Skip to content

Releases: cozystack/keycloak-kms-proxy

v0.2.1

Choose a tag to compare

@github-actions github-actions released this 08 Jul 16:32
c165cd8

What's Changed

New Contributors

Full Changelog: v0.2.0...v0.2.1

v0.2.0

Choose a tag to compare

@github-actions github-actions released this 08 Jul 09:49
027a116

What's Changed

New Contributors

Full Changelog: v0.1.0...v0.2.0

v0.1.0

Choose a tag to compare

@github-actions github-actions released this 22 Jun 18:34

First public release of keycloak-kms-proxy — a transparent PostgreSQL wire-protocol proxy that sits between Keycloak and its CloudNativePG database and encrypts/decrypts PII columns on the fly. The data-encryption key is wrapped by a KMS and never lives inside PostgreSQL.

Highlights

  • Transparent column encryption for Keycloak PII: username/email (deterministic + lower-cased so login keeps working), first_name/last_name, pii-* user attributes, and credential secrets.
  • Self-describing $KKP$ ciphertext marker — safe to run against a partially-migrated database; markerless values are treated as not-yet-encrypted.
  • KMS-wrapped keys: static 32-byte KEK, or HashiCorp Vault Transit with transparent KEK rotation (no column re-encryption).
  • SCRAM on both legs + TLS termination; unrecognised traffic (DDL, Liquibase, COPY, …) is byte passthrough.
  • Offline backfill tool (cmd/backfill) to migrate an existing Keycloak.
  • Search: equality and wildcard-free LIKE on deterministic columns.
  • Prometheus metrics; unprivileged, PodSecurity-restricted container.

Container image

ghcr.io/cozystack/keycloak-kms-proxy:v0.1.0 (also :0.1, :latest) — linux/amd64.

Cozystack

Integrates into the Cozystack keycloak package as an optional, flag-gated encryption feature.

This is an early release; see the README for the threat model and docs/ for the operator guides.