Commercial Licensing

KeyRack’s core is open source under AGPL-3.0-or-later. Commercial licensing is available for organizations that need enterprise features or wish to embed KeyRack without AGPL reciprocity obligations.

Commercial extensions (keyrack-commercial)

| Feature | Description |
|---|---|
| AWS KMS shim | Drop-in replacement for AWS KMS — point SDK clients at KeyRack |
| Barbican shim | Drop-in replacement for OpenStack Barbican |
| HA clustering | Multi-node high availability |
| Key pooling | Shared key pool management |
| Vendor HSM adapters | Extended HSM integrations |
| Management UI | Web-based administration |
| KMIP server | Tenant-facing KMIP endpoint — roadmap |
| Escrow orchestration | Key escrow workflows — roadmap |

The commercial AWS KMS shim accepts standard AWS SDK requests and translates them to KeyRack gRPC calls, so existing SDK clients (boto3, aws-sdk-go-v2, aws-sdk-java, etc.) talk to KeyRack-managed keys by changing a single endpoint URL:

# Before: point at AWS
AWS_ENDPOINT_URL: https://kms.us-east-1.amazonaws.com
# After: point at KeyRack's AWS KMS shim
AWS_ENDPOINT_URL: http://keyrack-aws-shim:8080

No application code changes. SigV4 is handled by the shim; crypto, policy, and audit run on KeyRack.

Already on AWS and only need visibility (not a full migration)? The FOSS keyrack-aws-proxy (AGPL, in the core repo) sits in front of real AWS KMS and tracks key metadata with zero code changes. See Brownfield migration.

Tested against real AWS SDK clients (aws-sdk-kms, boto3) in gated CI. The matrix below lists the intended operation set; parity notes are added as conformance results are published.

| Operation | Target support |
|---|---|
| CreateKey, DescribeKey, ListKeys | Supported |
| Encrypt, Decrypt, ReEncrypt | Supported |
| GenerateDataKey, GenerateDataKeyWithoutPlaintext, GenerateRandom | Supported |
| Sign, Verify | Supported |
| EnableKey / DisableKey | Supported |
| EnableKeyRotation / DisableKeyRotation / GetKeyRotationStatus | Supported |
| ScheduleKeyDeletion / CancelKeyDeletion | Supported |
| CreateAlias / DeleteAlias / ListAliases | Supported |
| TagResource / UntagResource / ListResourceTags | Supported |

Not in scope today: GCP Cloud KMS shim and Azure Key Vault shim (roadmap, not implemented).

The commercial Barbican shim exposes the OpenStack Barbican REST API and translates to KeyRack gRPC, so Cinder and Nova talk to KeyRack as if it were Barbican:

# cinder.conf
[key_manager]
backend = barbican
barbican_endpoint = http://keyrack-barbican-shim:9311

Authentication is via Keystone (delegated or live validation). The Barbican conformance matrix is deferred until the AWS conformance lane is solid.

A commercial license is the right fit when:

  • You need AWS KMS or Barbican compatibility for brownfield migration without rewriting application code
  • You require multi-node HA or key pooling for production scale
  • You want to embed KeyRack in a proprietary product without AGPL source-sharing obligations
  • You need the management UI or vendor-specific HSM adapters

The AGPL core includes everything needed to run a sovereign KMS:

  • Key lifecycle, gRPC + REST APIs
  • Software, PKCS#11, Vault Transit, and KMIP client providers
  • Cedar authorization and NATS audit
  • SQLite and PostgreSQL storage
  • All FOSS demos (01, 02, 04, 06, 07)

Commercial shims and enterprise features are additive — they do not gate core KMS functionality.

For commercial licensing, HA deployment support, or enterprise evaluation:

Contact the KeyRack team for pricing and evaluation access to keyrack-commercial and commercial demos (03-aws-kms-shim, 05-hyok-aws-shim).

See also: Brownfield migration · Community / License