KMS

Encryption keys, secrets, and cryptographic operations for Hanzo Cloud -- the secrets control plane, Hanzo KMS.

Hanzo KMS is the secrets control plane for the platform. It stores and rotates secrets, manages encryption and signing keys, and is the one boundary every other service crosses to obtain sensitive material. Nothing else holds long-lived secrets in the clear.

What KMS Manages

  • Secrets -- Static key-value secrets (API keys, tokens, connection strings), versioned with full history and rollback.
  • Dynamic secrets -- Short-lived, auto-rotating credentials for PostgreSQL, MySQL, MongoDB, Redis, and ClickHouse.
  • Encryption keys -- Symmetric and asymmetric keys for encrypt/decrypt and wrap/unwrap operations.
  • Signing keys -- Keys backed by Hanzo MPC threshold signatures for custody and validator signing.
  • Certificates -- PKI certificate lifecycle with CA integration.

KMS is zero-knowledge by design: values are encrypted at rest, access is governed by RBAC and policy, and every read and write is written to an immutable audit log.

Secrets and Cryptographic Operations

Secrets and key operations are served under /v1/kms on the gateway, or directly at kms.hanzo.ai. Authenticate with an API key (hk-...), sent as a bearer token in the Authorization header.

# Read a secret from an environment path
curl "https://api.hanzo.ai/v1/kms/secrets?environment=production&path=/api-keys" \
  -H "Authorization: Bearer hk-..."
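
The one-line curl above puts the hk- key on the command line, where it lands in shell history and is visible to every local user through `ps`. The script below is an added example, not Hanzo tooling: it takes the key from the HANZO_API_KEY environment variable (an assumption, not a convention the page defines), passes the Authorization header to curl through a config file read from stdin, and percent-encodes the query values so a secret path containing spaces or '&' cannot alter the request. The base URL and the request shape are the ones shown on the page; the response format is not described here, so the script simply returns the body.

```sh
#!/bin/sh
# Added example, not Hanzo's own tooling. Reads a KMS secret with curl
# while keeping the hk- API key out of the command line, shell history
# and `ps` output. Assumes the key is in the HANZO_API_KEY environment
# variable; KMS_BASE defaults to the gateway path shown on the page.
set -eu

KMS_BASE="${KMS_BASE:-https://api.hanzo.ai/v1/kms}"

# Percent-encode the characters that would change the meaning of a query
# value (a secret path can legitimately contain spaces or '&').
urlencode_query_value() {
  printf '%s' "$1" | sed -e 's/%/%25/g' -e 's/ /%20/g' -e 's/&/%26/g' \
    -e 's/#/%23/g' -e 's/+/%2B/g' -e 's/=/%3D/g' -e 's/?/%3F/g'
}

# Build the GET URL for one secret path in one environment.
kms_secret_url() {
  printf '%s/secrets?environment=%s&path=%s\n' \
    "$KMS_BASE" "$(urlencode_query_value "$1")" "$(urlencode_query_value "$2")"
}

# Reject a missing or malformed key before any request is made; never echo it.
check_key() {
  case "${1:-}" in
    "")    echo "API key is empty: export HANZO_API_KEY" >&2; return 1 ;;
    hk-?*) return 0 ;;
    *)     echo "API key does not look like an hk- key" >&2; return 1 ;;
  esac
}

# Fetch a secret. The Authorization header reaches curl through a config
# read from stdin (-K -), so the bearer token is never a process argument.
kms_get_secret() {
  check_key "${HANZO_API_KEY:-}" || return 1
  printf 'header = "Authorization: Bearer %s"\n' "$HANZO_API_KEY" \
    | curl -sSf -K - "$(kms_secret_url "$1" "$2")"
}

# Usage: kms_get_secret production /api-keys
```

`-K -` is curl's config-file option pointed at stdin; the header line uses the config-file syntax `option = "value"`, which is why the token never appears in the argument vector. `-f` makes a 4xx/5xx answer fail the call instead of printing an error body that a caller might mistake for a secret value.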

Keys never leave the boundary. For signing and threshold operations, KMS delegates to MPC and returns only the signature -- the private key material is split across independent nodes and never reconstructed.

Kubernetes Secret Sync

For workloads on Kubernetes, the KMS operator syncs secrets into the cluster with the KMSSecret custom resource. No secret value is committed to git; only the KMSSecret reference is, and the operator pulls the value from KMS at reconcile time.

apiVersion: secrets.hanzo.ai/v1alpha1
kind: KMSSecret
metadata:
  name: hanzo-api-key
spec:
  secretStoreRef:
    name: kms-hanzo
  data:
    - secretKey: HANZO_API_KEY
      remoteRef:
        secretPath: /prod/api-keys
        secretKey: primary
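
The rule the manifest above relies on, that a repository holds KMSSecret references and never a plain Kubernetes Secret with inline values, is easy to enforce before merge. The check below is an added example and not part of the Hanzo operator: it is a line-based scan that assumes kubectl-style two-space indentation, flags every `kind: Secret` document carrying `data:` or `stringData:`, and leaves KMSSecret documents alone. The sample manifests embedded in it are constructed for the example.

```sh
#!/bin/sh
# Added example, not part of the Hanzo operator. A pre-commit / CI check that
# enforces the rule above: manifests may carry KMSSecret references, but no
# plain `kind: Secret` with inline data/stringData. Line-based; assumes
# kubectl-style 2-space indentation. Sample manifests below are constructed.
set -eu

# Print the metadata.name of every Secret document that embeds data or
# stringData. Reads files given as arguments, or stdin when none are given.
find_inline_secrets() {
  awk '
    function emit_doc() {
      if (kind == "Secret" && inline) print name
      kind = ""; name = ""; inline = 0
    }
    /^---/                { emit_doc(); next }
    /^kind: /             { kind = $2 }
    /^  name: /           { if (name == "") name = $2 }
    /^(data|stringData):/ { inline = 1 }
    END                   { emit_doc() }
  ' "$@"
}

# Gate: non-zero exit when anything is flagged, so it can fail a pipeline.
check_manifests() {
  _flagged=$(find_inline_secrets "$@")
  if [ -n "$_flagged" ]; then
    printf 'plaintext Secret data in manifests, move to KMSSecret: %s\n' "$_flagged" >&2
    return 1
  fi
  return 0
}

# Constructed sample: a KMSSecret reference (fine), a Secret with an inline
# connection string (must fail), and a token Secret with no inline data.
sample_manifests() {
  cat <<'EOF'
apiVersion: secrets.hanzo.ai/v1alpha1
kind: KMSSecret
metadata:
  name: hanzo-api-key
spec:
  secretStoreRef:
    name: kms-hanzo
  data:
    - secretKey: HANZO_API_KEY
      remoteRef:
        secretPath: /prod/api-keys
        secretKey: primary
---
apiVersion: v1
kind: Secret
metadata:
  name: db-creds
type: Opaque
stringData:
  DATABASE_URL: postgres://app:not-a-real-password@db:5432/app
---
apiVersion: v1
kind: Secret
metadata:
  name: sa-token
type: kubernetes.io/service-account-token
EOF
}

# Usage: check_manifests k8s/*.yaml    or    sample_manifests | check_manifests
```

The `data:` block inside a KMSSecret is indented under `spec:` and so never matches the column-zero pattern; only a top-level `data:`/`stringData:` on a `kind: Secret` document is treated as plaintext in git. A Secret with no inline payload (for example a service-account token the cluster fills in) passes.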

Related

  • API Keys -- store and rotate hk- keys in KMS for production
  • MPC -- threshold signing backend for KMS-managed keys
  • IAM -- identity that authorizes KMS access
  • Zero Trust -- private access to services that consume secrets
  • Hanzo KMS -- full service reference and self-hosting guide
