Docs · Services

Key Management Service

Customer-managed encryption keys (CMKs) backed by envelope encryption. AES-256-GCM via Go stdlib; we never see plaintext.

Tutorial

Pick an alias — used to encrypt/decrypt from any CloudNx service or your own app.

cloudnx kms key create my-app-key --rotation-days 90

The data key is generated fresh per encrypt, wrapped under the CMK, and bundled into the payload.

echo -n 'my-secret' | cloudnx kms encrypt --key my-app-key > out.bin

Decryption requires kms:Decrypt on the CMK CRN — manage via IAM policies.

cloudnx kms decrypt < out.bin

₹100 per CMK / month · ₹0.30 per 10k API calls.

All operations have a cloudnx kms subcommand. Run cloudnx kms --help for the full surface.