Local KMS - A mock version of AWS' Key Management Service

Local KMS is a mock of Amazon Web Services’ KMS API, designed to be used in local development and testing.

Whilst this service does use real encryption, it is designed for development and testing against KMS; not for use in a production environment.

Update: Local KMS is now included as part of localstack.

The need for a local version of KMS started as a requirement for a project I was working on; it used AWS KMS to encrypt data, and we needed a way to develop and test against it locally. Localstack covered everything else the project needed, but lacked the KMS functionality. KMS also provided an additional difficulty compared to other mocked AWS services in that, by its nature, many of its features are not deterministic. Local KMS was therefore also built with seeding support, a feature that allows a set of pre-defined keys and aliases to be supplied on startup, giving you a deterministic and versionable way to manage test keys.

Local KMS now supports:

  • Symmetric and ECC_NIST keys
  • Management of Customer Master Keys, including:
    • Enabling and disabling keys
    • Scheduling key deletion
    • Enabling/disabling automated key rotation
  • Management of key aliases
  • Encryption
    • Encryption Contexts
  • Decryption
  • Generating a data key, with or without plain text
  • Generating random data
  • Signing and verifying messages
    • RAW and DIGEST
  • Tags
  • Key Policies: Get & Put

Built in Go.