
# infisical kmip

> Run the Infisical KMIP server or manage its systemd service

<Tabs>
  <Tab title="Start KMIP server">
    ```bash theme={"dark"}
    infisical kmip start <server-name> \
      --enroll-method=token \
      --token=<enrollment-token> \
      --domain=<your-infisical-domain>
    ```
  </Tab>

  <Tab title="Start as background daemon (Linux only)">
    ```bash theme={"dark"}
    sudo infisical kmip systemd install <server-name> \
      --enroll-method=token \
      --token=<enrollment-token> \
      --domain=<your-infisical-domain>
    sudo systemctl start infisical-kmip
    ```
  </Tab>
</Tabs>

## Description

The Infisical KMIP server provides Key Management Interoperability Protocol (KMIP) support for integration with KMIP-compatible clients. It acts as a proxy between your KMIP clients and Infisical KMS, enabling standardized key management operations.

The server is created in Infisical and then enrolled from the host where you run it, using either a one-time enrollment **token** or **AWS** authentication. The deploy command (including the enrollment token) can be copied from the server's detail page via **Show deploy command**.

The server's certificate configuration (hostnames/IPs, TTL, and key algorithm) is defined on the server entity in the UI. The CLI fetches it on start, so you do not pass it on the command line. To change the certificate, edit the configuration in the UI and restart the server.

For detailed information about KMIP integration, PKI setup, and client configuration, see the [KMIP Integration Guide](/documentation/platform/kms/kmip).

## Subcommands & flags

<AccordionGroup>
  <Accordion title="infisical kmip start" defaultOpen="true">
    Run the Infisical KMIP server in the foreground. The server enrolls with Infisical, listens for KMIP client connections, and proxies KMIP operations to Infisical KMS.

    ```bash theme={"dark"}
    infisical kmip start <server-name> \
      --enroll-method=token \
      --token=<enrollment-token> \
      --domain=<your-infisical-domain>
    ```

    Once started, the KMIP server will:

    * Authenticate to Infisical using the enrollment method you provide
    * Listen for incoming KMIP client connections
    * Forward KMIP operations (Create, Get, Activate, Revoke, etc.) to Infisical KMS
    * Handle mTLS authentication for KMIP clients

    ### Arguments

    `<server-name>` (required): the name of the KMIP server, passed as the first positional argument. The name scopes where enrollment state is stored locally, so use the same value across restarts. Instead of passing it positionally, you can supply it with the `--server-name` flag or the `INFISICAL_KMIP_SERVER_NAME` environment variable.

    ### Flags

    <AccordionGroup>
      <Accordion title="--enroll-method">
        The enrollment method used to authenticate the KMIP server: `token` or `aws`.

        ```bash theme={"dark"}
        # Example
        infisical kmip start <server-name> --enroll-method=token --token=<enrollment-token>
        ```

        You may also set this via the environment variable `INFISICAL_KMIP_ENROLL_METHOD`.
      </Accordion>

      <Accordion title="--token">
        The one-time enrollment token (when `--enroll-method=token`). Generate it from the KMIP server's detail page via **Show deploy command**. Tokens are single-use and expire after 1 hour.

        On restart, the CLI reuses the long-lived access token it stored at enrollment, so the token is only needed for the initial deployment.

        ```bash theme={"dark"}
        # Example
        infisical kmip start <server-name> --enroll-method=token --token=<enrollment-token>
        ```
      </Accordion>

      <Accordion title="--kmip-server-id">
        The KMIP server ID (when `--enroll-method=aws`). The server signs an `sts:GetCallerIdentity` request on every start and authenticates against the allowlist configured on the server entity.

        ```bash theme={"dark"}
        # Example
        infisical kmip start <server-name> --enroll-method=aws --kmip-server-id=<kmip-server-id>
        ```

        You may also set this via the environment variable `INFISICAL_KMIP_SERVER_ID`.
      </Accordion>

      <Accordion title="--server-name">
        Alternative to passing the server name as the positional argument (`infisical kmip start <server-name>`), which is the recommended form. The name is required, so supply it either positionally, via this flag, or via the environment variable. It scopes where enrollment state is stored locally, so use the same value across restarts.

        ```bash theme={"dark"}
        # Example (equivalent to: infisical kmip start production-kmip --enroll-method=token --token=<enrollment-token>)
        infisical kmip start --server-name="production-kmip" --enroll-method=token --token=<enrollment-token>
        ```

        You may also set this via the environment variable `INFISICAL_KMIP_SERVER_NAME`.
      </Accordion>

      <Accordion title="--domain">
        Domain of your self-hosted Infisical instance. If not specified, defaults to Infisical Cloud.

        ```bash theme={"dark"}
        # Example
        infisical kmip start <server-name> --domain=https://app.your-domain.com --enroll-method=token --token=<enrollment-token>
        ```

        You may also set this via the environment variable `INFISICAL_API_URL`.
      </Accordion>

      <Accordion title="--listen-address">
        The address for the KMIP server to listen on. Default: `localhost:5696`. To accept connections from other hosts, bind to all interfaces (`0.0.0.0:5696`) or a specific interface.

        ```bash theme={"dark"}
        # Example - listen on all interfaces
        infisical kmip start <server-name> --listen-address="0.0.0.0:5696" --enroll-method=token --token=<enrollment-token>
        ```

        You may also set this via the environment variable `INFISICAL_KMIP_LISTEN_ADDRESS`.
      </Accordion>

      <Accordion title="--certificate-ttl (legacy machine-identity servers only)">
        The TTL duration for the server certificate. Default: `1y`.

        This flag applies only to legacy machine-identity KMIP servers. For servers enrolled via token or AWS, the certificate TTL is configured on the server entity in the UI and read on start, so this flag is ignored.

        ```bash theme={"dark"}
        # Example
        infisical kmip start <server-name> --certificate-ttl="6m" --enroll-method=token --token=<enrollment-token>
        ```

        You may also set this via the environment variable `INFISICAL_KMIP_CERTIFICATE_TTL`.
      </Accordion>

      <Accordion title="--hostnames-or-ips (legacy machine-identity servers only)">
        Comma-separated list of hostnames or IP addresses that KMIP clients will use to reach the server. These become the Subject Alternative Names (SANs) of the server's TLS certificate, so they must match how clients connect.

        This flag applies only to legacy machine-identity KMIP servers. For servers enrolled via token or AWS, the hostnames/IPs are configured on the server entity in the UI and read on start, so this flag is ignored.

        ```bash theme={"dark"}
        # Example
        infisical kmip start <server-name> --hostnames-or-ips="kmip.example.com,10.0.1.50" --enroll-method=token --token=<enrollment-token>
        ```

        You may also set this via the environment variable `INFISICAL_KMIP_HOSTNAMES_OR_IPS`.
      </Accordion>
    </AccordionGroup>
  </Accordion>
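
The `--hostnames-or-ips` value (or, for token- and AWS-enrolled servers, the hostnames/IPs set on the server entity in the UI) becomes the SAN list of the server certificate, so a client that dials a name or address outside that list fails TLS verification before any KMIP operation runs. The following added example is not part of the Infisical CLI: it checks a planned SAN list, in the same comma-separated form as the flag, against the addresses clients are configured to dial, applying the usual TLS host-matching rules (case-insensitive DNS match, a single leftmost wildcard label, exact IP match, and no cross-matching of IP literals against DNS entries). The function names and the sample values are constructed for the example; `uncovered_addresses` is the entry point.

```python
"""Check that the addresses KMIP clients dial are covered by the SAN list
(hostnames/IPs) configured for the server certificate.

Added example, not Infisical's own code. It assumes only that the SAN list is
in the same comma-separated form as --hostnames-or-ips, e.g.
"kmip.example.com,10.0.1.50", and applies RFC 6125-style host matching.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SanList:
    dns_names: tuple  # lower-cased dNSName entries
    ip_addrs: tuple   # ipaddress objects for iPAddress entries


def parse_hostnames_or_ips(value: str) -> SanList:
    """Split a comma-separated hostnames/IPs value into DNS and IP SANs."""
    dns, ips = [], []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue
        try:
            ips.append(ipaddress.ip_address(entry))
        except ValueError:
            dns.append(entry.lower().rstrip("."))
    return SanList(tuple(dns), tuple(ips))


def _dns_matches(pattern: str, host: str) -> bool:
    """Exact match, or '*' as the whole leftmost label matching exactly one label."""
    if "*" not in pattern:
        return pattern == host
    first, _, rest = pattern.partition(".")
    if first != "*" or not rest or "*" in rest:
        return False  # only a bare leftmost wildcard label is accepted
    host_first, _, host_rest = host.partition(".")
    # the wildcard must cover one non-empty label, never zero or several
    return bool(host_first) and host_rest == rest


def san_covers(sans: SanList, connect_address: str) -> bool:
    """True if a client dialing connect_address (host part, no port) passes SAN checks."""
    target = connect_address.strip()
    try:
        ip = ipaddress.ip_address(target.strip("[]"))
    except ValueError:
        host = target.lower().rstrip(".")
        return any(_dns_matches(p, host) for p in sans.dns_names)
    # IP literals are matched against iPAddress SANs only, never dNSName ones
    return ip in sans.ip_addrs


def uncovered_addresses(hostnames_or_ips: str, client_addresses) -> list:
    """Return the client connect addresses that no SAN entry covers."""
    sans = parse_hostnames_or_ips(hostnames_or_ips)
    return [a for a in client_addresses if not san_covers(sans, a)]


if __name__ == "__main__":
    # Constructed sample: the flag value from the docs plus the addresses
    # clients are configured to dial. The unlisted hostname and IP would fail
    # TLS verification on the client side.
    value = "kmip.example.com,10.0.1.50"
    clients = ["KMIP.example.com", "10.0.1.50", "kmip-01.example.com", "10.0.1.51"]
    print("not covered by SANs:", uncovered_addresses(value, clients))
```

Run it before editing the server's certificate configuration: every address it reports either needs to be added to the hostname/IP list (followed by a server restart, since the CLI reads the configuration on start) or the client needs to dial an address that is already listed.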

  <Accordion title="infisical kmip systemd install">
    Install and enable the KMIP server as a systemd service. This command must be run with sudo on Linux.

    ```bash theme={"dark"}
    sudo infisical kmip systemd install <server-name> \
      --enroll-method=token \
      --token=<enrollment-token> \
      --domain=<your-infisical-domain>
    sudo systemctl start infisical-kmip
    ```

    For token enrollment, the single-use token is exchanged for a long-lived access token at install time and persisted to the service config; the service reuses it on every restart. For AWS enrollment, no token is stored and the server re-authenticates via STS on each start.

    ### Requirements

    * Must be run on Linux
    * Must be run with root/sudo privileges
    * Requires systemd

    ### What it does

    1. Creates a config file at `/etc/infisical/kmip.conf` with the provided enrollment settings
    2. Creates a systemd service file at `/etc/systemd/system/infisical-kmip.service`
    3. Reloads the systemd daemon
    4. Enables the service to start on boot

    ### Arguments & Flags

    Like `infisical kmip start`, this command takes the `<server-name>` as a required positional argument (or via `--server-name` / `INFISICAL_KMIP_SERVER_NAME`). It accepts the same flags as `infisical kmip start` (documented above): `--enroll-method`, `--token`, `--kmip-server-id`, `--server-name`, `--domain`, `--listen-address`, and (for legacy machine-identity servers only) `--hostnames-or-ips` and `--certificate-ttl`.

    ### Service Details

    The systemd service is installed with secure defaults:

    * Service file: `/etc/systemd/system/infisical-kmip.service`
    * Config file: `/etc/infisical/kmip.conf`
    * Automatically restarts on failure
    * Enabled to start on boot

    After installation, manage the service with standard systemd commands:

    ```bash theme={"dark"}
    sudo systemctl start infisical-kmip    # Start the service
    sudo systemctl stop infisical-kmip     # Stop the service
    sudo systemctl status infisical-kmip   # Check service status
    sudo systemctl disable infisical-kmip  # Disable auto-start on boot
    sudo journalctl -u infisical-kmip      # View logs
    ```
  </Accordion>

  <Accordion title="infisical kmip systemd uninstall">
    Uninstall and remove the KMIP server systemd service. This command must be run with sudo on Linux.

    ```bash theme={"dark"}
    sudo infisical kmip systemd uninstall
    ```

    ### Requirements

    * Must be run on Linux
    * Must be run with root/sudo privileges

    ### What it does

    1. Stops the service if running
    2. Disables the service
    3. Removes the service file at `/etc/systemd/system/infisical-kmip.service`
    4. Removes the config file at `/etc/infisical/kmip.conf`
    5. Reloads the systemd daemon
  </Accordion>
</AccordionGroup>
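
Because `infisical kmip systemd install` persists the exchanged long-lived access token in `/etc/infisical/kmip.conf`, that file is worth auditing after installation. The following added example is not part of the Infisical CLI. The page does not state the mode or format the CLI writes, so the expectation that the config file is root-owned with mode `0600` and the unit file with mode `0644` is this example's assumption; the `demo` function runs the audit on constructed temporary files (with a placeholder token line) rather than on `/etc`.

```python
"""Audit the files written by `infisical kmip systemd install`: the config
file holds the long-lived access token, the unit file controls what runs as
the service.

Added example, not part of the Infisical CLI. Paths default to the ones the
docs list; the owner/mode expectations (root, 0600 for the config, 0644 for
the unit) are this example's assumption, not a documented guarantee.
"""
import os
import stat
import tempfile

CONFIG_PATH = "/etc/infisical/kmip.conf"
UNIT_PATH = "/etc/systemd/system/infisical-kmip.service"


def audit_file(path: str, *, expected_uid: int = 0, max_mode: int = 0o600) -> list:
    """Return a list of findings for one file; an empty list means it passes.

    max_mode is the most permissive mode allowed: any permission bit set on
    the file that is not set in max_mode is reported.
    """
    findings = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    if stat.S_ISLNK(st.st_mode):
        findings.append(f"{path}: is a symlink (expected a regular file)")
    if st.st_uid != expected_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    mode = stat.S_IMODE(st.st_mode)
    extra = mode & ~max_mode
    if extra:
        findings.append(f"{path}: mode {mode:04o} exceeds {max_mode:04o} (extra bits {extra:04o})")
    return findings


def audit_install(config_path=CONFIG_PATH, unit_path=UNIT_PATH, expected_uid=0) -> list:
    """Audit both artefacts; the token-bearing config is held to a tighter mode."""
    return (audit_file(config_path, expected_uid=expected_uid, max_mode=0o600)
            + audit_file(unit_path, expected_uid=expected_uid, max_mode=0o644))


def demo() -> dict:
    """Run the audit on constructed files: first mis-permissioned, then fixed."""
    with tempfile.TemporaryDirectory() as d:
        conf = os.path.join(d, "kmip.conf")
        unit = os.path.join(d, "infisical-kmip.service")
        with open(conf, "w") as f:
            # constructed sample content; the real file format is not documented here
            f.write("# constructed sample, not a real token\nACCESS_TOKEN=placeholder\n")
        with open(unit, "w") as f:
            f.write("[Service]\nRestart=on-failure\n")
        me = os.getuid()               # the sample files are owned by the current user
        os.chmod(conf, 0o644)          # group/world-readable secret: should be flagged
        os.chmod(unit, 0o644)
        before = audit_install(conf, unit, expected_uid=me)
        os.chmod(conf, 0o600)          # remediation
        after = audit_install(conf, unit, expected_uid=me)
        return {"before": before, "after": after}


if __name__ == "__main__":
    for phase, findings in demo().items():
        print(phase, findings or "OK")
```

On a real host, run `audit_install()` with its defaults as root after installation; an empty list means both files match the expected owner and permissions, and any finding names the file and the offending bits so it can be corrected with `chown`/`chmod` before the service is started.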
