CyberVault KMS Architecture
This page explains the architecture of the Securosys CyberVault KMS. It gives an overview of the different components and services that operation teams need to deploy.
CyberVault KMS is a microservice-oriented control plane for HSM-backed cryptography. CyberVault KMS sits on top of Securosys Primus HSM and provides a web UI, API gateway, and a set of Go services for identity, key management, certificate management, KMIP administration, AI-assisted operations, discovery, and compliance. While these surrounding services provide additional functionality, the core cryptographic operations remain inside the secure, tamper-protected HSM.
System Overview
CyberVault KMS sits between human operators, business applications, and the HSM-backed cryptographic backend. The following diagram shows the high-level architecture view. It highlights the main building blocks, optional modules, and the relationship between them.
| Actor / System | Purpose |
|---|---|
| KMS Users | Log in to the dashboard, manage users, partitions, keys, certificates, alerts, and runtime settings |
| Business applications | Consume keys and certificates through the API providers (TSB, KMIP, JCE, PKCS#11, MSCNG) |
| CyberVault KMS | Control plane that manages cryptographic assets and related policy |
| Primus HSM / CloudHSM | Secure, tamper-protected store for keys, certificates, and data objects |
CyberVault KMS Components
CyberVault KMS consists of three main parts: the Key Manager, the TSB, and the KMIP Server. These are deployed as individual services.
| Component | Purpose |
|---|---|
| Key Manager | Web-based management console for keys, certificates, policies, and compliance monitoring. Provides a dashboard with real-time HSM metrics, lifecycle actions, approval workflows, and audit visibility. |
| REST API (TSB) | Connects the KMS to the HSM, by translating from REST to JCE. |
| KMIP Server | Optional service that enables business applications to access the HSM keystore through the industry-standard KMIP API. Translates from KMIP to JCE. |
Key Manager Components
The Key Manager in turn is deployed as multiple microservices, each serving a specific function.
Legend:
- Mandatory: Core services that are required in every CyberVault KMS deployment.
- Optional: Additional microservices that can be deployed if their feature is desired. Included in the CyberVault KMS product bundle.
- Paid Add-On: Additional features/services that require a paid license.
| Component | Purpose |
|---|---|
| Dashboard | Web-based administration interface for users, keys, certificates, partitions, alerts, discovery, and compliance features |
| Authentication and Access Control | Handles sign-in and access to the KMS. Supports both local authentication (password and optional TOTP) as well as SSO through OIDC IdPs. Separate roles enable role based access control (RBAC). |
| Key Management Core | Manages key lifecycle operations, certificate management, and other cryptographic administration tasks. |
| MCP / AI Assistant | Optional MCP microservice for interacting with the KMS and the HSM through natural language AI assistance. |
| Discovery | Optional microservice for scanning endpoints to identify certificates, TLS posture, and create a cryptographic inventory. |
| Compliance | Optional microservice for assessing policy, compliance posture, and PQC readiness. |
| OAuth / OIDC IdP | Optional human authentication source such as Microsoft Entra ID, GitHub, or Keycloak |
The exact deployed topology depends on the selected deployment mode and licensed features.
What This Architecture Means
The microservice-based architecture separates key protection, key management, and application integration into separate layers.
-
Keys stay inside the HSM. CyberVault KMS does not turn the web application into a software keystore. Keys are still generated, stored, and used inside the secure boundary of the HSM.
-
Key Manager is the control plane. The Key Manager adds governance, visibility, approvals, and lifecycle control on top of the HSM.
-
Applications integrate without going through the Key Manager. Business applications don't use the Key Manager and its web-based dashboard for runtime cryptographic operations. Instead, they continue to access the HSM keystore through the native API providers (JCE, PKCS#11, MSCNG), the TSB REST API, or through the KMIP Server.
-
Optional modules extend the core KMS. Operators only need to deploy and manage the services they require. MCP, Discovery, Compliance, and KMIP Server provide additional optional functionality.