Thalassa Cloud Thalassa Cloud
Console Sign up for free

Key Management Service Early Access

API-driven encryption and signing. Encrypt data, sign payloads, and generate HMACs with fine-grained IAM, project scoping, and full audit logging.

Open the console Documentation

Available in Early Access — general availability later in 2026

Managed cryptography close to your workloads

Thalassa Cloud KMS gives you a managed way to create, rotate, and use cryptographic keys across your cloud regions. Keys run in regional OpenBao Transit clusters so crypto stays close to your workloads and within your chosen geography — with organisation, region, and project scoping aligned with the rest of the platform.

Create keys in the console

Generate platform keys or import your own (BYOK), choose from symmetric, signing, and HMAC algorithms, and configure automatic rotation — all from the Thalassa Cloud console.

Thalassa Cloud console — Create KMS key form with key type selection and rotation options

Symmetric encryption

Encrypt and decrypt application data with industry-standard algorithms through a simple API and console.

  • AES-128-GCM and AES-256-GCM
  • ChaCha20-Poly1305
  • Application-level encryption for databases, object storage, and custom services
  • Integration with Secrets Manager

Asymmetric signing & HMAC

Sign payloads, verify signatures, and generate keyed hashes for certificates, tokens, and DNSSEC.

  • ECDSA (P-256, P-384, P-521), Ed25519, RSA (2048/3072/4096)
  • HMAC with SHA-256 and SHA-512
  • DNSSEC zone signing via Thalassa DNS
  • Certificate and token signing pipelines

Key lifecycle

Rotate keys on a schedule, import external key material, and control deletion with a recovery window.

  • Configurable automatic rotation — older ciphertext remains decryptable
  • Bring Your Own Key (BYOK) via regional wrapping keys
  • Optional key export for regulated or migration scenarios
  • Disable, enable, schedule deletion (30-day recovery), cancel deletion

Access control & compliance

Separate roles for admin, operator, and auditor with per-action policies and platform-wide audit logging.

  • Encrypt, decrypt, sign, rotate, and export policies
  • Organisation, region, and project scoping
  • Version-aware billing and transparent key version metadata
  • Hosted in European datacenters with GDPR compliance

Documentation

Explore the KMS documentation for getting started, key types, encryption, rotation, BYOK, access control, and integrations with Secrets Manager and DNS DNSSEC.

Read the getting started guide →

European Public Cloud

DevOps-First Cloud

Deploy and manage your cloud-native applications with our European based public cloud. Access powerful APIs, Kubernetes orchestration, and DevOps tools designed for modern infrastructure.

GDPR Compliant

EU Data Sovereignty

API First

Terraform & REST API

Kubernetes

Self-Service Kubernetes as a Service

High Performance

NVMe Storage, CPU and network

Launch Your Cloud Journey

Code. Ship. Scale. • Pay-as-you-go pricing