[Diagram: off-host key custody]

Off-host key custody

Your data on their host, your keys on your device. Compromise the host and you still get nothing but ciphertext.

The idea

Run KerPlace on hosting you do not fully trust — a rented server, a cloud instance, a colocation box — while the key that unlocks the data lives on a device you control, reached by the host over an encrypted tunnel. The host stores only ciphertext and a wrapped data key; the only place that wrapped key can be turned back into a usable key is your device.

What it stops

  • A stolen disk or a leaked backup of the host — useless without your key.
  • A host compromise while your device is offline — there is no key on the host to steal, and no live channel to the key service.
  • Lingering access — withdraw the token or rotate the key on your device and the host’s ability to decrypt ends immediately, even mid-run.

How it works

The host runs KerPlace pointed at an external key-management service (KMS) on your device. On every read, KerPlace asks the KMS to unwrap the data key over the tunnel — a network round-trip to your device; the host never holds the unwrapping key. KerPlace is fail-closed: if the KMS is unreachable, it refuses to serve rather than expose data. While the tunnel is up and the token is valid, the host can unwrap keys as part of normal operation; that window is exactly what revocation closes.

Revocation

From your device, cutting access is instant: revoke the scoped token, rotate the key, or simply drop the tunnel. The buckets go dark until you re-enable access.
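The flow described under "How it works" and the revocation behaviour above, as an added, runnable sketch that is not KerPlace's own code: a device-side KMS that keeps the key-encryption key (KEK), an untrusted host that stores only ciphertext plus a wrapped data key (DEK) and performs a round-trip unwrap on every read, fail-closed behaviour when the KMS is unreachable, and the three revocation paths (revoke the token, rotate the key, drop the tunnel). The class and method names, the in-process "tunnel", and the HMAC-SHA256-based authenticated cipher (a stdlib stand-in for AES-GCM so the example runs offline) are all assumptions of this example; rotation is deliberately modelled without re-wrapping, so old wrapped keys stop unwrapping immediately.

```python
import hashlib
import hmac
import secrets

# --- Toy authenticated cipher: HMAC-SHA256 keystream + HMAC tag (encrypt-then-MAC).
# --- Stand-in for AES-GCM so the example needs only the standard library.

def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys so the two uses never collide."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; raise on any mismatch."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

class KmsUnreachable(Exception):
    """The tunnel to the device is down; the host must fail closed."""

class KeyAccessDenied(Exception):
    """Token revoked, or the wrapped key is not under the device's current KEK."""

class DeviceKms:
    """Runs on the user's device. The KEK never leaves this object (assumed API)."""
    def __init__(self) -> None:
        self._kek = secrets.token_bytes(32)
        self._tokens: set[str] = set()
        self.online = True  # False models a dropped tunnel

    def issue_token(self) -> str:
        token = secrets.token_urlsafe(16)
        self._tokens.add(token)
        return token

    def revoke_token(self, token: str) -> None:
        self._tokens.discard(token)

    def rotate_key(self) -> None:
        # New KEK, no re-wrap: everything wrapped under the old KEK is now unusable.
        self._kek = secrets.token_bytes(32)

    def _check(self, token: str) -> None:
        if not self.online:
            raise KmsUnreachable("tunnel down")
        if token not in self._tokens:
            raise KeyAccessDenied("token revoked or unknown")

    def wrap(self, token: str, dek: bytes) -> bytes:
        self._check(token)
        return seal(self._kek, dek)

    def unwrap(self, token: str, wrapped: bytes) -> bytes:
        self._check(token)
        try:
            return open_sealed(self._kek, wrapped)
        except ValueError:
            raise KeyAccessDenied("wrapped key not under current KEK") from None

class Host:
    """Untrusted host: stores ciphertext and the wrapped DEK, never the KEK."""
    def __init__(self, kms: DeviceKms, token: str) -> None:
        self.kms, self.token, self.store = kms, token, {}

    def put(self, name: str, plaintext: bytes) -> None:
        dek = secrets.token_bytes(32)
        wrapped = self.kms.wrap(self.token, dek)      # round trip to the device
        self.store[name] = (wrapped, seal(dek, plaintext))

    def get(self, name: str) -> bytes:
        wrapped, ct = self.store[name]
        # Every read is a round trip; any KMS exception propagates, so the read fails closed.
        dek = self.kms.unwrap(self.token, wrapped)
        return open_sealed(dek, ct)

    def disk_image(self) -> dict[str, bytes]:
        """What a stolen disk or leaked backup of this host actually contains."""
        return {n: w + c for n, (w, c) in self.store.items()}

def _denied(host: Host, exc: type) -> bool:
    try:
        host.get("records")
        return False
    except exc:
        return True

def demo() -> dict[str, bool]:
    secret = b"customer records"          # constructed sample data
    kms = DeviceKms()
    token = kms.issue_token()
    host = Host(kms, token)
    host.put("records", secret)
    r = {"read_ok": host.get("records") == secret,
         "disk_has_plaintext": any(secret in blob for blob in host.disk_image().values())}
    kms.online = False                    # drop the tunnel
    r["offline_fails_closed"] = _denied(host, KmsUnreachable)
    kms.online = True
    kms.revoke_token(token)               # revoke the scoped token
    r["revoked_fails_closed"] = _denied(host, KeyAccessDenied)
    host.token = kms.issue_token()        # re-enable access with a fresh token
    r["reissue_restores"] = host.get("records") == secret
    kms.rotate_key()                      # rotate the key on the device
    r["rotation_cuts_access"] = _denied(host, KeyAccessDenied)
    return r

if __name__ == "__main__":
    print(demo())
```

The point the sketch makes concrete: the only place a wrapped DEK becomes usable is inside `DeviceKms.unwrap`, so the host's disk image carries nothing a thief can decrypt, and each of the three device-side actions stops the next read without any cooperation from the host.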

The device that holds the key is the root of trust. Keep it reachable, back up the key material separately, and never lose it.