Sold by: COSMIAN
Deployed on AWS
This Customer Managed Key Management System has charges associated with the use of the software from UAT to Production and also standard support from Cosmian.
Overview
This is a repackaged software wherein additional charges apply for extended support.
Cosmian kms is a modern, cloud-ready key management system for your encryption keys and certificates, running inside a Cosmian vm - a verifiable and confidential virtual machine.
This ensures that your KMS remains entirely confidential, at rest and in use, and is verifiable (no hardware of software tampering).
Cosmian kms delivers unparalleled data security for your organization with an on-the-fly encryption/decryption keys solution, empowering sovereignty, security, and efficiency.
-
Protect your data sovereignty with our independent security solution, eliminating reliance on public cloud providers.
-
Strengthen your security posture by taking charge of sensitive data encryption, including workspace, R&D data, HR information, and electronic communications.
-
Streamline your IT system and server management with automated processes, empowering your system administrators to boost productivity and efficiency in infrastructure management.
What is in Cosmian kms? Modern lifecycle management for keys and certificates : Cosmian kms offer cutting-edge features for managing encryption keys and certificates throughout their lifecycle.
- Key storage
- Key generation
- Key rotation
- Key distribution
- Key usage policies
Advanced Public Key Infrastructure integration : Integrating seamlessly with external entities, the Cosmian kms facilitates Public Key Infrastructure management beyond the confines of your organization. Whether it's leveraging third-party actors or overseeing key governance, we ensure a streamlined and secure process.
Embedding standard and modern encryption libraries : Embracing both standard and contemporary cryptographic algorithms, the Cosmian kms boasts an unparalleled breadth of coverage.
- FIPS 140-3 validated encryption libraries
- Covercrypt: Post-quantum resistance & access policy
- Findex: search encryption
Highlights
- Advanced Key Management for crypto-agility / Enhanced Data Protection / Zero Trust KMS Strategy / Scalability and Flexibility
New
Introducing multi-product solutions
You can now purchase comprehensive solutions tailored to use cases and industries.
Features and programs
Financing for AWS Marketplace purchases
AWS Marketplace now accepts line of credit payments through the PNC Vendor Finance program. This program is available to select AWS customers in the US, excluding NV, NC, ND, TN, & VT.
Pricing
Pricing is based on actual usage, with charges varying according to how much you consume. Subscriptions have no end date and may be canceled any time. Alternatively, you can pay upfront for a contract, which typically covers your anticipated usage for the contract duration. Any usage beyond contract will incur additional usage-based costs.
Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator to estimate your infrastructure costs.
Dimension | Cost/hour |
|---|---|
c6a.xlarge Recommended | $3.04 |
r6a.xlarge | $3.04 |
c6a.2xlarge | $6.08 |
r6a.12xlarge | $36.48 |
r6a.metal | $145.92 |
r6a.24xlarge | $72.96 |
c6a.4xlarge | $12.16 |
m6a.metal | $145.92 |
r6a.32xlarge | $97.28 |
m6a.48xlarge | $145.92 |
Vendor refund policy
We apply the standard refund policy from AWS which states that refund can be done directly through AWS within the first 48 hours. After that no refund will be taken into account.
Legal
Vendor terms and conditions
Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA) .
Content disclaimer
Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.
Delivery details
64-bit (x86) Amazon Machine Image (AMI)
Amazon Machine Image (AMI)
An AMI is a virtual image that provides the information required to launch an instance. Amazon EC2 (Elastic Compute Cloud) instances are virtual servers on which you can run your applications and workloads, offering varying combinations of CPU, memory, storage, and networking resources. You can launch as many instances from as many different AMIs as you need.
Version release notes
[5.22.0] - 2026-05-06
- Features (HSM Linux aarch64,Docker CORS defaults)
- Security (Integer overflow checks, OTLP TLS enforcement, Log sanitization, SECURITY.md,Hardening fixes)
- Bug Fixes : KMIP Interoperability (FortiGate / KMIP 1.0-1.4) HSM (Sensitive (non-extractable) keys) Server Concurrency & Performance (Span-across-await crash,AWS XKS bottleneck,Unwrap cache,SQLite concurrency) Auth / Session (OIDC/PKCE SameSite regression,PKCS#12 in FIPS mode)
[5.21.0] - 2026-04-21
- Features : PKCS#11 Enhancements (cosmian_pkcs11_verify diagnostic binary,Oracle TDE wallet migration support, Standalone PKCS#11 ZIP package) Web UI (Formalised connection states,No-auth warning banner,mTLS login page)
- Security (EXT2-1/A04-1,EXT2-2/A03-2,EXT2-3/A03-3,EXT2-4/A04-3,EXT2-5/A04-2,EXT1-1,A01-1/A05-1,A07-1,A07-2,A07-4,A07-5,A08-2,A09-1,A09-2,A09-3,A10-2/A10-3,SSDF PW.5.1)
- Bug Fixes : Server / Auth (Stale session cookie warnings,Header crash on partial server-info response) Web UI (E2E test race condition, OAuth/OIDC)
[5.20.0] - 2026-04-03
- Features : Support Veeam Backup via KMIP 1.x Protocol
- Bug Fixes : TLS session resumption failure with mTLS clients
[5.19.0] - 2026-04-01
- Features : PostgreSQL HA cluster support with multi-host URLs OpenSSH PKCS#11 Support Web UI Enhancements - Sync UI with ckms
- Bug Fixes : JWT authentication Server Security and Configuration (TLS auth, HSM config) CLI Operations (destroy type-safety) HSM Operations (Server-side HSM destroy type guard,HSM destroy type-guard test assertion) Web UI (UI no-auth mode)
[5.18.0] - 2026-03-25
- Features : Post-Quantum Cryptography (ML-KEM + ML-DSA + SLH-DSA) Configurable Hybrid KEM merged into PQC Support of AWS Bring Your Own Key (BYOK) Oracle TDE HSM integration on Windows HSM multi-admin support with wildcard Migration to jsonwebtoken crate for JWT validation HMAC-SHA-1 and HMAC-SHA-224 Support Synology DSM NAS Volume Encryption Integration KMIP 1.0 XML Non-Regression Test Vectors Microsoft SQL Server External Key Management (EKM) ckms bench concurrency sweep with time limits PEM client certificate support in ckms arguments
- Bug Fixes AZURE BYOK : Fix Azure BYOK silent error when exporting a previously wrapped key Fix AWS BYOK silent when exporting a previously wrapped key CLI: bench and markdown subcommands are now visible in ckms --help CI: Fix intermittent ckms config parse error ("missing field http_config") CI (UI FIPS): Fix ERR_OSSL_EVP_UNSUPPORTED crash when running nix.sh --variant fips test ui LD_PRELOAD/OPENSSL_CONF/OPENSSL_MODULES from all pnpm invocations so Node.js uses the default OpenSSL provider while Rust/cargo builds remain FIPS-mode. CKA_ID missing on HSM-created keys HSM key lookup Non-admin users can now create KMS keys wrapped by the server-level key_encryption_key HSM/CLI: ckms sym keys unwrap -i hsm:::: no longer fails with "This key is sensitive and cannot be exported from the HSM" Fix Locate for mixed HSM + software key environments Server: HsmStore.find() now returns HSM keys to all authenticated users for read-only listing (previously required HSM admin), and populates basic attributes (algorithm, length, object type) from HSM metadata Locate page now correctly merges HSM keys (hsm:: prefix) into results Fix "State: Unknown" shown for all objects when clicking "Search Objects" with no filters UI E2E: New locate-hsm.spec.ts Playwright integration tests run against a real SoftHSM2 KMS
Additional details
Usage instructions
WARNING : The region east-us1 must not be used to deploy Cosmian products ! It is only present due to an AWS testing constraint but this region does not allow the deployment of confidential VM for the moment.
Make sure to enable the configuration related to AMD SEV-SNP option located in the advanced details tab within the marketplace deployment page.
As the Cosmian KMS is deployed on top of a Cosmian Verifiable VM, cosmian_vm_agent starts for the first time, it initializes several components:
- It generates a self-signed certificate and sets the CommonName of the certificate to the value of the machine hostname.
- It generates a LUKS container (/var/lib/cosmian_vm/container) and mounts it at /var/lib/cosmian_vm/data. Note that /var/lib/cosmian_vm/tmp is a tmpfs. It is encrypted but it should contain only volatile data since it is erased at each VM reboot. Data in this directory is encrypted due to the fact that the RAM is encrypted.
- It generates the TPM endorsement keys.
It is recommended to configure 1. and 2. on your own for production systems.
The certificate can be changed at will:
- Edit your DNS register to point to that VM.
- Create a trusted certificate using the method of your choice (e.g., Let's Encrypt) or use cosmian_certtool.
- Edit the cosmian_vm_agent configuration file to point to the location of the TLS certificate and private key.
The LUKS container can be regenerated using cosmian_fstool with your own size and password (to store by yourself in a secure location). It is recommended to use an additional backup disk to store the container. You can skip all these first startup steps by setting COSMIAN_VM_PREINIT=0 when starting cosmian_vm_agent.
Once the image is instantiated (on GCP, Azure, or AWS), the <code>cosmian_vm_agent</code> automatically starts as a systemd service when the VM boots.
You can now install any packages or applications you want on the VM.
Your VM is now set and ready.
Finally, please follow the deployment process to configure your KMS properly: https://docs.cosmian.com/deployment/cosmian_vm_kms/
Resources
Vendor resources
Support
Vendor support
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.
Similar products
This Cosmian Verifiable VM has charges associated with the use of the software from UAT to Production and also standard support from Cosmian.
Customer reviews
No customer reviews yet
Be the first to review this product . We've partnered with PeerSpot to gather customer feedback. You can share your experience by writing or recording a review, or scheduling a call with a PeerSpot analyst.