Skip to main content
What's Real, What's Simulated
Real in this demo
- RFC 3394 AES Key Wrap with byte-exact RFC test vectors.
- RFC 5649 padded key wrap with byte-exact RFC test vectors.
- AES-256-GCM sealing via WebCrypto.
- SHA-256 hash-chained audit log.
- In-memory DEK zeroization before discard.
Simulated for browser context
- The KMS is an in-memory module, not an HSM-backed service.
- Audit entries persist to localStorage rather than a write-once store.
- Multi-region is represented in one browser runtime.
- KEK access control is module-boundary scope, not IAM policy.
Not included (out of scope)
- Quorum-based key ceremonies.
- FIPS 140-3 certification workflows.
- KMIP wire protocol.
- PKCS#11 HSM bindings.