Key Management Service

Thalassa Cloud Key Management Service (KMS)

Thalassa Cloud Key Management Service (KMS) is a regional cryptographic key management service for creating and using keys inside your organisation. Use KMS to protect data at rest, authenticate messages, sign documents and DNS records, and integrate with other Thalassa Cloud services such as Secrets Manager and DNS DNSSEC.

KMS is designed for envelope encryption: applications generate a data encryption key (DEK) locally, use KMS to wrap and unwrap the DEK, and keep bulk data off the KMS API. Direct encrypt and decrypt operations are also available for tooling and small payloads.

Availability

Your organisation must have KMS enabled. If KMS is not enabled for your organisation, all KMS API calls return 403 Forbidden.

KMS operates per cloud region. Each region must have KMS available in your deployment. If a region is not configured for KMS, API calls targeting that region return 503 Service Unavailable. Use GET /v1/kms/summary to check feature status and per-region availability before you create keys.

What you can do with KMS

| Capability | Description |
|---|---|
| Encrypt and decrypt | Protect secrets, application payloads, and data encryption keys |
| Sign and verify | DNSSEC, code signing, attestations, and custom signing workflows |
| HMAC | Message authentication for APIs and application data |
| Export public keys | Offline signature verification or client-side encryption workflows |
| Import key material (BYOK) | Bring keys from on-premises HSMs or other clouds |

Core concepts

| Concept | Description |
|---|---|
| KMS key | A first-class resource scoped to an organisation and region, with optional project scope |
| Key version | Each key has versions 1…N; new crypto operations use the latest version by default |
| Regional model | Keys exist in exactly one region; crypto calls must target that region’s API path |
| Organisation vs project keys | Without a project context, keys are organisation-scoped; with a project context, keys belong to that project |

Keys are immutable after creation: name, description, labels, and annotations are set at create time and cannot be changed later.

Documentation

Key lifecycle overview

Create → Active
           ├─ Disable → Disabled → Enable → Active
           ├─ Rotate → Active (new version)
           └─ Delete → Pending deletion (30 days) → [permanent deletion]
                         └─ Cancel deletion → Active

See Key lifecycle for details on each state and operation.

Related documentation