KMS Audit is a record of every operation the system performs with encryption keys. The key point is that these records cannot be altered or deleted after the fact. Each entry is chained to the one before it, so tampering with even a single past entry breaks the chain and is exposed by a single integrity check — it is a ledger that can’t be forged once written. Where the Audit Log tracks “who changed which resource”, KMS Audit tracks “what operations happened on encryption keys”.
KMS Audit log screen — operation/result filters, integrity check button, log table
KMS Audit pairs with the KMS provider in Admin › Settings › Encryption. Rows accumulate only when encryption operations actually occur, so the table may be empty (Total: 0) in environments with no KMS operation history.

Recorded Operations

Every key operation performed by the KMS provider is recorded automatically.
| Operation | What it does |
| --- | --- |
| wrap | Encrypts and locks a secret value |
| unwrap | Unlocks and reads (decrypts) a locked value |
| rotate | Replaces the encryption key with a new one |
| health_check | Checks whether the KMS is operating normally |
| provider_change | Switches the encryption method (KMS provider) (e.g., local ↔ external) |
| migrate | Re-locks values locked with an older method using the current method (Migrating existing data) |
| audit_export | Exports the KMS audit log to CSV — the export action itself is also recorded |
The target secrets are the system’s sensitive configuration values — Config secrets, database connections, tool connection keys, license tokens, and so on. The encrypted values themselves are never recorded; only “which operation happened on which configuration path’s value” is kept.

Log Entry Structure

Each KMS audit row includes the following:
| Field | Description |
| --- | --- |
| id | Sequential record identifier |
| Timestamp (UTC) | When the operation occurred (in UTC) |
| Operation | The KMS operation performed (wrap, unwrap, rotate, etc.) |
| Result | Success / Failure |
| Actor | The entity that performed the operation (user or system) |
| Config path | Path of the configuration value the operation targeted |
| IP | Source IP of the request |
| Error | Error message on failure (empty on success) |
Timestamps are shown in UTC. Adjust to your local timezone as needed (e.g., KST = UTC+9).

Integrity Check

Clicking the Integrity Check button re-verifies the entire chain from the first entry to the last to confirm no link is broken.
  1. Run the check: Click the Integrity Check button at the top of the screen.
  2. Review the result: If the chain is intact, a success message appears with the number of rows checked, like Chain OK (N rows checked). If someone altered or deleted an entry in the middle, the chain breaks at that point and verification fails.
A failed integrity check means the audit records may have been tampered with. This is the first thing to verify during compliance or security incident investigations.
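
A minimal sketch of how a chained log and its integrity check can work, added here as an illustration and not the product's own code. It assumes SHA-256 hash chaining, a reduced set of row fields, and constructed sample rows; the page does not state the actual chaining method.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value that the first entry links to


def entry_hash(prev_hash, record):
    """SHA-256 over the previous entry's hash plus a canonical record encoding."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append(chain, operation, result, actor, config_path, error=""):
    """Append one audit row, linking it to the current last row."""
    prev = chain[-1]["hash"] if chain else GENESIS
    record = {"id": len(chain) + 1, "operation": operation, "result": result,
              "actor": actor, "config_path": config_path, "error": error}
    chain.append({"record": record, "prev": prev, "hash": entry_hash(prev, record)})


def verify(chain):
    """Re-walk the chain first to last; return (ok, rows_checked, first_bad_id)."""
    prev = GENESIS
    for position, row in enumerate(chain, start=1):
        record = row["record"]
        if (record["id"] != position or row["prev"] != prev
                or row["hash"] != entry_hash(prev, record)):
            return False, position - 1, record["id"]
        prev = row["hash"]
    return True, len(chain), None


def sample_chain():
    """Constructed sample rows; the paths and actors are made up."""
    chain = []
    append(chain, "wrap", "Success", "system", "config/db/password")
    append(chain, "unwrap", "Success", "system", "config/db/password")
    append(chain, "rotate", "Failure", "admin", "config/kms/key", "provider timeout")
    append(chain, "audit_export", "Success", "admin", "-")
    return chain


if __name__ == "__main__":
    chain = sample_chain()
    print("intact:", verify(chain))
    edited = copy.deepcopy(chain)
    edited[2]["record"]["result"] = "Success"   # rewrite a past failure
    print("edited:", verify(edited))
    print("deleted:", verify(chain[:1] + chain[2:]))  # drop row id 2
```

In this sketch, dropping only the newest rows still passes the walk, so keep the last reported row count (or last hash) outside the log and compare it on the next check.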

Viewing Logs

Filter Options

| Filter | Description |
| --- | --- |
| Time range | Shared time bar at the top — 1h / 6h / 1d / 7d / 30d / All / Custom |
| Operation | Filter to a specific KMS operation (wrap, unwrap, rotate, health_check, provider_change, migrate, audit_export) |
| Result | All results / Success only / Failure only |
When there are many rows, use the Previous / Next buttons at the bottom to page through. The bottom of the screen shows Total: N · Page X with the total count and current page.

CSV Export

You can export audit records for external retention or analysis. Unlike a normal download, you must enter an export reason.
  1. Enter a reason: Type a reason in the Export reason (recorded in the audit chain) field at the bottom. (e.g., Quarterly compliance review)
  2. Export CSV: Click the CSV Export button to download the records matching the current filter as CSV.
The export action itself is added to the chain as a new entry with the audit_export operation. That means “who exported the audit log, when, and for what reason” is also recorded, so tamper-resistance is preserved even at the export step.

Difference from the Audit Log

KMS Audit is a separate tab from the Audit Log. They differ in what they track and how they guarantee it.
| Aspect | Audit Log | KMS Audit |
| --- | --- | --- |
| Tracks | User/resource activity (CRUD, login, permission changes) | Encryption key operations (wrap/unwrap/rotate, etc.) |
| Primary users | Security officers, compliance | Security officers, infrastructure admins |
| Integrity guarantee | Records can’t be deleted or modified | Records are chained together to prevent forgery + Integrity Check button |
| Export | Filter-based viewing | CSV after entering a reason (export is also recorded in the chain) |

Use Cases

  1. Select rotate in the Operation filter
  2. Set a time range to confirm key rotation ran on the policy cycle
  3. Narrow the Result filter to Failure only to check for any failed rotations

  1. Set the Result filter to Failure only
  2. Use the Config path and Error columns to identify which secret had the problem
  3. Verify KMS status with the provider connection test in Encryption settings

  1. Run Integrity Check first to confirm the chain is intact
  2. Filter to the reporting period
  3. State your review purpose in the export reason and export to CSV
  4. Confirm the export entry (audit_export) was added to the chain to evidence the extraction history

Best Practices

KMS audit records are written automatically by the system; there is no feature to delete or modify rows. This is by design: records are chained together to prevent forgery.
  • Regular integrity checks: During compliance reviews, run Integrity Check first to confirm the chain is intact
  • Failure monitoring: Periodically check for encryption operation errors with the Failure only filter — an early signal of KMS connection problems
  • Clear reasons: Write specific CSV export reasons, since they are used for later audit trails
  • Provider transition review: Use provider_change and migrate records to confirm encryption provider switches and re-encryption completed as intended