Releases: cozystack/keycloak-kms-proxy
Releases · cozystack/keycloak-kms-proxy
Release list
v0.2.1
What's Changed
- fix(wire): decrypt reads on pgjdbc describe-statement and prepared-reuse flows by Andrei Kvapil (@kvaps) in #2
New Contributors
- Andrei Kvapil (@kvaps) made their first contribution in #2
Full Changelog: v0.2.0...v0.2.1
v0.2.0
What's Changed
- feat(kms): add Vault Kubernetes and AppRole authentication by Kirill Ilin (@sircthulhu) in #1
New Contributors
- Kirill Ilin (@sircthulhu) made their first contribution in #1
Full Changelog: v0.1.0...v0.2.0
v0.1.0
First public release of keycloak-kms-proxy — a transparent PostgreSQL wire-protocol proxy that sits between Keycloak and its CloudNativePG database and encrypts/decrypts PII columns on the fly. The data-encryption key is wrapped by a KMS and never lives inside PostgreSQL.
Highlights
- Transparent column encryption for Keycloak PII:
username/email(deterministic + lower-cased so login keeps working),first_name/last_name,pii-*user attributes, and credential secrets. - Self-describing
$KKP$ciphertext marker — safe to run against a partially-migrated database; markerless values are treated as not-yet-encrypted. - KMS-wrapped keys: static 32-byte KEK, or HashiCorp Vault Transit with transparent KEK rotation (no column re-encryption).
- SCRAM on both legs + TLS termination; unrecognised traffic (DDL, Liquibase,
COPY, …) is byte passthrough. - Offline backfill tool (
cmd/backfill) to migrate an existing Keycloak. - Search: equality and wildcard-free
LIKEon deterministic columns. - Prometheus metrics; unprivileged, PodSecurity-restricted container.
Container image
ghcr.io/cozystack/keycloak-kms-proxy:v0.1.0 (also :0.1, :latest) — linux/amd64.
Cozystack
Integrates into the Cozystack keycloak package as an optional, flag-gated encryption feature.
This is an early release; see the README for the threat model and docs/ for the operator guides.