Sold by: COSMIANÂ
Deployed on AWS
This Customer Managed Key Management System has charges associated with the use of the software from UAT to Production and also standard support from Cosmian.
Overview
This is a repackaged software wherein additional charges apply for extended support.
Cosmian kms is a modern, cloud-ready key management system for your encryption keys and certificates, running inside a Cosmian vm - a verifiable and confidential virtual machine.
This ensures that your KMS remains entirely confidential, at rest and in use, and is verifiable (no hardware of software tampering).
Cosmian kms delivers unparalleled data security for your organization with an on-the-fly encryption/decryption keys solution, empowering sovereignty, security, and efficiency.
-
Protect your data sovereignty with our independent security solution, eliminating reliance on public cloud providers.
-
Strengthen your security posture by taking charge of sensitive data encryption, including workspace, R&D data, HR information, and electronic communications.
-
Streamline your IT system and server management with automated processes, empowering your system administrators to boost productivity and efficiency in infrastructure management.
What is in Cosmian kms? Modern lifecycle management for keys and certificates : Cosmian kms offer cutting-edge features for managing encryption keys and certificates throughout their lifecycle.
- Key storage
- Key generation
- Key rotation
- Key distribution
- Key usage policies
Advanced Public Key Infrastructure integration : Integrating seamlessly with external entities, the Cosmian kms facilitates Public Key Infrastructure management beyond the confines of your organization. Whether it's leveraging third-party actors or overseeing key governance, we ensure a streamlined and secure process.
Embedding standard and modern encryption libraries : Embracing both standard and contemporary cryptographic algorithms, the Cosmian kms boasts an unparalleled breadth of coverage.
- FIPS 140-3 validated encryption libraries
- Covercrypt: Post-quantum resistance & access policy
- Findex: search encryption
Highlights
- Advanced Key Management for crypto-agility / Enhanced Data Protection / Zero Trust KMS Strategy / Scalability and Flexibility
Unlock automation with AI agent solutions
Fast-track AI initiatives with agents, tools, and solutions from AWS Partners.
Features and programs
Financing for AWS Marketplace purchases
AWS Marketplace now accepts line of credit payments through the PNC Vendor Finance program. This program is available to select AWS customers in the US, excluding NV, NC, ND, TN, & VT.
Pricing
Pricing is based on actual usage, with charges varying according to how much you consume. Subscriptions have no end date and may be canceled any time. Alternatively, you can pay upfront for a contract, which typically covers your anticipated usage for the contract duration. Any usage beyond contract will incur additional usage-based costs.
Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator to estimate your infrastructure costs.
Dimension | Cost/hour |
|---|---|
c6a.xlarge Recommended | $1.52 |
c6a.16xlarge | $24.32 |
r6a.8xlarge | $12.16 |
r6a.2xlarge | $3.04 |
c6a.12xlarge | $18.24 |
c6a.24xlarge | $36.48 |
m6a.8xlarge | $12.16 |
r6a.4xlarge | $6.08 |
c6a.metal | $72.96 |
c6a.48xlarge | $72.96 |
Vendor refund policy
We apply the standard refund policy from AWS which states that refund can be done directly through AWS within the first 48 hours. After that no refund will be taken into account.
Legal
Vendor terms and conditions
Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA)Â .
Content disclaimer
Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.
Delivery details
64-bit (x86) Amazon Machine Image (AMI)
Amazon Machine Image (AMI)
An AMI is a virtual image that provides the information required to launch an instance. Amazon EC2 (Elastic Compute Cloud) instances are virtual servers on which you can run your applications and workloads, offering varying combinations of CPU, memory, storage, and networking resources. You can launch as many instances from as many different AMIs as you need.
Version release notes
5.11.0 - 2025-10-28Features :
- Add Crypt2pay HSM integration with a dedicated loader crate
- Generic "other" HSM support using Softhsm2 compatibility
- Enable empty (null) password/pin HSM login via special handling in slot management
- Add Windows/macOS installers with cargo packager tool Bug Fixes :
- (google_cse) Load RSA private as PKCS8 or PKCS1 formatWARNINGGmail CSE users: Versions 5.8/5.9 and 5.10 contain a blocking issue with Gmail Client-Side Encryption support (issue loading PKCS#8 RSA private key). Please upgrade to version 5.11.0 or later to ensure proper Gmail CSE functionality. Documentation :
- Add KMIP current support Build :
- (deps) Bump esbuild
5.10.0 - 2025-10-21Features :
- Add HSM key search with basic filters
- Support wrapping SecretData object in export
- Support DeriveKey KMIP operation
- Add option to enable automatic unwrapping for Get and Export requests Bug Fixes :
- Enable workspace clippy lints for all crates
- Release HSM tests
- Keep error info on DBerror
- React CVE deps
- Remove min_specialization feature
- HSM key search fails after encountering incompatible key
- (windows) Socket server listen on localhost instead of 0.0.0.0 Documentation :
- Add SmartCard HSM to README.md
- Added documentation for Smartcard HSM and SoftHSM2
- Add server configs examples Testing :
- Filter tests with credentials and prerequisites
- Enable Google CSE on workspace Miscellaneous Tasks :
- Add CLA Assistant GitHub Action configuration
- Create CLA.md and CONTRIBUTING.md
- About forks, skip Google CSE tests and docker build
- About dependabot branches, skip Google CSE tests and docker build
- Move CLA assistant workflow to correct path
- Skip public doc rebuild on forks and dependabot branches
- Skip CLA assistant on dependabot branches
- Integrate CLA signature in main_base.yml workflow - 2
- Trigger on issue comment
- Use an unprotected branch for CLA signing
- Remove trigger on pull_request_target
- Upgrade toolchain to nightly 2025-09-15 Build :
- (deps) Bump actions/checkout from 4 to 5
- (deps) Bump the npm_and_yarn group across 1 directory with 4 updates
Additional details
Usage instructions
WARNING : The region east-us1 must not be used to deploy Cosmian products ! It is only present due to an AWS testing constraint but this region does not allow the deployment of confidential VM for the moment.
Make sure to enable the configuration related to AMD SEV-SNP option located in the advanced details tab within the marketplace deployment page.
As the Cosmian KMS is deployed on top of a Cosmian Verifiable VM, cosmian_vm_agent starts for the first time, it initializes several components:
- It generates a self-signed certificate and sets the CommonName of the certificate to the value of the machine hostname.
- It generates a LUKS container (/var/lib/cosmian_vm/container) and mounts it at /var/lib/cosmian_vm/data. Note that /var/lib/cosmian_vm/tmp is a tmpfs. It is encrypted but it should contain only volatile data since it is erased at each VM reboot. Data in this directory is encrypted due to the fact that the RAM is encrypted.
- It generates the TPM endorsement keys.
It is recommended to configure 1. and 2. on your own for production systems.
The certificate can be changed at will:
- Edit your DNS register to point to that VM.
- Create a trusted certificate using the method of your choice (e.g., Let's Encrypt) or use cosmian_certtool.
- Edit the cosmian_vm_agent configuration file to point to the location of the TLS certificate and private key.
The LUKS container can be regenerated using cosmian_fstool with your own size and password (to store by yourself in a secure location). It is recommended to use an additional backup disk to store the container. You can skip all these first startup steps by setting COSMIAN_VM_PREINIT=0 when starting cosmian_vm_agent.
Once the image is instantiated (on GCP, Azure, or AWS), the <code>cosmian_vm_agent</code> automatically starts as a systemd service when the VM boots.
You can now install any packages or applications you want on the VM.
Your VM is now set and ready.
Finally, please follow the deployment process to configure your KMS properly: https://docs.cosmian.com/deployment/cosmian_vm_kms/Â
Resources
Vendor resources
Support
Vendor support
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.
Similar products
This Cosmian Verifiable VM has charges associated with the use of the software from UAT to Production and also standard support from Cosmian.
Cosmian KMS - RHEL 9 (AMD SEV-SNP)
By COSMIAN
This Customer Managed Key Management System has charges associated with the use of the software from UAT to Production and also standard support from Cosmian.
This Cosmian Confidential AI has charges associated with the use of the software from UAT to Production and also standard support from Cosmian.
This Cosmian Verifiable VM has charges associated with the use of the software from UAT to Production and also standard support from Cosmian.
Customer reviews
No customer reviews yet
Be the first to review this product . We've partnered with PeerSpot to gather customer feedback. You can share your experience by writing or recording a review, or scheduling a call with a PeerSpot analyst.