Fly KMS

Thanks for the additional details… I originally jumped into this thread on impulse, and wouldn’t want to double-down on a misjudgment—particularly if it’s going to ruffle feathers.

My own opinion of this particular API remains unchanged, for whatever that’s worth, and I hope that there’s scope for eventually having an alternative that aligns better with intuitive, idiomatic usage, perhaps along the lines of the following:

require 'pathname'

fkms = Pathname.new('/.fly/kms/short-blobs/myxaeskey/encr')

plaintext = 'crimson 11 delight petrichore'

session = fkms / File.read(fkms / 'clone')

File.write(session / 'plaintext', plaintext)

ciphertext = File.read(session / 'ciphertext')

if ENV['AM_WORRYWART_MAYAILURUS']
  st = session / 'status'

  ('ok' == File.read(st / 'code')) || raise

  (ciphertext =~ /\Afkms:/) || raise
  (ciphertext =~ /;\n\z/) || raise

  ( plaintext.length == File.read(st /  'plaintext_length').to_i) || raise
  (ciphertext.length == File.read(st / 'ciphertext_length').to_i) || raise
end

File.unlink(session / 'ciphertext')

I really appreciate the work that you guys put into the security side in general—and hope that the overall spirit continues…

1 Like

That would make the API easier to drive purely from the shell, but to my eyes more complicated to drive from programs. That the API is currently drivable from the shell already makes it very weird! (But we love that it’s weird).

My general take on other APIs for this functionality is that we should keep the system API simple enough that it is extremely easy to build other APIs on top of it. For instance: that’s probably how I’d do a REST-y interface for this, so that you could use it from your dev machine.

(You’re never ruffling feathers).

1 Like

Hi, is Fly KMS already available to use? This post is the only info I found; we can’t find it in our dashboard. Maybe we need to send a request to activate it.

We would love to migrate services from AWS to Fly.io, KMS is the only blocker for us.

3 Likes

It is not currently available. We’re working on making it available and may have an answer for you in the next few weeks.

4 Likes

Hi, I was wondering if there have been any updates on Fly KMS? Is it ready for use? Thanks!

2 Likes

This is absolute brilliance - thank you for making such a general-purpose useful thing.

Managing our own keys and encryption performance, choice of algorithms, re-encryption - such a massive pain to do manually and to have to worry about secrets leaking.

Looks like I finally have a use case for this after almost a year. Is there a plan to make it generally available, or should I start learning Chinese?

We haven’t made the experimental kmsfs feature widely available yet. But in the meantime we’ve reorganized the way it is accessed internally, and the features are now accessible via the machines API. It’s a slightly lower level interface (kmsfs manages secret versions and key types for users, while the machines API does not), but it is documented as part of the machines API and available today. You can find the docs here: Fly Machines API

# using a token from $HOME
% curl -H "Authorization: Bearer $TOKEN" https://api.machines.dev/v1/apps/$FLY_APP_NAME/secretkeys/MYENCRKEY/generate -d '{"type": "xaes256gcm"}' 
{"name":"MYENCRKEY","type":"xaes256gcm","Version":28485278}

# using implicit token from $MACHINE
root@3d8dde75a269e8:/# echo "hello world" |base64
aGVsbG8gd29ybGQK
root@3d8dde75a269e8:/# curl --unix-socket /.fly/api http://localhost/v1/apps/$FLY_APP_NAME/secretkeys/MYENCRKEY/encrypt -d '{"plaintext": "aGVsbG8gd29ybGQK"}'
{"ciphertext":"4p2cwxeMQAQPgtumAiMgkXaGCs3G6Yc1OEsjhXjntxNnBHuTE79Iv3xNzPlrPifcaNcIPg=="}
root@3d8dde75a269e8:/# curl --unix-socket /.fly/api http://localhost/v1/apps/$FLY_APP_NAME/secretkeys/MYENCRKEY/decrypt -d '{"ciphertext":"4p2cwxeMQAQPgtumAiMgkXaGCs3G6Yc1OEsjhXjntxNnBHuTE79Iv3xNzPlrPifcaNcIPg=="}'
{"plaintext":"aGVsbG8gd29ybGQK"}
root@3d8dde75a269e8:/# echo aGVsbG8gd29ybGQK | base64 -d
hello world

The documentation is light, but the error messages can guide you in the right direction:

% curl -H "Authorization: Bearer $TOKEN" https://api.machines.dev/v1/apps/$FLY_APP_NAME/secretkeys/MYENCRKEY/generate -d '{"type": "i have no idea"}'
{"error":"invalid secret type \"i have no idea\". must be one of hs256, hs384, hs512, xaes256gcm, nacl_auth, nacl_box, nacl_secretbox, nacl_sign"}

The plaintext and ciphertext must be in base64.

The implicit tokens on machines are not powerful enough to manage secrets, but you can perform these operations from your machines if you provide a token with permission to do so.

The secret key operations only work from a machine in your app, and won’t work from $HOME:

% curl -H "Authorization: Bearer $TOKEN" https://api.machines.dev/v1/apps/$FLY_APP_NAME/secretkeys/MYENCRKEY/decrypt -d '{"ciphertext":"4p2cwxeMQAQPgtumAiMgkXaGCs3G6Yc1OEsjhXjntxNnBHuTE79Iv3xNzPlrPifcaNcIPg=="}'
{"error":"forbidden"}

Tim

3 Likes
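The encrypt and decrypt calls from the post above, wrapped as a small Python client; this is an added example, not part of the original post and not Fly.io's code. It assumes the `/.fly/api` socket and the endpoint paths shown in the post; the helper names and the JSON `Content-Type` header are assumptions.

```python
import base64
import http.client
import json
import socket

FLY_API_SOCKET = "/.fly/api"  # Unix socket path shown in the post
# Request field -> response field for each operation shown in the post.
FIELDS = {"encrypt": ("plaintext", "ciphertext"),
          "decrypt": ("ciphertext", "plaintext")}


class SecretKeyError(Exception):
    """The API answered with an {"error": ...} body, e.g. "forbidden"."""


class UnixHTTPConnection(http.client.HTTPConnection):
    """http.client connection that dials a Unix domain socket instead of TCP."""

    def __init__(self, path, timeout=10):
        super().__init__("localhost", timeout=timeout)
        self._path = path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.settimeout(self.timeout)
        self.sock.connect(self._path)


def encode_request(field, data):
    """Wrap raw bytes as the base64 JSON body the endpoint expects."""
    return json.dumps({field: base64.b64encode(data).decode("ascii")}).encode()


def decode_response(field, body):
    """Return the raw bytes in `field`; raise on an error body, never echo data."""
    doc = json.loads(body)
    if "error" in doc:
        raise SecretKeyError(doc["error"])
    return base64.b64decode(doc[field], validate=True)


def secretkey_op(app, key, op, data, socket_path=FLY_API_SOCKET):
    """Run encrypt or decrypt for `key` with the machine's implicit token."""
    req_field, resp_field = FIELDS[op]
    conn = UnixHTTPConnection(socket_path)
    try:
        conn.request("POST", f"/v1/apps/{app}/secretkeys/{key}/{op}",
                     body=encode_request(req_field, data),
                     headers={"Content-Type": "application/json"})  # assumed header
        return decode_response(resp_field, conn.getresponse().read())
    finally:
        conn.close()
```

On a Machine, `secretkey_op(app, "MYENCRKEY", "encrypt", data)` returns the raw ciphertext bytes to store, and passing those bytes back with `"decrypt"` returns the original data.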

I’m excited for this

Nothing fancy, but right now it’s not possible to set secrets via API (only “stage them”, but they won’t show up on your app until you manually fly deploy)

Hopefully, this tackles the use case