infisical kmip

docs/cli/commands/kmip.mdx

<Tabs>
<Tab title="Start KMIP server">
```bash
infisical kmip start <server-name> \
  --enroll-method=token \
  --token=<enrollment-token> \
  --domain=<your-infisical-domain>
```
</Tab>
<Tab title="Start as background daemon (Linux only)">
```bash
sudo infisical kmip systemd install <server-name> \
  --enroll-method=token \
  --token=<enrollment-token> \
  --domain=<your-infisical-domain>
sudo systemctl start infisical-kmip
```
</Tab>
</Tabs>

Description

The Infisical KMIP server provides Key Management Interoperability Protocol (KMIP) support for integration with KMIP-compatible clients. It acts as a proxy between your KMIP clients and Infisical KMS, enabling standardized key management operations.

The server is created in Infisical and then enrolled from the host where you run it, using either a one-time enrollment token or AWS authentication. The deploy command (including the enrollment token) can be copied from the server's detail page via **Show deploy command**.

The server's certificate configuration (hostnames/IPs, TTL, and key algorithm) is defined on the server entity in the UI. The CLI fetches it on start, so you do not pass it on the command line. To change the certificate, edit the configuration in the UI and restart the server.

For detailed information about KMIP integration, PKI setup, and client configuration, see the KMIP Integration Guide.

Subcommands & flags

<AccordionGroup> <Accordion title="infisical kmip start" defaultOpen="true"> Run the Infisical KMIP server in the foreground. The server enrolls with Infisical, listens for KMIP client connections, and proxies KMIP operations to Infisical KMS.
```bash
infisical kmip start <server-name> \
  --enroll-method=token \
  --token=<enrollment-token> \
  --domain=<your-infisical-domain>
```

Once started, the KMIP server will:

  • Authenticate to Infisical using the enrollment method you provide
  • Listen for incoming KMIP client connections
  • Forward KMIP operations (Create, Get, Activate, Revoke, etc.) to Infisical KMS
  • Handle mTLS authentication for KMIP clients

Arguments

<server-name> (required): the name of the KMIP server, passed as the first positional argument. The name scopes where enrollment state is stored locally, so use the same value across restarts. Instead of passing it positionally, you can supply it with the --server-name flag or the INFISICAL_KMIP_SERVER_NAME environment variable.

Flags

<AccordionGroup> <Accordion title="--enroll-method"> The enrollment method used to authenticate the KMIP server: `token` or `aws`.
```bash
# Example
infisical kmip start <server-name> --enroll-method=token --token=<enrollment-token>
```

You may also set this via the environment variable `INFISICAL_KMIP_ENROLL_METHOD`.
</Accordion> <Accordion title="--token"> The one-time enrollment token (when `--enroll-method=token`). Generate it from the KMIP server's detail page via **Show deploy command**. Tokens are single-use and expire after 1 hour.
On restart, the CLI reuses the long-lived access token it stored at enrollment, so the token is only needed for the initial deployment.

```bash
# Example
infisical kmip start <server-name> --enroll-method=token --token=<enrollment-token>
```
</Accordion> <Accordion title="--kmip-server-id"> The KMIP server ID (when `--enroll-method=aws`). The server signs an `sts:GetCallerIdentity` request on every start and authenticates against the allowlist configured on the server entity.
```bash
# Example
infisical kmip start <server-name> --enroll-method=aws --kmip-server-id=<kmip-server-id>
```

You may also set this via the environment variable `INFISICAL_KMIP_SERVER_ID`.
</Accordion> <Accordion title="--server-name"> Alternative to passing the server name as the positional argument (`infisical kmip start <server-name>`), which is the recommended form. The name is required, so supply it either positionally, via this flag, or via the environment variable. It scopes where enrollment state is stored locally, so use the same value across restarts.
```bash
# Example (equivalent to: infisical kmip start production-kmip --enroll-method=token --token=<enrollment-token>)
infisical kmip start --server-name="production-kmip" --enroll-method=token --token=<enrollment-token>
```

You may also set this via the environment variable `INFISICAL_KMIP_SERVER_NAME`.
</Accordion> <Accordion title="--domain"> Domain of your self-hosted Infisical instance. If not specified, defaults to Infisical Cloud.
```bash
# Example
infisical kmip start <server-name> --domain=https://app.your-domain.com --enroll-method=token --token=<enrollment-token>
```

You may also set this via the environment variable `INFISICAL_API_URL`.
</Accordion> <Accordion title="--listen-address"> The address for the KMIP server to listen on. Default: `localhost:5696`. To accept connections from other hosts, bind to all interfaces (`0.0.0.0:5696`) or a specific interface.
```bash
# Example - listen on all interfaces
infisical kmip start <server-name> --listen-address="0.0.0.0:5696" --enroll-method=token --token=<enrollment-token>
```

You may also set this via the environment variable `INFISICAL_KMIP_LISTEN_ADDRESS`.
</Accordion> <Accordion title="--certificate-ttl (legacy machine-identity servers only)"> The TTL duration for the server certificate. Default: `1y`.
This flag applies only to legacy machine-identity KMIP servers. For servers enrolled via token or AWS, the certificate TTL is configured on the server entity in the UI and read on start, so this flag is ignored.

```bash
# Example
infisical kmip start <server-name> --certificate-ttl="6m" --enroll-method=token --token=<enrollment-token>
```

You may also set this via the environment variable `INFISICAL_KMIP_CERTIFICATE_TTL`.
</Accordion> <Accordion title="--hostnames-or-ips (legacy machine-identity servers only)"> Comma-separated list of hostnames or IP addresses that KMIP clients will use to reach the server. These become the Subject Alternative Names (SANs) of the server's TLS certificate, so they must match how clients connect.
This flag applies only to legacy machine-identity KMIP servers. For servers enrolled via token or AWS, the hostnames/IPs are configured on the server entity in the UI and read on start, so this flag is ignored.

```bash
# Example
infisical kmip start <server-name> --hostnames-or-ips="kmip.example.com,10.0.1.50" --enroll-method=token --token=<enrollment-token>
```

You may also set this via the environment variable `INFISICAL_KMIP_HOSTNAMES_OR_IPS`.
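The `--listen-address` and `--hostnames-or-ips` notes above describe two settings that have to agree: the names and IPs advertised to clients become the certificate SANs, and they are only useful if the server actually accepts connections at those endpoints. The following pre-flight check, an added example that is not Infisical's own code, models that relationship. All function names and the validation rules are this example's assumptions; it parses the two values the same way a deployment script would, flags SANs that can never be reached from the chosen bind address, reports whether the listener is exposed beyond loopback, and implements the SAN-matching rule a client applies (case-insensitive DNS names, IPs compared as parsed addresses, so IPv6 spelling differences do not cause false mismatches).

```python
"""Pre-flight consistency check for --listen-address and --hostnames-or-ips.

Added example, not Infisical's own code: the function names and the rules
below are this example's assumptions. It checks that the names and IPs
advertised to clients (which become the certificate SANs) are reachable
given where the server binds, and that an address a client dials is
covered by the SAN list.
"""
import ipaddress
import re

# Assumption: a DNS SAN is a dotted sequence of RFC 1123 labels.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def is_hostname(value: str) -> bool:
    labels = value.rstrip(".").split(".")
    return bool(labels) and all(_LABEL.match(label) for label in labels)


def parse_listen_address(value: str) -> tuple[str, int]:
    """Split the 'host:port' form used by --listen-address (default localhost:5696)."""
    host, sep, port = value.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"listen address must be host:port, got {value!r}")
    host = host.strip("[]")  # accept the bracketed IPv6 form, e.g. [::]:5696
    return host, int(port)


def parse_hostnames_or_ips(value: str) -> list[str]:
    """Split the comma-separated --hostnames-or-ips list and validate each entry."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    if not entries:
        raise ValueError("hostnames-or-ips must contain at least one entry")
    for entry in entries:
        if not (is_ip(entry) or is_hostname(entry)):
            raise ValueError(f"invalid hostname or IP in SAN list: {entry!r}")
    return entries


def san_covers(sans: list[str], client_target: str) -> bool:
    """True if the address a client dials is covered by the SAN list.

    DNS names compare case-insensitively (trailing dot ignored); IPs compare as
    parsed addresses, so '2001:DB8::1' matches '2001:db8:0:0:0:0:0:1'.
    """
    if is_ip(client_target):
        want = ipaddress.ip_address(client_target)
        return any(is_ip(s) and ipaddress.ip_address(s) == want for s in sans)
    want = client_target.rstrip(".").lower()
    return any(not is_ip(s) and s.rstrip(".").lower() == want for s in sans)


def _is_local(name: str) -> bool:
    return name == "localhost" or (is_ip(name) and ipaddress.ip_address(name).is_loopback)


def check_plan(listen_address: str, hostnames_or_ips: str) -> dict:
    """Return {'exposed': bool, 'findings': [...]}.

    An empty findings list means every advertised SAN is consistent with the
    bind address; 'exposed' is True when hosts other than this one can connect.
    """
    host, port = parse_listen_address(listen_address)
    sans = parse_hostnames_or_ips(hostnames_or_ips)
    findings = []
    if _is_local(host):
        # Bound to loopback: remote names in the SAN list can never connect.
        remote = [s for s in sans if not _is_local(s)]
        if remote:
            findings.append(
                f"bound to loopback ({listen_address}) but SANs advertise remote endpoints: {remote}"
            )
        return {"exposed": False, "findings": findings}
    if is_ip(host) and not ipaddress.ip_address(host).is_unspecified:
        # Bound to one interface: any non-loopback IP SAN must be that interface's address.
        bound = ipaddress.ip_address(host)
        for s in sans:
            if is_ip(s) and not _is_local(s) and ipaddress.ip_address(s) != bound:
                findings.append(f"SAN IP {s} is not the bound interface {host} (port {port})")
    return {"exposed": True, "findings": findings}


if __name__ == "__main__":
    # Constructed inputs mirroring the flag examples on this page.
    print(check_plan("localhost:5696", "kmip.example.com,10.0.1.50"))
    print(check_plan("0.0.0.0:5696", "kmip.example.com,10.0.1.50"))
    print(san_covers(["kmip.example.com", "10.0.1.50"], "KMIP.EXAMPLE.COM"))
```

Run `check_plan` with the values you intend to pass to `infisical kmip start` before deploying: the first call above reports a finding because a loopback-only listener is advertising `10.0.1.50` and `kmip.example.com`, which no remote client can reach, while the second is consistent but exposed, which is the case where the mTLS client authentication the server performs does the real access control.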
</Accordion> </AccordionGroup> </Accordion> <Accordion title="infisical kmip systemd install"> Install and enable the KMIP server as a systemd service. This command must be run with sudo on Linux.
```bash
sudo infisical kmip systemd install <server-name> \
  --enroll-method=token \
  --token=<enrollment-token> \
  --domain=<your-infisical-domain>
sudo systemctl start infisical-kmip
```

For token enrollment, the single-use token is exchanged for a long-lived access token at install time and persisted to the service config; the service reuses it on every restart. For AWS enrollment, no token is stored and the server re-authenticates via STS on each start.

Requirements

  • Must be run on Linux
  • Must be run with root/sudo privileges
  • Requires systemd

What it does

  1. Creates a config file at /etc/infisical/kmip.conf with the provided enrollment settings
  2. Creates a systemd service file at /etc/systemd/system/infisical-kmip.service
  3. Reloads the systemd daemon
  4. Enables the service to start on boot

Arguments & Flags

Like infisical kmip start, this command takes the <server-name> as a required positional argument (or via --server-name / INFISICAL_KMIP_SERVER_NAME). It accepts the same flags as infisical kmip start (documented above): --enroll-method, --token, --kmip-server-id, --server-name, --domain, --listen-address, and (for legacy machine-identity servers only) --hostnames-or-ips and --certificate-ttl.

Service Details

The systemd service is installed with secure defaults:

  • Service file: /etc/systemd/system/infisical-kmip.service
  • Config file: /etc/infisical/kmip.conf
  • Automatically restarts on failure
  • Enabled to start on boot

After installation, manage the service with standard systemd commands:

```bash
sudo systemctl start infisical-kmip    # Start the service
sudo systemctl stop infisical-kmip     # Stop the service
sudo systemctl status infisical-kmip   # Check service status
sudo systemctl disable infisical-kmip  # Disable auto-start on boot
sudo journalctl -u infisical-kmip      # View logs
```
</Accordion> <Accordion title="infisical kmip systemd uninstall"> Uninstall and remove the KMIP server systemd service. This command must be run with sudo on Linux.
```bash
sudo infisical kmip systemd uninstall
```

Requirements

  • Must be run on Linux
  • Must be run with root/sudo privileges

What it does

  1. Stops the service if running
  2. Disables the service
  3. Removes the service file from /etc/systemd/system/infisical-kmip.service
  4. Removes the config file from /etc/infisical/kmip.conf
  5. Reloads the systemd daemon
</Accordion> </AccordionGroup>