STACKIT Key Management Service - HSM-backed KMS

What is STACKIT Key Management Service?

STACKIT Key Management Service (KMS) is a centralized service for secure creation, storage, and use of cryptographic keys. The service supports HSM-backed keys stored in FIPS 140-2 Level 3 certified Hardware Security Modules that never leave the HSM. As a German cloud provider, STACKIT guarantees that all keys remain exclusively in German data centers.

Core Features

• HSM Protection: FIPS 140-2 Level 3 certified Hardware Security Modules
• Envelope Encryption: Data Encryption Keys (DEK) encrypt data, Key Encryption Keys (KEK) protect DEKs
• Automatic Rotation: Configurable rotation schedules with version management
• Audit Logging: CloudTrail-like logs for all cryptographic operations
• Native Integration: Block Storage, Object Storage, and Compute Engine encryption

Typical Use Cases

Database Encryption: PostgreSQL, MySQL, and SQL Server use Transparent Data Encryption (TDE) with KMS-managed master keys. Automatic rotation meets compliance requirements.

Volume Encryption: Encrypt STACKIT Block Storage volumes with Customer Managed Keys. Revoke access in emergencies by deactivating the key.

Digital Signatures: RSA and ECC keys sign software artifacts and container images. Private keys never leave the HSM.

Benefits

• GDPR-compliant: All keys in German HSMs, no US-CLOUD Act risk
• FIPS 140-2 Level 3: Highest hardware security certification
• Compliance-ready: BSI C5, ISO 27001, PCI-DSS compliant key management
• Audit-capable: Complete logs for all encryption operations

Integration with innFactory

As an official STACKIT partner, innFactory supports you with KMS: envelope encryption architecture, BYOK setup, key rotation policies, and compliance documentation.