Skip to content
KeyRack

Brownfield Migration

You don’t have to rewrite anything to start with KeyRack. There are two independent migration axes: caller migration (how your apps reach a KMS) and backend migration (where a key’s material physically lives). KeyRack treats logical key identity (LID) as independent of the physical backend, so you can move along either axis incrementally.

Step 1 — Gain visibility, still on AWS (FOSS)

Section titled “Step 1 — Gain visibility, still on AWS (FOSS)”

The open-source keyrack-aws-proxy (AGPL, in the core repo) sits in front of real AWS KMS. Your existing AWS SDK clients keep working unchanged; the proxy forwards crypto to AWS while recording key metadata, building a dependency graph, and emitting a verifiable audit trail.

# Point any AWS SDK at the FOSS proxy — no code changes
AWS_ENDPOINT_URL: http://keyrack-aws-proxy:8080

What you get immediately, with zero risk:

  • Centralized, verifiable audit log of all KMS operations
  • Key usage and dependency mapping
  • A baseline before you change any crypto behavior

This is a pure pass-through: crypto still runs on AWS, so it’s a safe first step.

Step 2 — Migrate key custody between backends (FOSS)

Section titled “Step 2 — Migrate key custody between backends (FOSS)”

Move where a key’s material lives — e.g. software backend → customer HSM, or BYOK ↔ HYOK — without changing logical key identity. This is shipped in the open-source core:

  • Multiple named providers + tag-driven routing rules (demo 06)
  • Per-version provider binding
  • Cross-provider ReEncrypt (re-wrap without a big-bang data migration)

New keys can be created directly under KeyRack-managed backends while existing keys are gradually re-encrypted.

Step 3 — Full drop-in SDK compatibility (commercial)

Section titled “Step 3 — Full drop-in SDK compatibility (commercial)”

When you’re ready to move callers off AWS KMS entirely and keep all existing application code, the commercial AWS KMS shim routes the same AWS SDK calls to KeyRack-managed keys (and the Barbican shim does the same for OpenStack Cinder/Nova). Change one endpoint URL, no code changes.

See Commercial licensing for the shim env-var setup, supported operations, and the OpenStack/Barbican path.

What’s missing / roadmap

Section titled “What’s missing / roadmap”
ItemStatus
GCP KMS shimRoadmap — not implemented
Azure Key Vault shimRoadmap — not implemented
rotate_key with target providerNot yet shipped

See also: Demos · Commercial extensions