The CLI to interact with your OVHcloud KMS services.
NOTE: THIS PROJECT IS CURRENTLY UNDER DEVELOPMENT AND SUBJECT TO BREAKING CHANGES.
- Download the latest release
- Optionally check checksums against checksums.txt
- Untar / unzip the archive somewhere
- Add the containing folder to your PATH environment variable
- Check the okms cli documentation
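One way to carry out the optional checksum step above, as an added example that is not part of okms-cli. It assumes checksums.txt uses the sha256sum layout (hex SHA-256 digest, whitespace, file name); the function names are hypothetical, and the check fails closed when the archive has no entry or more than one.

```shell
#!/bin/sh
# Added example, not okms-cli code. Assumes checksums.txt is in sha256sum
# layout: "<64 hex chars>  <file name>", one release asset per line.

# sha256_of FILE: print the lowercase hex SHA-256 digest of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'   # macOS fallback
    fi
}

# verify_release ARCHIVE CHECKSUMS (hypothetical helper name)
# Returns 0 only if CHECKSUMS holds exactly one well-formed digest for the
# archive's file name and it matches. 1 = mismatch, 2 = missing input,
# 3 = no entry, duplicate entries or malformed digest (fail closed).
verify_release() {
    archive=$1
    sums=$2
    if [ ! -f "$archive" ] || [ ! -f "$sums" ]; then
        echo "missing input file" >&2
        return 2
    fi
    name=$(basename "$archive")
    # Exact match on the name field; a leading "*" only marks binary mode.
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }
        f == n { hits++; digest = tolower($1) }
        END { if (hits == 1) print digest }' "$sums")
    if ! printf '%s\n' "$expected" | grep -Eq '^[0-9a-f]{64}$'; then
        echo "no unique, well-formed entry for $name in $sums" >&2
        return 3
    fi
    actual=$(sha256_of "$archive")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $name: do not install" >&2
        return 1
    fi
    echo "OK $name"
}

# Stand-alone use: sh verify.sh ARCHIVE checksums.txt
if [ "$#" -eq 2 ]; then
    verify_release "$1" "$2"
fi
```

Only unpack the archive and add it to PATH when the function returns 0.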
Alternatively, you can pull and run the following Docker image:
ghcr.io/ovh/okms-cli
- Go 1.23
- (Optional) On Linux, install libpcsc-dev if building with yubikey support enabled
# Build the kms cli
$ CGO_ENABLED=0 go build -ldflags="-s -w" ./cmd/okms
# Optionally cross-compile to other targets
# Linux
$ CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags="-s -w" ./cmd/okms
# Windows
$ CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -ldflags="-s -w" ./cmd/okms
# MacOS
$ CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -ldflags="-s -w" ./cmd/okms
Yubikey support is not built in by default (for now) as it adds some dynamic dependencies. Both cli tools can be built with yubikey support enabled by running:
$ go build -ldflags="-s -w" -tags yubikey -o . ./cmd/...
Both Linux and macOS must have a C compiler installed (either gcc or clang) and available in the path.
Compiling on/for Linux also requires libpcsclite-dev and pkg-config to be installed.
Running the cli with yubikey authentication on Linux requires the pcscd daemon package to be installed and running.
If troubleshooting is required, you can enable logging of error stack traces by setting the following environment variable:
export GO_BACKTRACE=1
Check out the full documentation.
Invoke the binary okms[.exe] or run go run ./cmd/okms
$ ./okms --help
Usage:
  okms [command]
Available Commands:
  completion  Generate the autocompletion script for the specified shell
  configure   Configure CLI options
  help        Help about any command
  keys        Manage domain keys
  version     Print the version information
  x509        Generate, and sign x509 certificates
Flags:
  -c, --config string    Path to a non default configuration file
  -h, --help             help for okms
      --profile string   Name of the profile (default "default")
Use "okms [command] --help" for more information about a command.
Default settings can be set using a configuration file named okms.yaml and located in the ${HOME}/.ovh-kms directory.
Example for okms.yaml:
version: 1
profile: default # Name of the active profile
profiles:
  default:
    http:
      endpoint: https://myserver.acme.com
      ca: /path/to/public-ca.crt # Optional if the CA is in system store
      auth:
        type: mtls # Optional, defaults to "mtls"
        cert: /path/to/domain/cert.pem
        key: /path/to/domain/key.pem
These settings can be overridden using environment variables:
- KMS_HTTP_ENDPOINT
- KMS_HTTP_CA
- KMS_HTTP_CERT
- KMS_HTTP_KEY
export KMS_HTTP_ENDPOINT=https://the-kms.ovh
export KMS_HTTP_CA=/path/to/certs/ca.crt
export KMS_HTTP_CERT=/path/to/certs/user.crt
export KMS_HTTP_KEY=/path/to/certs/user.key
Each of them can in turn be overridden with CLI arguments.