 a [SL] Jenkins job has been kicked to build packages. It will be bundled with no SystemVM templates. I'll keep you posted as I make progress.

@blueorangutan: Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 17008

@apache apache deleted a comment from blueorangutan Mar 5, 2026
@apache apache deleted a comment from blueorangutan Mar 5, 2026
@vishesh92 vishesh92 requested a review from sureshanaparti March 5, 2026 12:23
@vishesh92 (Member, Author): @blueorangutan test keepEnv

@blueorangutan: @vishesh92 a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

@blueorangutan: [SF] Trillian test result (tid-15588)
Environment: kvm-ol8 (x2), zone: Advanced Networking with Mgmt server ol8
Total time taken: 56416 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr12711-t15588-kvm-ol8.zip
Smoke tests completed. 146 look OK, 5 have errors, 0 did not run
Only failed and skipped tests results shown below:

| Test | Result | Time (s) | Test File |
|---|---|---|---|
| test_08_arping_in_ssvm | Failure | 5.64 | test_diagnostics.py |
| test_09_delete_kms_key | Error | 11.03 | test_kms_lifecycle.py |
| test_13_delete_hsm_profile | Error | 7.53 | test_kms_lifecycle.py |
| ContextSuite context=TestListIdsParams>:teardown | Error | 1.13 | test_list_ids_parameter.py |
| test_01_snapshot_root_disk | Error | 6.22 | test_snapshots.py |
| test_02_list_snapshots_with_removed_data_store | Error | 52.65 | test_snapshots.py |
| test_02_list_snapshots_with_removed_data_store | Error | 52.65 | test_snapshots.py |
| ContextSuite context=TestSnapshotStandaloneBackup>:teardown | Error | 37.71 | test_snapshots.py |
| test_01_snapshot_usage | Error | 46.42 | test_usage.py |
| test_01_vpn_usage | Error | 1.36 | test_usage.py |

@github-actions: This pull request has merge conflicts. Dear author, please fix the conflicts and sync your branch with the base branch.

entityEventDetails.put(EVENT_HSM_PROFILE_CREATE, HSMProfile.class);
entityEventDetails.put(EVENT_HSM_PROFILE_UPDATE, HSMProfile.class);
entityEventDetails.put(EVENT_HSM_PROFILE_DELETE, HSMProfile.class);

Contributor commented: VOLUME.MIGRATE.TO.KMS event?

import java.util.List;

@APICommand(name = "migrateVolumesToKMS",
description = "Migrates passphrase-based volumes to KMS (admin only)",
Contributor commented:

Suggested change
- description = "Migrates passphrase-based volumes to KMS (admin only)",
+ description = "Migrates encrypted volumes to KMS",

No need for "admin only"; it's authorized and listed as an admin API.


6 participants