provisioning/config/kms.toml

# KMS Service Configuration
# Simplified to support only Age (development) and Cosmian KMS (production)

[kms]
# Backend selection based on environment
# Options: "age" (development, local) or "cosmian" (production, enterprise)
dev_backend = "age"
prod_backend = "cosmian"

# Current environment (dev or prod)
# Can be overridden with PROVISIONING_ENV environment variable
environment = "${PROVISIONING_ENV:-dev}"

# Service configuration
host = "0.0.0.0"
port = 8082
log_level = "info"

[kms.age]
# Age encryption for development
# Fast, offline, no server required
# Generate keys with: age-keygen -o private_key.txt

# Public key path (for encryption)
public_key_path = "~/.config/provisioning/age/public_key.txt"

# Private key path (for decryption)
private_key_path = "~/.config/provisioning/age/private_key.txt"

# Usage notes:
# - Best for local development and testing
# - No network dependency
# - Keys are stored locally
# - Manual key rotation (generate new keys and update config)

[kms.cosmian]
# Cosmian KMS for production
# Enterprise-grade, confidential computing support, zero-knowledge architecture

# Cosmian KMS server URL
# Can be overridden with COSMIAN_KMS_URL environment variable
server_url = "${COSMIAN_KMS_URL:-https://kms.example.com}"

# API key for authentication
# MUST be set via COSMIAN_API_KEY environment variable (never hardcode)
api_key = "${COSMIAN_API_KEY}"

# Default master key ID for encryption operations
# This key should be created in Cosmian KMS before use
default_key_id = "provisioning-master-key"

# TLS certificate verification
# Set to false only for development/testing with self-signed certs
tls_verify = true

# Confidential computing options (requires SGX/SEV hardware)
use_confidential_computing = false

# Key rotation policy
# Cosmian KMS handles rotation server-side based on these settings
[kms.cosmian.rotation]
# Automatic key rotation interval (in days)
# 0 = disabled (manual rotation only)
key_rotation_days = 90

# Retain old key versions for decryption
retain_old_versions = true

# Maximum number of key versions to retain
max_versions = 5

# Usage notes:
# - Requires Cosmian KMS server (cloud or self-hosted)
# - Best for production environments
# - Supports confidential computing (TEE/SGX/SEV)
# - Server-side key rotation
# - Audit logging and compliance features

# Example backend configurations for different environments
[kms.profiles]

[kms.profiles.development]
backend = "age"
public_key_path = "~/.config/provisioning/age/public_key.txt"
private_key_path = "~/.config/provisioning/age/private_key.txt"

[kms.profiles.staging]
backend = "cosmian"
server_url = "https://kms-staging.example.com"
default_key_id = "provisioning-staging-key"
tls_verify = true

[kms.profiles.production]
backend = "cosmian"
server_url = "https://kms.example.com"
default_key_id = "provisioning-master-key"
tls_verify = true
use_confidential_computing = true

# Quick Start Guide
#
# Development (Age):
# 1. Generate Age keys:
#    age-keygen -o ~/.config/provisioning/age/private_key.txt
#    age-keygen -y ~/.config/provisioning/age/private_key.txt > ~/.config/provisioning/age/public_key.txt
#
# 2. Set environment:
#    export PROVISIONING_ENV=dev
#
# 3. Start KMS service:
#    cargo run --bin kms-service
#
# Production (Cosmian):
# 1. Set up Cosmian KMS server (or use hosted service)
#
# 2. Create master key in Cosmian KMS
#
# 3. Set environment variables:
#    export PROVISIONING_ENV=prod
#    export COSMIAN_KMS_URL=https://your-kms.example.com
#    export COSMIAN_API_KEY=your-api-key-here
#
# 4. Start KMS service:
#    cargo run --bin kms-service