Managed KMS

Sovereign cryptographic key management, with HSM hardware root of trust, to protect your most sensitive data on SecNumCloud infrastructure.

The fundamentals of the Managed KMS offering

Managed KMS (Key Management Service) is a fully managed cryptographic key lifecycle management platform deployed on Cloud Temple's sovereign SecNumCloud infrastructure. Built on Cosmian KMS, the French open-source reference solution, and anchored in a Thales Luna HSM hardware root of trust (FIPS 140-3 Level 3), the service offers the highest level of protection for your cryptographic keys.

Managed KMS addresses the fundamental challenge of data sovereignty: encryption is necessary, but the security of encryption depends entirely on how the keys are protected. The service ensures that your master keys never leave the HSM in the clear, that their lifecycle is audited, and that access is governed by granular policies, all on a 100% French, SecNumCloud-qualified infrastructure.

Compatible with industry standards (KMIP 2.1, PKCS#11, REST API), it integrates natively with the whole Cloud Temple ecosystem and with third-party applications, with no proprietary lock-in.

Our compliance procedures

Our Managed KMS offering is HDS and ISO 27001 certified.

The benefits of Cloud Temple's Managed KMS offering

Total sovereignty

Dual technological and geographical control
Guarantee that your keys and data remain under French control, with Cosmian KMS and Cloud Temple (SecNumCloud), without dependence on foreign suppliers.

Enhanced physical security

Inviolable root of trust
Protect master keys in a FIPS 140-3 Level 3 certified HSM, ensuring that cryptographic material never leaves the HSM in the clear, even for administrators.

Interoperability and flexibility

Open standards and various key models
Support KMIP 2.1 for easy integration with your applications and enable BYOK, HYOK or internal generation, depending on your control and governance needs.

Simplified operation

Zero Ops with Cloud Temple integration
Benefit from fully managed deployment, HA, updates and monitoring, with native integration to Object Storage, Managed Kubernetes, Managed SIEM and Isolated Private Network.

Key features of our Managed KMS

Key lifecycle management
Secure key creation, activation, deactivation, revocation and destruction according to the KMIP 2.1 standard. Lifecycle: Pre-Active → Active → Deactivated → Destroyed, with Compromised as a side state that a key can enter from any of the first three.

HSM root of trust (Thales Luna)
Master KEKs (Key Encryption Keys) are generated and stored in the Thales Luna HSM (FIPS 140-3 Level 3). Application keys are “wrapped” by the HSM KEK.

Supported key types
AES-128/192/256, RSA-2048/3072/4096, EC (P-256, P-384, P-521), Ed25519, Ed448, X25519, ChaCha20.

Cryptographic operations
Encryption/decryption (AES-GCM, AES-CBC, RSA-OAEP, ECIES), signature/verification (ECDSA, EdDSA, RSA-PSS), key wrapping/unwrapping (AES Key Wrap, RFC 3394).

API REST & KMIP 2.1
Native JSON REST interface + support for the KMIP 2.1 protocol (OASIS standard) for interoperability with KMIP-compatible applications.

PKCS#11 Interface
PKCS#11 interface for applications using this industry standard (software HSM, OpenSSL integrations, Java JCA/JCE).

BYOK (Bring Your Own Key)
Import of external key material into the KMS, wrapped by the HSM KEK. Full control over key origin.

HYOK (Hold Your Own Key)
The keys remain under the exclusive control of the customer (in their own HSM or perimeter); the KMS only acts as a proxy for cryptographic operations.

Automatic key rotation
Per-key rotation policies (lifetime, fixed-date rotation). Transparent rekeying without application interruption.

Access control (ABAC)
Attribute-Based Access Control: granular policies by client, application, operation and perimeter.

Strong authentication
OIDC/JWT (integration with existing identity providers) and client TLS certificate authentication (mTLS).

Immutable audit trail
Logging of all cryptographic operations (who, what, when, on which key) with signed timestamps. Export to centralised log sinks.
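The "HSM root of trust" and "Cryptographic operations" items above describe application keys wrapped by the HSM KEK using RFC 3394 AES Key Wrap. The following Go program is an added example, not Cosmian's or Cloud Temple's code: it implements the RFC 3394 wrap and unwrap from the specification and checks them against the RFC's own section 4.1 test vector. It also shows what the unwrap integrity check buys you: a wrong KEK or a modified blob fails closed (the 64-bit IV does not come back), so an application never ends up holding a garbage DEK. Function names are the example's own, and the KEK here is a plain byte slice where the real service keeps it inside the Luna HSM.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// kwIV is the default initial value of RFC 3394 section 2.2.3.1; it doubles as
// the integrity check that must be recovered on unwrap.
const kwIV uint64 = 0xA6A6A6A6A6A6A6A6

var ErrIntegrity = errors.New("keywrap: integrity check failed (wrong KEK or tampered blob)")

// AESKeyWrap wraps key under kek per RFC 3394: six passes of AES over 64-bit
// half-blocks, with the round counter t mixed into the register A each step.
func AESKeyWrap(kek, key []byte) ([]byte, error) {
	if len(key) < 16 || len(key)%8 != 0 {
		return nil, errors.New("keywrap: key must be a multiple of 8 bytes, at least 16")
	}
	blk, err := aes.NewCipher(kek) // accepts 16-, 24- or 32-byte KEKs
	if err != nil {
		return nil, err
	}
	n := len(key) / 8
	a, r := kwIV, make([]uint64, n)
	for i := range r {
		r[i] = binary.BigEndian.Uint64(key[8*i:])
	}
	var b [16]byte
	for j := 0; j < 6; j++ {
		for i := 0; i < n; i++ {
			binary.BigEndian.PutUint64(b[:8], a)
			binary.BigEndian.PutUint64(b[8:], r[i])
			blk.Encrypt(b[:], b[:])                               // B = AES(K, A | R[i])
			a = binary.BigEndian.Uint64(b[:8]) ^ uint64(n*j+i+1) // A = MSB(B) ^ t, t = n*j + i (1-based i)
			r[i] = binary.BigEndian.Uint64(b[8:])                // R[i] = LSB(B)
		}
	}
	out := make([]byte, 8*(n+1))
	binary.BigEndian.PutUint64(out, a)
	for i, v := range r {
		binary.BigEndian.PutUint64(out[8*(i+1):], v)
	}
	return out, nil
}

// AESKeyUnwrap inverts AESKeyWrap and rejects any blob whose recovered
// register A is not the IV, which is how a wrong KEK or tampering is detected.
func AESKeyUnwrap(kek, wrapped []byte) ([]byte, error) {
	if len(wrapped) < 24 || len(wrapped)%8 != 0 {
		return nil, errors.New("keywrap: wrapped blob must be a multiple of 8 bytes, at least 24")
	}
	blk, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(wrapped)/8 - 1
	a, r := binary.BigEndian.Uint64(wrapped), make([]uint64, n)
	for i := range r {
		r[i] = binary.BigEndian.Uint64(wrapped[8*(i+1):])
	}
	var b [16]byte
	for j := 5; j >= 0; j-- {
		for i := n - 1; i >= 0; i-- {
			binary.BigEndian.PutUint64(b[:8], a^uint64(n*j+i+1))
			binary.BigEndian.PutUint64(b[8:], r[i])
			blk.Decrypt(b[:], b[:]) // B = AES^-1(K, (A ^ t) | R[i])
			a = binary.BigEndian.Uint64(b[:8])
			r[i] = binary.BigEndian.Uint64(b[8:])
		}
	}
	if a != kwIV {
		return nil, ErrIntegrity
	}
	key := make([]byte, 8*n)
	for i, v := range r {
		binary.BigEndian.PutUint64(key[8*i:], v)
	}
	return key, nil
}

func main() {
	// RFC 3394 section 4.1 test vector: a 128-bit KEK wrapping 128 bits of key data.
	kek, _ := hex.DecodeString("000102030405060708090A0B0C0D0E0F")
	key, _ := hex.DecodeString("00112233445566778899AABBCCDDEEFF")
	wrapped, err := AESKeyWrap(kek, key)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped:   %X\n", wrapped) // 1FA68B0A8112B447AEF34BD8FB5A7B829D3E862371D2CFE5
	unwrapped, err := AESKeyUnwrap(kek, wrapped)
	fmt.Printf("unwrapped: %X err=%v\n", unwrapped, err)
}
```

The integrity check is only the 64-bit IV, so unwrap should be treated as an authenticated operation that fails closed, not as a hint. Key material whose length is not a multiple of 8 bytes needs RFC 5649 (key wrap with padding), which this example does not implement.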

Technical specifications

Managed KMS
Hardware root of trust: Thales Luna HSM, FIPS 140-3 Level 3
Dual sovereignty: French KMS (Cosmian) + French infrastructure (Cloud Temple)
Open standard: KMIP 2.1 (OASIS), guaranteed interoperability
High availability: active/active multi-AZ cluster
Traceability: exhaustive audit trail of all key operations
Key modes: BYOK, HYOK, internal generation

Do you have a sovereign encryption or cryptographic compliance project? Let's talk.

Do you want to centralise the governance of your keys (BYOK/HYOK), protect your Kubernetes secrets (etcd) or meet strict regulatory requirements (LPM, NIS2, DORA, PCI-DSS) with a tamper-proof hardware root of trust? Our security architects can help you size your Cosmian KMS cluster and your Thales Luna HSM infrastructure on our SecNumCloud-qualified cloud.

Tell us what's at stake in your project using this form: we'll get back to you quickly to design the cryptographic foundation that's right for your applications.


Use cases

Sovereign application encryption (envelope encryption)

Context: A SaaS application stores sensitive customer data in Cloud Temple Object Storage and must keep it protected even if the database is compromised.

Solution: Each customer has a unique DEK (Data Encryption Key), itself protected by a KEK in the Managed KMS/HSM: envelope encryption.

Benefit: Without the KMS keys the data remains inaccessible, which gives a high level of security.

GDPR compliance - cryptographic right to be forgotten

Context: The company must be able to permanently delete a user's data without altering the database.

Solution: Destroy the corresponding DEK in the Managed KMS, making all the data encrypted under that key irretrievably inaccessible (crypto-shredding).

Benefit: Simplified GDPR compliance, with an effective and secure right to be forgotten.
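To make the two scenarios above concrete, here is an added Go example (not Cloud Temple's or Cosmian's code) of envelope encryption with a per-tenant DEK wrapped under a KEK, and of the cryptographic right to be forgotten implemented by destroying one tenant's DEK. Assumptions made for the example: the KEK is a byte slice in memory standing in for the HSM-resident key; DEKs are wrapped with AES-256-GCM rather than RFC 3394 to keep the block short; the KMS type, its methods and the tenant names are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

var (
	ErrUnknownKey = errors.New("kms: no DEK for this tenant")
	ErrDestroyed  = errors.New("kms: DEK Destroyed, data is unrecoverable")
)

// KMS models the control plane. kek stands in for the HSM-resident master key
// (assumption: in the real service it never leaves the Luna HSM in the clear);
// deks keeps per tenant only the DEK wrapped under it, nil marking a Destroyed key.
type KMS struct {
	kek  []byte
	deks map[string][]byte
}

func NewKMS(kek []byte) *KMS { return &KMS{kek: kek, deks: map[string][]byte{}} }

// seal and open are AES-256-GCM with a random 96-bit nonce prefixed to the blob;
// GCM stands in for the RFC 3394 wrap the page names (an assumption, for brevity).
func seal(key, plaintext, aad []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, _ := cipher.NewGCM(blk) // cannot fail for an AES block
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

func open(key, blob, aad []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, _ := cipher.NewGCM(blk)
	if len(blob) < g.NonceSize() {
		return nil, errors.New("kms: ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// dek unwraps the tenant's DEK under the KEK. With create set (Encrypt only) a
// fresh 256-bit DEK is generated and wrapped on first use; a Destroyed key is
// never recreated. The AAD "dek:<tenant>" binds each wrapped blob to its tenant.
func (k *KMS) dek(tenant string, create bool) ([]byte, error) {
	w, ok := k.deks[tenant]
	switch {
	case ok && w == nil:
		return nil, ErrDestroyed
	case ok:
		return open(k.kek, w, []byte("dek:"+tenant))
	case !create:
		return nil, ErrUnknownKey
	}
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	w, err := seal(k.kek, dek, []byte("dek:"+tenant))
	if err != nil {
		return nil, err
	}
	k.deks[tenant] = w
	return dek, nil
}

// Encrypt and Decrypt use the tenant name as AAD, so a blob presented under
// another tenant's DEK fails authentication instead of yielding garbage.
func (k *KMS) Encrypt(tenant string, plaintext []byte) ([]byte, error) {
	dek, err := k.dek(tenant, true)
	if err != nil {
		return nil, err
	}
	return seal(dek, plaintext, []byte(tenant))
}

func (k *KMS) Decrypt(tenant string, blob []byte) ([]byte, error) {
	dek, err := k.dek(tenant, false)
	if err != nil {
		return nil, err
	}
	return open(dek, blob, []byte(tenant))
}

// Destroy is the cryptographic right to be forgotten: zeroise the wrapped DEK
// and leave a tombstone, so every blob sealed under it becomes unrecoverable.
func (k *KMS) Destroy(tenant string) {
	for i := range k.deks[tenant] {
		k.deks[tenant][i] = 0
	}
	k.deks[tenant] = nil
}

func main() {
	k := NewKMS(make([]byte, 32)) // constructed all-zero KEK, demo only
	ct, _ := k.Encrypt("tenant-a", []byte("customer record"))
	k.Destroy("tenant-a")
	fmt.Println(k.Decrypt("tenant-a", ct)) // [] kms: DEK Destroyed, data is unrecoverable
}
```

Two design points carry over to a real deployment: the data store only ever holds the wrapped DEK (here 60 bytes: 12-byte nonce, 32-byte key, 16-byte tag), never the KEK or a plaintext DEK; and Destroy must be irreversible by construction, which is exactly why the FAQ below requires double approval before a destruction is executed.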

Protection of Kubernetes Secrets (etcd encryption)

Context: Kubernetes Secrets contain sensitive information (passwords, tokens, certificates) that must never be stored in clear text.

Solution: Managed Kubernetes encrypts Secrets at rest through the Kubernetes KMS provider v2 API, with the Kubernetes DEKs wrapped by a KEK held in the Managed KMS.

Benefit: Robust protection of Secrets, ensuring that nothing sensitive is stored in etcd in the clear.

Frequently asked questions

No, the separation of responsibilities is strict. 

The architecture ensures that Cloud Temple only has access to the control plane (the infrastructure). The cryptographic material of your master keys (KEKs) never leaves the Thales Luna HSM unencrypted, even for our administrators or during backups. Your application keys (DEKs) are wrapped (encrypted) by the HSM. You retain exclusive control over the data plane.

No, the network is totally isolated. 

The endpoints of the REST API, the KMIP 2.1 protocol and the PKCS#11 interface are accessible exclusively from your Cloud Temple private network. No public exposure is possible, which drastically reduces the attack surface.

 The hardware root of trust and the SLA. 

In a production environment (multi-AZ), the service relies on a true hardware root of trust: a dedicated Thales Luna Network HSM certified to FIPS 140-3 Level 3, with a 99.90% SLA. In a Dev/Test environment (mono-AZ), to optimise costs, the cryptographic backend is a software HSM (SoftHSM2) or shared access, with no availability commitment (SLA); keys there are protected in software only, so it is not a place for production key material.

The destruction of a key is definitive and irreversible. 

To prevent catastrophic loss, a destruction operation requires a "double approval" process. This matters because if you destroy a master key (KEK) in the HSM, all the data encrypted with the application keys (DEKs) protected by that KEK becomes permanently inaccessible.

Yes, “Hold Your Own Key” mode is supported. 

Managed KMS allows you to leave your keys under your exclusive control, for example in your own HSM hosted on-premises. In this case, the Cloud Temple KMS acts only as a proxy for cryptographic operations. Please note, however, that this mode requires your HSM to be accessible from the Cloud Temple network (via IPsec VPN or dedicated interconnection).

Continuous reversibility, without proprietary lock-in.

Because the service is based on the KMIP 2.1 (OASIS) open standard, your keys remain your property and can be exported at any time, in self-service, in KMIP/JSON format. You can then re-import them into any other compatible KMS on the market. On termination, we carry out a secure cryptographic destruction (zero-fill of the HSM and the database) within 7 days and issue a certificate of destruction.
