The Key Management Service (KMS) lets you control the encryption keys used to protect your workspace’s sensitive data. Instead of relying on platform-managed keys, you can provide your own key material from a supported cloud provider.
- Navigation: Settings > Team > Key Management
- Required role: Owner
- Plan requirement: KMS (Bring Your Own Key) is available on Enterprise plans.
The page is organized into the following tabs:
- Configuration - Configure tenant-level KMS providers, policies, and rotation settings.
- Scopes - Manage scoped KMS overrides for environments and projects.
- Encryption Keys - View and manage DEKs across scopes.
- Health - Monitor provider health and encryption status.
- Audit Log - Review KMS-related audit events and operations.
Configuration
The Configuration tab displays the active KMS setup and allows you to manage provider and encryption policies.
Current Configuration
The current configuration summary includes:
| Field | Description |
|---|---|
| Provider | Active KMS provider |
| Policy | Failure policy and compliance level |
| Retention | DEK retention or destruction policy |
| Rotation Guardrail | DEK and KEK rotation intervals |
Provider Configuration
Select the KMS provider and configure provider-specific settings.
Supported providers:
- Local (Built-in) - Platform-managed local KMS.
- AWS KMS - Symmetric CMK (AES-256).
- Azure Key Vault - RSA or AES keys.
- Google Cloud KMS - Symmetric AES-256 keys.
- External KMS - REST-compatible external KMS providers.
Policies
Configure how the platform behaves during provider failures or compliance enforcement changes.
Failure Policy
- Fail Closed - Encryption and decryption operations fail when the provider is unavailable.
- Fail Open - The platform continues operating without guardrail evaluation.
Compliance Level
Sets the compliance standard applied to KMS operations.
Rotation & Re-encryption
Configure DEK and KEK rotation behavior.
| Setting | Description |
|---|---|
| DEK Epoch Interval | Frequency of DEK generation |
| DEK Max Usage Count | Maximum DEK usage before rotation |
| Destroy retired DEKs | Enables automatic destruction after retention period |
| KEK Rotation Period | Frequency of KEK rotation |
| Enable automatic re-encryption | Automatically queues re-encryption jobs after rotation |
Re-encryption settings include:
- Concurrency - Number of parallel re-encryption jobs.
- Batch Size - Records processed per batch.
- Max Retries - Retry attempts for failed jobs.
Click Save Configuration to apply changes.
Encryption Architecture
The platform uses an envelope encryption model.
- Key Encryption Key (KEK) - Master key stored in your cloud provider’s KMS.
- Data Encryption Keys (DEKs) - Short-lived keys used to encrypt data items and wrapped by the KEK.
DEKs are scoped to specific projects and environments with configurable rotation intervals.
Scopes
The Scopes tab allows you to configure scoped KMS overrides for tenant environments, projects, and project environments.
Inheritance Order
Scoped overrides are resolved along this chain, listed from least to most specific:
Platform default > Tenant default > Tenant environment > Project default > Project environment
The most specific override always takes precedence.
Effective Scope Preview
Use the preview section to inspect the resolved provider for a selected project or environment. It shows the inheritance chain across Platform Default, Tenant Default, Tenant Environment, Project Default, and Project Environment, each marked as Active or overridden.
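The precedence order and the preview chain, as an added example that is not the platform's own code: resolveScope() walks the five levels from least to most specific, takes the last level that carries an override, and marks each level as active, overridden or inherited the way the Effective Scope Preview does. The override table layout and the placeholder key identifiers are constructed for the example.

```javascript
// Scope levels in inheritance order, least to most specific; the last level with an override wins.
const LEVELS = ['platform', 'tenant', 'tenantEnvironment', 'project', 'projectEnvironment'];

// Looks up the override a level holds for the selected project/environment. Constructed table shape:
//   { platform: {provider, keyId}, tenant: {...}, tenantEnvironment: { [env]: {...} },
//     project: { [project]: {...} }, projectEnvironment: { [`${project}/${env}`]: {...} } }
function overrideAt(overrides, level, project, environment) {
  switch (level) {
    case 'platform': case 'tenant': return overrides[level];
    case 'tenantEnvironment': return overrides.tenantEnvironment?.[environment];
    case 'project': return overrides.project?.[project];
    case 'projectEnvironment': return overrides.projectEnvironment?.[`${project}/${environment}`];
  }
}

// Returns the effective provider/keyId plus the preview chain. Each level is 'active' (the winner),
// 'overridden' (set, but a more specific level beat it) or 'inherited' (nothing set at that level).
function resolveScope(overrides, project, environment) {
  let winner = null;
  const chain = LEVELS.map(level => {
    const o = overrideAt(overrides, level, project, environment);
    if (o) winner = { level, ...o };
    return { level, override: o || null };
  });
  if (!winner) throw new Error('no platform default configured');
  const preview = chain.map(c => ({
    level: c.level,
    state: c.level === winner.level ? 'active' : c.override ? 'overridden' : 'inherited',
  }));
  return { ...winner, preview };
}
```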
Configuring a Scoped Override
Configure overrides using the following fields:
| Field | Description |
|---|---|
| Scope Type | Override level |
| Environment | Target environment |
| Provider | KMS provider |
| Key ID | Provider key identifier |
Use:
- Save Override - Apply the override.
- Reset Form - Clear unsaved changes.
- Clear Override - Remove an existing override.
Existing Overrides
The Existing Overrides section lists configured overrides by type:
- Tenant Environment Overrides
- Project Overrides
Current Selection
Displays whether the selected scope uses an explicit override or inherits configuration from a higher level.
Encryption Keys
The Encryption Keys tab displays active and retired DEKs across scopes.
Summary Metrics
| Field | Description |
|---|---|
| Total DEKs | Total number of DEKs |
| Active DEKs | DEKs currently in use |
| Decrypt-Only DEKs | Retired DEKs retained for decryption |
| Destroyed | Permanently destroyed keys |
| Expiring Soon | Active DEKs expiring within 72 hours |
| Last Checked | Timestamp of the latest DEK creation |
Filtering
Filter the DEK inventory using:
| Field | Description |
|---|---|
| Status | Active, Decrypt-Only, or Destroyed |
| Project | Specific project or all projects |
| Environment | Specific environment or all environments |
DEK Inventory
The inventory includes:
| Field | Description |
|---|---|
| Key ID | DEK identifier |
| Status | Current DEK status |
| Scope | Tenant, project, or environment scope |
| Wrapping Provider | KMS provider used for wrapping |
| Usage | Current usage count |
| Lifecycle | Expiry and destruction information |
| Created | Creation timestamp |
Key Rotation
Use Rotate Keys to manually trigger DEK rotation for the current scope. Click Refresh to reload the inventory.
Don’t destroy a key version in your cloud provider until all data has been re-encrypted with the new version. Destroying active key versions may result in permanent data loss.
Health
The Health tab displays operational status and encryption metrics for the configured KMS provider.
Click Refresh Health to reload the status.
Health Summary
| Field | Description |
|---|---|
| Status | Provider health and latency |
| Failure Policy | Configured failure policy |
| Crypto Verified | Encryption and decryption validation status |
Health Metrics
| Field | Description |
|---|---|
| Active DEKs | Number of active DEKs |
| Decrypt-Only DEKs | Number of retained retired DEKs |
| Failure Policy | Active failure policy |
| Provider Health | Provider health status |
The platform periodically validates connectivity to the KMS provider.
When connectivity fails:
- Fail Closed - Encryption and decryption operations stop until recovery.
- Fail Open - The platform continues operating with cached DEKs.
Audit Log
The Audit Log tab displays tenant-scoped KMS activity including configuration changes, rotations, validations, and failures.
Click Refresh to reload the audit log.
Summary Metrics
| Field | Description |
|---|---|
| Audit Events | Total audit events |
| Successful | Successful operations |
| Failed | Failed operations and actors |
| Unique Keys | Distinct keys referenced |
| Average Latency | Average KMS operation latency |
| Last Event | Most recent audit event timestamp |
Filtering
Filter audit events using:
| Field | Description |
|---|---|
| Operation | Specific operation type |
| Result | Successful or failed events |
| From / To | Date range |
The audit log displays all tenant audit events by default. Apply filters to narrow results for investigations or compliance reviews.
Audit log retention follows the workspace data retention policy. Professional and Enterprise plans retain logs for at least 90 days.