QuantumAPI

Cloud KMS Auto-Sync

2026-02-21 · v0.1.x-beta

1. What is it?

Cloud KMS Auto-Sync automatically re-exports key material to linked cloud KMS providers whenever a QuantumVault key is rotated. Instead of manually exporting the new key version to Azure Key Vault, AWS KMS, GCP Cloud KMS, or Scaleway KMS after each rotation, the platform handles it seamlessly in the background.

2. What is it for?

Multi-cloud key distribution

Keep encryption keys synchronized across Azure, AWS, GCP, and Scaleway from a single source of truth in QuantumVault.

Rotation compliance

Meet compliance requirements for regular key rotation without manual re-export steps — cloud copies are always up to date.

Disaster recovery

Ensure cloud KMS providers always have the latest key version, reducing recovery time when failover to a cloud provider is needed.

Gradual cloud migration

Keep cloud KMS copies in sync while migrating workloads. Decommission QuantumVault-managed keys only when fully transitioned.

3. Key concepts

Term | Definition
Auto-sync | When enabled on a cloud export, QuantumVault automatically re-exports the new key version to the linked cloud provider after every rotation.
Cloud export | A record linking a QuantumVault key to a specific cloud KMS provider and destination (e.g. an Azure Key Vault name or an AWS KMS key ARN).
Saved credentials | Cloud provider credentials (client secret, access key, etc.) stored encrypted in the Vault. Required for auto-sync; without saved credentials only manual export is possible.
Manual sync | A one-off push of the current key material to a cloud provider, triggered via the 'Sync now' button or the sync API call.
Sync error | If auto-sync fails (e.g. expired cloud credentials), the error is recorded in the export's lastSyncError field. Sync failures are non-fatal: the key rotation still succeeds, but the cloud copy stays on the previous version until a sync succeeds.
Provider metadata | Cloud-specific details stored with the export record: vault name, key ring, region, alias, etc.

4. How to set it up

Enable auto-sync on a cloud export

1. Export a key to a cloud provider

   Go to a key's detail page, click Export → choose Azure Key Vault, AWS KMS, GCP Cloud KMS, or Scaleway KMS. Fill in the provider credentials and destination.

2. Save credentials to Vault

   Check 'Save credentials to Vault' during export. This stores the cloud provider credentials encrypted in QuantumVault so that later automatic exports can authenticate without you re-entering them.

3. Enable auto-sync on rotation

   Check 'Auto-sync on rotation' during the initial export, or toggle it later from the Cloud Exports card on the key detail page. Auto-sync cannot be enabled on an export that has no saved credentials.

4. Rotate normally

   When the key is rotated (manually or via a rotation policy), QuantumVault automatically re-exports the new version to all linked providers with auto-sync enabled.

Supported cloud providers

Azure Key Vault

Export RSA and EC keys to Azure Key Vault. Requires: Tenant ID, Client ID, Client Secret, Key Vault name. The service principal needs the 'Key Vault Crypto Officer' role on the target vault, and the vault must use the Azure RBAC permission model: the built-in Key Vault data-plane roles have no effect on vaults that still use access policies.

Supported: RSA-2048, RSA-3072, RSA-4096, EC-P256, EC-P384, EC-P521

AWS KMS

Export RSA and EC keys to AWS KMS. Requires: Access Key ID, Secret Access Key, Region. The IAM principal needs kms:CreateKey, kms:GetParametersForImport, kms:ImportKeyMaterial and kms:DescribeKey (see the permissions table below). Because a long-lived IAM user access key is what gets saved in the Vault, use a dedicated IAM user that holds only these permissions.

Supported: RSA-2048, RSA-3072, RSA-4096, EC-P256, EC-P384

GCP Cloud KMS

Export RSA keys to GCP Cloud KMS. Requires: Service Account JSON, Project ID, Location, Key Ring. The service account needs roles/cloudkms.admin or roles/cloudkms.importer.

Supported: RSA-2048, RSA-3072, RSA-4096

Scaleway KMS

Export RSA and EC keys to Scaleway KMS. Requires: Access Key, Secret Key, Project ID, Region. European sovereignty option.

Supported: RSA-2048, RSA-3072, RSA-4096, EC-P256, EC-P384

Prerequisites & Permissions

Each cloud KMS provider requires specific IAM roles or permissions on the target resource. Without correct permissions the export fails with an authorization error from the provider; for automatic syncs that error is surfaced in the export's lastSyncError field. Role assignments can take several minutes to propagate, so a freshly assigned role may still produce an authorization error on the first attempt. Retry with 'Sync now' once it has propagated.

Azure Key Vault

Role / Permission | Scope / Resource | Notes
Key Vault Crypto Officer | Target Key Vault resource | Full key management: import, create, rotate, delete. Key import (Microsoft.KeyVault/vaults/keys/import/action) is granted by this role (or the broader Key Vault Administrator), so it is the one to assign for export and auto-sync.
Key Vault Reader / Key Vault Crypto User | Target Key Vault resource | Read metadata and perform cryptographic operations only. Neither role grants keys/import/action, so they are enough for workloads consuming the exported key but not for the export or sync itself.
Common error: ForbiddenByRbac, Action: 'Microsoft.KeyVault/vaults/keys/read', Assignment: (not found). This means no role at all is assigned to the principal on this vault; assign one of the roles above at vault scope and allow time for propagation.

AWS KMS

Role / Permission | Scope / Resource | Notes
kms:CreateKey + kms:ImportKeyMaterial + kms:DescribeKey + kms:GetParametersForImport | Target AWS account / KMS key ARN | Full import workflow. kms:CreateKey has no resource-level permissions and must be allowed on Resource "*" (the key does not exist yet); the other three actions can be scoped to the key ARN. Add kms:CreateAlias if using key aliases.
kms:ImportKeyMaterial + kms:DescribeKey + kms:GetParametersForImport | Specific KMS key ARN | Key must already exist, must have been created with Origin EXTERNAL (KMS only accepts imported material into such keys), and its key spec must match the QuantumVault key's algorithm. Cannot create new keys.
Common error: AccessDeniedException, User: arn:aws:iam::... is not authorized to perform: kms:ImportKeyMaterial
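A pre-flight check for the AWS side of the table above, as an added example (this is not QuantumAPI's code). It takes the IAM policy document you intend to attach to the IAM user whose access key will be saved in the Vault, and reports which of the required KMS actions it fails to grant, including the easy-to-miss rule that kms:CreateKey must be allowed on Resource "*". The policy documents, account id and key ARN are constructed placeholders; the checker deliberately ignores NotAction, NotResource and Condition blocks and makes no AWS calls, so a clean result means "worth trying", not "proven".

```python
"""Static check of an IAM policy against the KMS import workflow.

Added example, not QuantumAPI's own code. Limitations: NotAction, NotResource
and Condition are not evaluated; only the kms:CreateKey Resource "*" rule is
checked at resource level. Nothing here talks to AWS.
"""
import fnmatch

# Actions from the permissions table for the two supported policy shapes.
FULL_IMPORT_ACTIONS = {
    "kms:CreateKey",
    "kms:GetParametersForImport",
    "kms:ImportKeyMaterial",
    "kms:DescribeKey",
}
EXISTING_KEY_ACTIONS = FULL_IMPORT_ACTIONS - {"kms:CreateKey"}


def _as_list(value):
    """IAM accepts a single string or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action matching is case-insensitive and supports '*' and '?'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def granted_actions(policy, required):
    """Map each required action to the resources its Allow statements name,
    dropping any action that an explicit Deny also covers (Deny always wins)."""
    allowed, denied = {}, set()
    for stmt in _as_list(policy.get("Statement")):
        patterns = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        for action in required:
            if not any(_matches(p, action) for p in patterns):
                continue
            if stmt.get("Effect") == "Deny":
                denied.add(action)
            elif stmt.get("Effect") == "Allow":
                allowed.setdefault(action, set()).update(resources)
    return {a: r for a, r in allowed.items() if a not in denied}


def policy_problems(policy, existing_key_only=False, use_alias=False):
    """Sorted list of human-readable problems; empty means the policy covers
    the workflow row selected by existing_key_only / use_alias."""
    required = set(EXISTING_KEY_ACTIONS if existing_key_only else FULL_IMPORT_ACTIONS)
    if use_alias:
        required.add("kms:CreateAlias")
    granted = granted_actions(policy, required)
    problems = [f"missing {a}" for a in required if a not in granted]
    # CreateKey has no resource-level permissions: a statement scoped to a key
    # ARN matches the action but grants nothing usable.
    if "kms:CreateKey" in granted and "*" not in granted["kms:CreateKey"]:
        problems.append('kms:CreateKey must be allowed on Resource "*"')
    return sorted(problems)


# Constructed sample policies; account id and key id are placeholders.
KEY_ARN = "arn:aws:kms:eu-west-1:111122223333:key/00000000-0000-0000-0000-000000000000"

FULL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "kms:CreateKey", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["kms:GetParametersForImport", "kms:ImportKeyMaterial", "kms:DescribeKey"],
         "Resource": KEY_ARN},
    ],
}

# Everything scoped to one pre-created key: fine for the "key must already
# exist" row, but CreateKey is not really granted.
KEY_SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "kms:*", "Resource": KEY_ARN}],
}

# Broad allow undone by an explicit Deny on the import action.
DENIED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "kms:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "kms:ImportKeyMaterial", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for name, pol in [("full", FULL_POLICY), ("key-scoped", KEY_SCOPED_POLICY), ("denied", DENIED_POLICY)]:
        print(name, policy_problems(pol) or "ok")
```

Run it against the policy you are about to attach before saving the credential, and run it again with existing_key_only=True if you pre-create the EXTERNAL-origin key yourself and want the reduced permission set from the second table row.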

GCP Cloud KMS

Role / Permission | Scope / Resource | Notes
roles/cloudkms.admin | Target Key Ring or Project | Full KMS management: create keys, import versions, manage IAM.
roles/cloudkms.importer + roles/cloudkms.viewer | Target Key Ring | Import key versions only. Cannot create new keys or manage policies.
Common error: PERMISSION_DENIED, The caller does not have permission 'cloudkms.importJobs.create'

Scaleway KMS

Role / Permission | Scope / Resource | Notes
KeyManagerFullAccess | Target Scaleway Project | Full key management within the project. Recommended for auto-sync.
KeyManagerReadOnly | Target Scaleway Project | Read-only access; cannot import key material, so auto-sync fails with this permission set. Manual import via the Scaleway API with a higher-privileged credential is required.
Common error: PermissionsDenied, insufficient permissions on resource 'kms'

Manual sync

You can trigger a one-off sync at any time using the 'Sync now' button on the Cloud Exports card, or via the API. This pushes the current key version to the cloud provider without needing to rotate first.

Manual sync via API
POST /api/v1/keys/{keyId}/cloud-exports/{exportId}/sync
Authorization: Bearer <token>

Error handling

Sync failures are non-fatal: if auto-sync fails during a key rotation, the rotation itself still completes successfully. The error is recorded in the export's lastSyncError field and displayed in the UI; lastSyncAt keeps the timestamp of the last successful sync. Common causes include expired cloud credentials, network issues, or insufficient permissions on the cloud provider side. Until a sync succeeds, the cloud provider keeps serving the previous key version while QuantumVault is already on the new one, so alert on a non-null lastSyncError (or on a lastSyncAt older than the key's last rotation) rather than relying on the rotation having succeeded. Fix the underlying issue and use 'Sync now' to retry.

5. Security considerations

Encrypted credential storage

Cloud provider credentials are stored encrypted in QuantumVault using the same envelope encryption (AES-256-GCM + QRNG nonces) as all other secrets.

Non-blocking failures

Sync failures never block key rotation. The rotation succeeds and the error is logged; you can retry manually at any time. The flip side is that a failed sync leaves the cloud copy one version behind without anything failing visibly on the rotation path, so treat a non-null lastSyncError as an alerting condition.

Full audit trail

Every sync operation (automatic and manual) is recorded in the audit log with timestamp, provider, result, and operator.

Scope-gated access

Managing cloud exports requires the keys:write API key scope; listing exports requires keys:read. Note that creating an export pushes private key material to whichever cloud destination the caller specifies, so keys:write is effectively a key-export privilege: grant it sparingly, and review the audit log for new export records and for destinations you do not recognise.

6. Field reference

Field | Type | Description
id | uuid | Unique identifier of the cloud export record.
cryptoKeyId | uuid | The QuantumVault key this export is linked to.
provider | string | Cloud provider: AzureKeyVault, AwsKms, GcpKms, or ScalewayKms.
autoSyncEnabled | boolean | Whether auto-sync on rotation is enabled for this export.
vaultSecretId | uuid? | ID of the Vault secret storing the cloud credentials. Required to enable auto-sync.
lastSyncAt | datetime? | Timestamp of the last successful sync operation.
lastSyncError | string? | Error message from the last failed sync attempt, or null if the last sync succeeded.
exportedAt | datetime | Timestamp of the initial export.
exportedBy | string | User or API key that performed the initial export.

A trailing ? marks a nullable field.

7. API / CLI reference

Method | Endpoint | Description
GET | /api/v1/keys/{keyId}/cloud-exports | List all cloud KMS exports for a key. Requires keys:read.
PATCH | /api/v1/keys/{keyId}/cloud-exports/{exportId}/auto-sync | Enable or disable auto-sync for an export. Body: { "enabled": true } or { "enabled": false }. Requires keys:write.
POST | /api/v1/keys/{keyId}/cloud-exports/{exportId}/sync | Trigger an immediate sync of the current key material to the cloud provider. Requires keys:write.
DELETE | /api/v1/keys/{keyId}/cloud-exports/{exportId} | Delete a cloud export record and its associated Vault secret. Requires keys:write. This removes only the QuantumVault-side record and credentials; decide separately whether the key version already present at the cloud provider should be disabled or deleted there.
Toggle auto-sync via API
PATCH /api/v1/keys/{keyId}/cloud-exports/{exportId}/auto-sync
Authorization: Bearer <token>
Content-Type: application/json

{ "enabled": true }
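The same endpoints driven from a script, covering the setup procedure, manual sync and error handling sections above, as an added example that is not QuantumAPI's own SDK. It wraps the four documented calls with bearer-token auth, adds a health check over the export records (a failed last sync, auto-sync without saved credentials, auto-sync disabled), and retries 'Sync now' for every export whose last sync failed. Assumptions the page does not state: the list endpoint returns a JSON array of records shaped like the field reference, and the base URL and token are placeholders. The sample records and the FakeOpener are constructed so the script runs offline; pass a real token and drop the opener argument to run it against a live instance.

```python
"""Client for the cloud-export endpoints plus a sync health check.

Added example, not QuantumAPI's SDK. Assumed: GET .../cloud-exports returns a
JSON array of export records with the field-reference fields; base URL and
token below are placeholders.
"""
import json
import urllib.request


class CloudExportClient:
    """Thin wrapper over the four documented endpoints (bearer-token auth).
    `opener` defaults to urlopen; the fake below is injected to stay offline."""

    def __init__(self, base_url, token, opener=urllib.request.urlopen):
        self.base_url = base_url.rstrip("/")
        self.token = token
        self.opener = opener

    def _request(self, method, path, body=None):
        data = json.dumps(body).encode("utf-8") if body is not None else None
        req = urllib.request.Request(self.base_url + path, data=data, method=method)
        req.add_header("Authorization", "Bearer " + self.token)
        if data is not None:
            req.add_header("Content-Type", "application/json")
        with self.opener(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else None

    def list_exports(self, key_id):
        return self._request("GET", f"/api/v1/keys/{key_id}/cloud-exports")

    def set_auto_sync(self, key_id, export_id, enabled):
        path = f"/api/v1/keys/{key_id}/cloud-exports/{export_id}/auto-sync"
        return self._request("PATCH", path, {"enabled": bool(enabled)})

    def sync_now(self, key_id, export_id):
        return self._request("POST", f"/api/v1/keys/{key_id}/cloud-exports/{export_id}/sync")


def unhealthy_exports(exports):
    """(export id, reason) for each record an operator should look at. Sync
    failures are non-fatal, so this is where a stale cloud copy becomes visible."""
    problems = []
    for e in exports:
        if e.get("lastSyncError"):
            problems.append((e["id"], "last sync failed: " + e["lastSyncError"]))
        elif not e.get("autoSyncEnabled"):
            problems.append((e["id"], "auto-sync disabled: cloud copy goes stale on next rotation"))
        # Should not occur per the field reference (credentials are required to
        # enable auto-sync), which is exactly why it is worth flagging if it does.
        if e.get("autoSyncEnabled") and not e.get("vaultSecretId"):
            problems.append((e["id"], "auto-sync enabled but no saved credentials"))
    return problems


def retry_failed_syncs(client, key_id):
    """'Sync now' for each export whose last sync failed. Run this after fixing
    the credential or permission problem, not instead of fixing it."""
    retried = []
    for e in client.list_exports(key_id):
        if e.get("lastSyncError"):
            client.sync_now(key_id, e["id"])
            retried.append(e["id"])
    return retried


# Constructed sample records; ids and timestamps are placeholders.
SAMPLE_EXPORTS = [
    {"id": "exp-azure", "cryptoKeyId": "key-1", "provider": "AzureKeyVault",
     "autoSyncEnabled": True, "vaultSecretId": "sec-1",
     "lastSyncAt": "2026-02-21T10:00:00Z", "lastSyncError": None},
    {"id": "exp-aws", "cryptoKeyId": "key-1", "provider": "AwsKms",
     "autoSyncEnabled": True, "vaultSecretId": "sec-2", "lastSyncAt": "2026-02-20T09:00:00Z",
     "lastSyncError": "AccessDeniedException: not authorized to perform: kms:ImportKeyMaterial"},
    {"id": "exp-gcp", "cryptoKeyId": "key-1", "provider": "GcpKms",
     "autoSyncEnabled": True, "vaultSecretId": None, "lastSyncAt": None, "lastSyncError": None},
]


class _Response:
    def __init__(self, body):
        self.body = body

    def read(self):
        return self.body

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


class FakeOpener:
    """Stand-in for urlopen: records each request; GET returns SAMPLE_EXPORTS."""

    def __init__(self):
        self.calls = []

    def __call__(self, req):
        self.calls.append((req.get_method(), req.full_url, req.data))
        body = json.dumps(SAMPLE_EXPORTS).encode("utf-8") if req.get_method() == "GET" else b""
        return _Response(body)


def demo():
    """Offline run: list exports, retry the failed one, return what was sent."""
    opener = FakeOpener()
    client = CloudExportClient("https://quantumapi.example", "TOKEN-PLACEHOLDER", opener)
    return retry_failed_syncs(client, "key-1"), opener.calls


if __name__ == "__main__":
    for export_id, reason in unhealthy_exports(SAMPLE_EXPORTS):
        print(export_id, reason)
    print(demo())
```

unhealthy_exports is the piece to wire into monitoring: poll the list endpoint with a keys:read key and page the operator on any output, since nothing on the rotation path will.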

8. FAQ

What happens if auto-sync fails during rotation?

The key rotation completes successfully regardless. The error is recorded in the export's lastSyncError field, and the cloud copy stays on the previous key version until a sync succeeds. Fix the issue (e.g. renew cloud credentials) and click 'Sync now' to retry.

Which key algorithms can be exported to cloud KMS?

Only classical algorithms (RSA and EC keys, per the per-provider lists above) are supported for cloud export. Post-quantum algorithms (ML-KEM, ML-DSA) cannot be exported because the cloud KMS import paths do not yet accept them.

How are cloud credentials stored?

Credentials are encrypted using QuantumVault's standard envelope encryption (AES-256-GCM with QRNG nonces) and stored as Vault secrets. They are only decrypted at sync time.

Can I disable auto-sync without deleting the export?

Yes. Toggle auto-sync off via the Cloud Exports card on the key detail page, or use PATCH /api/v1/keys/{keyId}/cloud-exports/{exportId}/auto-sync with { "enabled": false }.

What is the difference between manual sync and auto-sync?

Manual sync is a one-off push triggered by the user. Auto-sync happens automatically after every key rotation. Both push the same key material to the same cloud destination.
