
Regional, API-driven encryption and signing.
Last year we shared that we were building KMS and Secrets Manager for Thalassa Cloud. Today we are happy to be opening our Key Management Service (KMS) in Early Access.
A Key Management Service (KMS) is where you create, store, and control the cryptographic keys used across your environment. Applications and platform services call the KMS API to encrypt data, verify signatures, or generate keyed hashes — instead of embedding key material in configuration files or managing crypto libraries per service.
That matters because encryption and signing touch almost everything: database fields, object storage, TLS certificates, API tokens, DNSSEC zone signing, and secrets at rest. Without a managed KMS, teams either wire up keys themselves — often via self-hosted OpenBao or HashiCorp Vault transit — or depend on a hyperscaler key service outside the platform they run workloads on. For organisations that chose Thalassa for European data sovereignty, neither option fits well.
Thalassa KMS keeps key operations local, API-driven, and governed by the same IAM and audit logging as the rest of the cloud platform. Other Thalassa services consume KMS rather than implementing their own cryptography. Teams also stay in control of their keys: through the KMS API they can rotate, revoke or (when enabled) export keys according to their own compliance and technical requirements.
Thalassa KMS exposes three cryptographic operations through the API. You choose the key type and algorithm at creation; the table below lists what is supported today.

| Capability | Algorithms | Use |
|---|---|---|
| Symmetric encryption | AES-128-GCM, AES-256-GCM, ChaCha20-Poly1305 | Encrypt/decrypt workflows |
| Asymmetric signing | ECDSA (P-256, P-384, P-521), Ed25519, RSA (2048/3072/4096) | Sign/verify |
| HMAC | SHA-256, SHA-512 | Keyed hashing |

Besides encryption and signing APIs, KMS includes controls for how keys are created, rotated, and retired. These lifecycle features are available from the console and API.

| Feature | Description |
|---|---|
| Automatic key rotation | Configurable rotation periods; older ciphertext remains decryptable after rotation |
| Bring Your Own Key (BYOK) | Import externally generated key material wrapped with the regional wrapping key |
| Optional key export | Exportable keys can be configured at creation for regulated or migration scenarios |
| Lifecycle controls | Disable, enable, schedule deletion with a 30-day recovery window, cancel deletion |

KMS is available now in Early Access on Thalassa Cloud. We are actively gathering feedback from early adopters and plan to promote the service to general availability later in 2026.
During Early Access you get full API and console access to create and use keys. As with other Early Access services, we recommend validating against your workloads before relying on KMS for production-critical paths - and we welcome your feedback as we harden the service toward GA.
Pricing will be usage-based. During the Early Access period, usage of the KMS APIs is provided at no cost. Once we enter beta and/or GA, you will be charged based on your stored KMS keys and API usage.
Learn more on the KMS product page or in the KMS documentation.