Using external key management service (KMS) for signing / encrypting operations

[tsawada]

Hi,
We're interested in using Kratos, but would like to avoid having any secret because it is very hard to mange them securely.
https://www.ory.sh/docs/kratos/guides/secret-key-rotation

Instead we would like to offload all crypto operations to external services such as AWS KMS, Google Cloud KMS, or Azure Vault. I think Kratos does not support any of these at the moment but how hard is it going to be to modify Kratos to support them?

Thanks!

[vinckr]

Hello @tsawada

afaict you can use AWS KMS or other external secret managers to manage secrets from Ory Kratos, so you don't need to modify it.
See this documentation: https://www.ory.sh/docs/ecosystem/configuring#loading-configuration-from-environment-variables

In any case if you want to offload sensitive operations feel free to check out Ory Network - it is a secure service managed by the people who wrote Ory Kratos.