Cyphera Open KMIP Server
KMIP 1.4 key management server with full key lifecycle, server-side cryptography, mTLS, audit logging, and a management dashboard. Client libraries for nine languages.
What it does
Cyphera Open KMIP Server is a self-contained KMIP endpoint. It speaks the KMIP 1.4 binary protocol (TTLV) over mTLS, exposes a REST API for programmatic access, and includes an embedded management dashboard.
It handles key creation, activation, revocation, destruction, archival, recovery, rekeying, and derivation. It performs server-side encryption, decryption, signing, signature verification, and MAC operations. All operations are logged to an audit trail.
Server
- 27 KMIP 1.4 operations over TTLV binary protocol
- mTLS authentication with TLS 1.2+ enforcement
- REST API with Bearer token or session authentication
- AES-GCM, ChaCha20-Poly1305, RSA, ECDSA, HMAC-SHA256
- KMIP state machine enforced on all operations
- SQLite storage with WAL mode and secure_delete
- In-memory storage for development and testing
- Async audit logging with structured events
- Embedded management dashboard
- Prometheus metrics endpoint
- Single binary, Docker ready (Chainguard base)
Quick start
# Dev mode (localhost, no auth, for local testing)
docker run -d -p 127.0.0.1:5696:5696 -p 127.0.0.1:8080:8080 \
  ghcr.io/cyphera-labs/open-kmip-server \
  --dev --addr :5696 --http-addr :8080

# Production (mTLS + API key)
docker run -d -p 5696:5696 -p 8080:8080 \
  -v kmip-data:/data -v ./certs:/certs:ro \
  ghcr.io/cyphera-labs/open-kmip-server \
  --cert /certs/server.pem --key /certs/server-key.pem \
  --ca /certs/ca.pem --api-key "$KMIP_API_KEY" \
  --db /data/kmip.db
KMIP operations
All 27 KMIP 1.4 operations are implemented:
Create, CreateKeyPair, Register, ReKey, DeriveKey, Locate, Check, Get, GetAttributes, GetAttributeList, AddAttribute, ModifyAttribute, DeleteAttribute, ObtainLease, Activate, Revoke, Destroy, Archive, Recover, Query, Poll, DiscoverVersions, Encrypt, Decrypt, Sign, SignatureVerify, MAC
Client libraries
Nine client libraries with identical operation coverage. Each implements all 27 KMIP operations with TLS verification, response size limits, TTLV bounds checking, and reconnection on I/O error.
- Go — kmip-go
- Java — kmip-java
- Python — kmip-python
- Node.js — kmip-node
- Rust — kmip-rust
- .NET — kmip-dotnet
- PHP — kmip-php
- Ruby — kmip-ruby
- Swift — kmip-swift
What is KMIP?
Key Management Interoperability Protocol (KMIP) is an OASIS standard for managing cryptographic keys across systems. It defines how clients request key operations (create, get, encrypt, decrypt, sign, etc.) from a key management server over a binary protocol called TTLV.
KMIP is used in enterprise environments to centralize key lifecycle management. Hardware security modules (HSMs), cloud KMS platforms, and enterprise key managers all speak KMIP or provide KMIP-compatible interfaces.
Cyphera Open KMIP Server implements KMIP 1.4, which covers symmetric and asymmetric key operations, server-side cryptography, key derivation, batch processing, and attribute management.
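The TTLV wire format described above, and the bounds checking the client libraries section mentions, as an added illustration in Go that is not code from Cyphera or the kmip-go client. Tag and enumeration values are taken from the KMIP 1.4 specification; the Query request it builds is constructed for this example, and the decoder rejects a forged length field before taking any slice.

```go
package main
import "encoding/binary"
import "fmt"
// One TTLV item (KMIP 1.4 section 9.1): 3-byte tag, 1-byte type, 4-byte big-endian length, value padded to 8 bytes.
type TTLV struct {
	Tag      uint32
	Type     byte   // 0x01 Structure, 0x02 Integer, 0x05 Enumeration, 0x07 TextString, ...
	Value    []byte // raw value bytes, without padding
	Children []TTLV // decoded items when Type is Structure
}
// Decode parses buf. Each declared length is checked against the bytes actually present before any slice is
// taken, so a forged length cannot cause an out-of-range read; recursion depth is bounded by len(buf)/8.
func Decode(buf []byte) (items []TTLV, err error) {
	for len(buf) > 0 {
		if len(buf) < 8 {
			return nil, fmt.Errorf("ttlv: truncated header, %d bytes left", len(buf))
		}
		tag := uint32(buf[0])<<16 | uint32(buf[1])<<8 | uint32(buf[2])
		length := binary.BigEndian.Uint32(buf[4:8])
		padded := (uint64(length) + 7) &^ 7 // 64-bit so a length near 2^32 cannot wrap to a small value
		if padded > uint64(len(buf)-8) {
			return nil, fmt.Errorf("ttlv: tag 0x%06X declares %d bytes but only %d remain", tag, length, len(buf)-8)
		}
		item := TTLV{Tag: tag, Type: buf[3], Value: buf[8 : 8+length]}
		if item.Type == 0x01 {
			if item.Children, err = Decode(item.Value); err != nil {
				return nil, err
			}
		}
		items = append(items, item)
		buf = buf[8+padded:]
	}
	return items, nil
}
// Encode builds one item; Integer and Enumeration values are 4 bytes, padded to 8.
func Encode(tag uint32, typ byte, value []byte) []byte {
	out := make([]byte, 8+((len(value)+7)&^7))
	out[0], out[1], out[2], out[3] = byte(tag>>16), byte(tag>>8), byte(tag), typ
	binary.BigEndian.PutUint32(out[4:], uint32(len(value)))
	copy(out[8:], value)
	return out
}
func u32(v uint32) []byte { return []byte{byte(v >> 24), byte(v >> 16), byte(v >> 8), byte(v)} }
// QueryRequest builds a constructed Query request: RequestMessage{RequestHeader{ProtocolVersion{1,4},
// BatchCount=1}, BatchItem{Operation=Query}}. Tag and enumeration values are taken from the KMIP 1.4 spec.
func QueryRequest() []byte {
	ver := Encode(0x420069, 0x01, append(Encode(0x42006A, 0x02, u32(1)), Encode(0x42006B, 0x02, u32(4))...))
	hdr := Encode(0x420077, 0x01, append(ver, Encode(0x42000D, 0x02, u32(1))...))
	return Encode(0x420078, 0x01, append(hdr, Encode(0x42000F, 0x01, Encode(0x42005C, 0x05, u32(0x18)))...))
}
```

The same length check applied at the outer message, together with a cap on how many bytes are read from the socket, is what makes a response size limit effective.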
REST API
Every KMIP operation is also available through a JSON REST API for programmatic access without a KMIP client.
# Create an AES-256 key
curl -X POST http://localhost:8080/v1/keys \
-H "Authorization: Bearer $API_KEY" \
-d '{"algorithm":"AES","length":256,"name":"my-key"}'
# Encrypt data server-side ({id} is the key's identifier; plaintext is base64-encoded)
curl -X POST http://localhost:8080/v1/keys/{id}/encrypt \
-H "Authorization: Bearer $API_KEY" \
-d '{"plaintext":"SGVsbG8gV29ybGQ="}'
Status
Cyphera Open KMIP Server is alpha software (v0.1.0-alpha.1). It is suitable for development, integration testing, and evaluation. It has not been externally audited. See the security policy for known limitations.
Standards & references
Cyphera Open KMIP Server implements the OASIS KMIP standard. Primary references:
- OASIS KMIP 1.4 — Key Management Interoperability Protocol specification
- NIST SP 800-57 Part 1 Rev. 5 — Recommendation for Key Management
- KMIP — concept overview (Wikipedia)