1. Docs


See our buildlog for relationships between specific docker hashes and version tags. The most recent releases are at the bottom of the file. There will only ever be multiple hashes for a single version tag if the underlying image was rebuilt to fix a security vulnerability.


  • Added support for AWS_ENDPOINT_URL to allow development deployments to use LocalStack.
  • Added support for a new error code (KMS_ACCOUNT_ISSUE), which helps differentiate account issues from other issues when interacting with KMS. Check compatibility in your Tenant Security Client.


  • Pre-emptively fix a bug that could result in leased keys staying cached for longer than intended
  • Pre-emptively fix a bug that could result in leased keys being cached after key leasing was disabled
  • Add more clear WARN logging when an encrypted leased key edge case is encountered


  • Update dependencies


Note: This is the minimum version required to support Cloaked AI.

  • Add Vector secret type.
  • Add tsc_version_request_total metric, which counts the number of requests from each TSC language/version. Support for this metric will be added to TSCs over time.


  • Add deterministic encryption feature. See the documentation site and press releases for more detail on how this new feature can be used.
  • Added code to work around EDEKs encrypted with leased keys that don’t match the KMS config ID in their header.


Note: all v3 TSPs are currently EOL. This is a courtesy release for anyone that hasn’t upgraded to v4+ TSP and is affected by this bug.

  • Fixed a bug that inconsistently caused EDEKs to be encrypted with non-primary leased keys. This bug exists in TSPs until v4.3.0
  • Backport code to work around EDEKs encrypted with leased keys that don’t match the KMS config ID in their header.


  • Dependency updates.
  • Update base image to be built on scratch instead of alpine.


  • Add support for numeric tenant secret ids.
  • Dependency updates.


  • Update Alpine to 3.17.
  • Switch to the official AWS SDK for internal KMS calls.
  • Update dependencies and rust version.


  • Added support for Thales CipherTrust Manager (including Community Edition). Initial implementation and testing was done with both Community Edition and managed services (in cooperation with Complior).
  • Earlier TSP versions will report a non-terminal error about encountering a config of unknown type “THALES”. If you see that error, you need to upgrade to 4.7.0+ to support current tenant configurations.


  • Added search secret migration. If you’re using Cloaked Search integrated with TSP to manage tenant keys, upgrade to this version so that tenant search secrets can be automatically migrated when tenants switch to new primary KMS configurations.


  • Support additional key derivation type based on HMAC SHA-256.


  • Added new optional environment variable API_KEY_2. If present, this API key is an alternative that clients can use for authorization. Intended to be used when rotating API keys.


  • Added multi arch builds. amd64 and arm64 docker containers are both published to gcr.


  • Added error codes for KMS throttling.


  • Added support for KMS configs assigned to multiple organizations.


  • Added environment variables TSP_BIND_ADDRESS, TSP_HTTP_BIND_ADDRESS, TSP_HEALTH_BIND_ADDRESS, and TSP_EVENT_BIND_ADDRESS to allow customization of bind addresses for the TSP.
  • Dependency updates.


  • Fixed a bug that could cause leased keys to stay in memory longer than intended.


  • Initialize requests in flight metrics to 0 on startup.
  • Dependency updates.


  • Fixed a bug that could cause leased keys to stay in memory longer than intended.


  • Incremental configuration refreshes, which improves performance and memory use when the TSP has many tenants.
  • Removed deprecated metadata interface.
  • Separated tenant-security-logdriver from tenant-security-proxy, see documentation for configuration information.


  • tenant-security-logdriver must be version 4.0.0+
  • TSC-node must be version 2.0.0+
  • TSC-java must be version 3.0.0+


  • Improve performance of TSP startup when many leased keys need to be generated.
  • Reduce per-tenant memory footprint of TSP by sharing HTTP clients.
  • Remove tenant_id label from published metrics to reduce the number of metrics dimensions for cases with many tenants.
  • Dependency updates.


  • Improve performance of TSP startup.
  • Use RustTLS instead of OpenSSL TLS connections.


  • Logging service performance improvements.


  • Dependency updates. No code changes.


  • Fixed a bug leading to dropped security events in cases with high tenant activity for prolonged periods.


  • Added rekey endpoint and functionality.


  • Added backwards compatible wrap/unwrap/batch interfaces.


  • TSC-node must be version 1.0.0+
  • TSC-java must be version 2.0.0+

In the future we’ll always produce at least a minor migration version when making breaking changes to the TSP/TSC to prevent possible downtime.


  • Fixed a bug that prevented TSP from reporting ready if no logging configs were present.


  • Added prometheus metrics for TSP container.
  • Improved resiliency of reading stored logging events.
  • Added checks for misconfigured logdriver volume.


  • Added Security Event endpoint and functionality.
  • Fixed a bug that may prevent the TSP from starting when corrupt events are in its DB.
  • Improved TSP stdout log consistency.


  • TSC-node must be version 2.0.2+
  • TSC-java must be version 3.0.1+


  • Standardized JSON logging across the proxy and logdriver.
  • Added limiting functionality to the logdriver tenant buffers. If defaults don’t work for you contact IronCore for settings to tweak.
  • Improve healthchecks.


  • Adds logging of TSP activity to a tenant’s logging system (GCP Stackdriver and Splunk are currently supported). This feature must be configured on a per-tenant basis. If unsent log-events need to survive TSP restarts, a persistent volume needs to be added to the TSP container.


  • Enables key leasing feature within the TSP. Key leasing must be enabled on a per-KMS configuration basis for leased keys to be used. By default, upgrading to this version of the TSP will have no effect until a KMS configuration is updated to allow for key leasing.


  • Fixes unwrap of certain Azure keys which do not contain an embedded version header.


  • Fix bug that caused KMS config request interval to fail if the Config Broker couldn’t be reached. Now an error message will be logged but the TSP will retry the request to the Config Broker on the next planned interval.
  • Fixes behavior of TSP if the configuration/keys of a running container are revoked within the Config Broker. In this case the TSP will fully exit as it is no longer in an valid state.


  • Add batch unwrap and wrap endpoints to the service.
  • Logging improvements.
  • Rewrite of the TSP in Rust for performance, stability, and binary size improvements


Key leasing has been pushed to a later release once event logging is completed, 2.0.0 is production ready.


  • Add key leasing.


Don’t use in production until audit logging for leased keys is introduced, as tenant KMS logs won’t reflect how the keys are actually being used.


  • Add batch unwrap and wrap endpoints to the service.


  • Add retries on KMS configuration decrypts to cut down on intermittent issues impacting customers.


  • Add extra logging traces for configuration decrypt calls that fail.


  • Fixed issue with Azure versioned keys.
  • NOTICE on upgrading to this version, any Azure EDEKs should be batch decrypted and re-encrypted to avoid future issues with Azure key versioning.


  • Improved error handling for some classes of Azure KMS authentication errors.


  • Fixed a replay security vulnerability with API calls to the Config Broker.
  • Dropped base image from Alpine 3.10 to Alpine 3.9 now that it is vulnerability free and since 3.10 was sometimes causing segfault problems.


  • Added additional error codes which provide better granularity about why requests to the tenants KMS failed to succeed. These new error codes are covered in more detail within the Tenant Security Client changelog.
  • Added a single level of retry for when a KMS cannot be reached. If the network is down or some other networking problem occurs, the Proxy will automatically attempt a single retry of the request in case the network was only temporarily unreachable.
  • Dropped base image from Alpine 3.10 to Alpine 3.9 now that it is vulnerability free and since 3.10 was sometimes causing segfault problems.


  • Add caching of KMS SDK clients to prevent authorization rate limiting errors. Clients credentials will be refreshed every time configurations are pulled from the Config Broker.
  • Dropped base image from Alpine 3.10 to Alpine 3.9 now that it is vulnerability free and since 3.10 was sometimes causing segfault problems.

v1.2.0 (Unsupported)

  • Renamed container to tenant-security-proxy.


Support for this version was dropped due a vulnerability. See the 2019-10-30 entry in our security advisories list.


  • Changed permissions for and moved PM2 to run within app directory.


Initial release.

Versioning Policy

See our container versioning policy documentation.

Was this page helpful?