Hanzo KMS
Key Management Service for secrets, API keys, and encryption
Hanzo KMS
Hanzo KMS is an open-source Key Management Service for managing secrets, API keys, certificates, and encryption keys across infrastructure. It provides enterprise-grade secret management with MPC signer integration.
Features
- Secrets Management: Store and manage secrets, API keys, certificates
- Environment Sync: Sync secrets across development, staging, production
- MPC Integration: Threshold signatures via Hanzo MPC Signer
- Dynamic Secrets: Auto-rotating database credentials (PostgreSQL, MySQL, MongoDB, Redis, ClickHouse)
- PAM Discovery: Automated discovery of privileged accounts and resources with Active Directory support
- Certificate Management: PKI certificate lifecycle with metadata, Sectigo/DigiCert CA integration
- Secret Versioning: Full history and rollback
- Audit Logging: Complete access audit trail
- RBAC: Role-based access control with granular project permissions
- Sub-Organizations: Hierarchical organization management with membership delegation
- Kubernetes Operator: Native K8s secret injection
Architecture
┌─────────────────────────────────────────────────────────────────────────┐
│ HANZO KMS │
├─────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌────────────────────────────────────────────────────────────────┐ │
│ │ KMS Control Plane │ │
│ │ ┌──────────┬─────────────┬──────────────┬─────────────────┐ │ │
│ │ │ Policy │ Approvals │ Audit Log │ Key Registry │ │ │
│ │ └────┬─────┴──────┬──────┴───────┬──────┴───────┬─────────┘ │ │
│ └───────┼────────────┼──────────────┼──────────────┼─────────────┘ │
│ │ │ │ │ │
│ ┌───────▼────────────▼──────────────▼──────────────▼─────────────┐ │
│ │ Unified Signing API │ │
│ └───────┬────────────┬──────────────┬──────────────┬─────────────┘ │
│ │ │ │ │ │
│ ┌───────▼───┐ ┌─────▼─────┐ ┌─────▼─────┐ ┌─────▼─────┐ │
│ │ HSM │ │ MPC │ │ Software │ │ AWS/ │ │
│ │ Signer │ │ Signer │ │ Signer │ │ GCP │ │
│ └───────────┘ └───────────┘ └───────────┘ └───────────┘ │
│ │ │
│ ▼ │
│ ┌─────────────────────────────────────────────────────────────────┐ │
│ │ Hanzo MPC Cluster (Private BFT Chain) │ │
│ │ ┌────────┐ ┌────────┐ ┌────────┐ ┌────────┐ ┌────────┐ │ │
│ │ │ Node 0 │ │ Node 1 │ │ Node 2 │ │ Node 3 │ │ Node 4 │ │ │
│ │ │ share₀ │ │ share₁ │ │ share₂ │ │ share₃ │ │ share₄ │ │ │
│ │ │Ed25519 │ │Ed25519 │ │Ed25519 │ │Ed25519 │ │Ed25519 │ │ │
│ │ │ML-DSA │ │ML-DSA │ │ML-DSA │ │ML-DSA │ │ML-DSA │ │ │
│ │ └────────┘ └────────┘ └────────┘ └────────┘ └────────┘ │ │
│ │ Dual-cert finality: Ed25519 + ML-DSA-65 (3-of-5) │ │
│ └─────────────────────────────────────────────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────────┘Endpoints
| Environment | URL |
|---|---|
| Production | https://kms.hanzo.ai |
| Staging | https://stg.kms.hanzo.ai |
Quick Start
Development Setup
cd ~/work/hanzo/kms
# Copy environment
cp .env.dev.example .env
# Start with Docker Compose
docker compose -f docker-compose.dev.yml up
# Or run separately
cd backend && npm run dev
cd frontend && npm run devCreate a Secret
const kms = new HanzoKMS({
apiKey: process.env.HANZO_KMS_TOKEN
})
// Create a secret
await kms.secrets.create({
environment: 'production',
path: '/api-keys',
key: 'STRIPE_SECRET',
value: 'sk_live_xxx'
})Retrieve Secrets
// Get single secret
const secret = await kms.secrets.get({
environment: 'production',
path: '/api-keys',
key: 'STRIPE_SECRET'
})
// Get all secrets in path
const secrets = await kms.secrets.list({
environment: 'production',
path: '/api-keys'
})Secret Types
Static Secrets
Standard key-value secrets:
await kms.secrets.create({
key: 'DATABASE_URL',
value: 'postgres://user:pass@host:5432/db',
type: 'static'
})Dynamic Secrets
Auto-rotating credentials:
// PostgreSQL dynamic secret
await kms.dynamicSecrets.create({
name: 'postgres-readonly',
type: 'postgresql',
config: {
host: 'db.example.com',
port: 5432,
database: 'myapp',
adminUsername: 'admin',
adminPassword: 'xxx'
},
ttl: '1h',
maxTtl: '24h'
})
// Lease a credential
const lease = await kms.dynamicSecrets.lease('postgres-readonly')
console.log(lease.username, lease.password) // Auto-generated, auto-rotatedSigning Keys (MPC)
Create keys backed by MPC threshold signatures:
// Create MPC-backed signing key
const key = await kms.keys.create({
name: 'ethereum-hot-wallet',
keyType: 'secp256k1',
signer: 'mpc',
scheme: '2-of-3',
policy: {
maxDailyTransactions: 100,
maxTransactionValue: '10000000000000000000' // 10 ETH
}
})
console.log('Address:', key.ethAddress)
// Sign transaction
const signature = await kms.keys.sign(key.id, {
chain: 'ethereum',
transaction: {
to: '0x...',
value: '1000000000000000000'
}
})Environment Management
Sync Environments
# CLI: Pull secrets to .env
hanzo-kms pull --env production --output .env
# CLI: Push secrets from .env
hanzo-kms push --env staging --input .envEnvironment Inheritance
production
└── staging (inherits, can override)
└── development (inherits, can override)Kubernetes Integration
Install Operator
helm repo add hanzo https://charts.hanzo.ai
helm install hanzo-kms-operator hanzo/kms-operatorInject Secrets
apiVersion: secrets.hanzo.ai/v1
kind: HanzoSecret
metadata:
name: api-secrets
spec:
environment: production
path: /api-keys
target:
name: api-secrets
type: kubernetes.io/OpaqueAccess Control
Roles
| Role | Permissions |
|---|---|
| Admin | Full access |
| Developer | Read/write specific paths |
| Viewer | Read-only access |
| Machine | Programmatic access only |
Policies
await kms.policies.create({
name: 'frontend-team',
rules: [
{
path: '/frontend/*',
permissions: ['read', 'write']
},
{
path: '/backend/*',
permissions: ['read']
}
]
})Audit Logging
All secret access is logged:
const logs = await kms.audit.list({
startTime: '2024-01-01',
endTime: '2024-01-31',
actions: ['read', 'write', 'delete']
})
for (const log of logs) {
console.log({
timestamp: log.timestamp,
user: log.userId,
action: log.action,
path: log.secretPath,
ip: log.ipAddress
})
}MPC Signer Integration
Hanzo KMS integrates with Hanzo MPC for threshold signatures. MPC nodes run their own private BFT blockchain (ConsensusKV) with dual-certificate finality -- Ed25519 (classical) and ML-DSA-65 (post-quantum, FIPS 204).
// Configure MPC backend
await kms.config.update({
mpc: {
endpoint: 'https://mpc.hanzo.ai',
threshold: '3-of-5',
kvBackend: 'consensus', // Private BFT blockchain (default)
consensusChainId: 'm-chain',
nodeEndpoints: [
'https://mpc-node0.hanzo.ai',
'https://mpc-node1.hanzo.ai',
'https://mpc-node2.hanzo.ai',
'https://mpc-node3.hanzo.ai',
'https://mpc-node4.hanzo.ai'
]
}
})TFHE-KMS Bridge
KMS includes a TFHE bridge for fully homomorphic encryption operations backed by MPC threshold decryption:
// Create TFHE key via MPC DKG
const tfheKey = await kms.keys.create({
name: 'encrypted-policy-key',
keyType: 'tfhe-uint64',
signer: 'mpc-tfhe',
scheme: '3-of-5'
})
// Encrypt data with public key (KMS-side, no MPC needed)
const encrypted = await kms.tfhe.encrypt(tfheKey.id, { value: 1000000 })
// Threshold decrypt (requires t-of-n MPC shares)
const decrypted = await kms.tfhe.decrypt(tfheKey.id, encrypted.ciphertext)Endpoints
| Endpoint | Backend | Description |
|---|---|---|
mpc.hanzo.ai | Consensus | Managed MPC (3-of-5, dual-cert PQ finality) |
mpc.lux.network | Consensus | Decentralized MPC (same cluster, Lux subnet integration) |
See MPC Consensus for details on the private blockchain and MPC Authentication for auth integration.
API Reference
Secrets
POST /api/v1/secrets- Create secretGET /api/v1/secrets- List secretsGET /api/v1/secrets/:id- Get secretPATCH /api/v1/secrets/:id- Update secretDELETE /api/v1/secrets/:id- Delete secret
Keys
POST /api/v1/keys- Create signing keyGET /api/v1/keys/:id- Get key infoPOST /api/v1/keys/:id/sign- Sign with key
Dynamic Secrets
POST /api/v1/dynamic-secrets- Create dynamic secretPOST /api/v1/dynamic-secrets/:id/lease- Get credential leaseDELETE /api/v1/dynamic-secrets/:id/lease/:leaseId- Revoke lease
Next Steps
How all Hanzo services consume secrets from KMS
Machine Identity authentication for services
Kubernetes operator secret sync reference
How IAM uses KMS for secret management
How is this guide?
Last updated on