From 7fef98d1395bccc21df90e524b1ea357ce25a277 Mon Sep 17 00:00:00 2001
From: David Drysdale
Date: Fri, 5 Feb 2021 10:47:41 +0000
Subject: [PATCH] Add KMS support to crypto pseudo-Node (#1846)
Just tink-awskms support for the moment.
---
.github/workflows/ci.yaml | 1 +
Dockerfile | 19 +
examples/deny.toml | 4 +
experimental/deny.toml | 2 +
oak_loader/Cargo.lock | 713 +++++++++++++++++++--
oak_loader/Cargo.toml | 5 +-
oak_loader/deny.toml | 2 +
oak_loader/src/options.rs | 3 +
oak_runtime/Cargo.lock | 798 +++++++++++++++++++++---
oak_runtime/Cargo.toml | 6 +
oak_runtime/deny.toml | 2 +
oak_runtime/src/config.rs | 1 +
oak_runtime/src/lib.rs | 2 +
oak_runtime/src/node/crypto/mod.rs | 42 +-
oak_runtime/src/node/crypto/tinkwrap.rs | 127 +++-
oak_runtime/src/node/http/tests.rs | 1 +
oak_runtime/src/node/mod.rs | 7 +-
oak_runtime/src/node/wasm/tests.rs | 1 +
oak_runtime/src/proxy.rs | 2 +
oak_runtime/src/tests.rs | 1 +
oak_runtime/tests/integration_test.rs | 1 +
oak_services/proto/crypto.proto | 2 +-
runner/src/internal.rs | 43 +-
runner/src/main.rs | 11 +-
sdk/deny.toml | 4 +
sdk/rust/oak_tests/src/lib.rs | 1 +
26 files changed, 1624 insertions(+), 177 deletions(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 33cd5f802fc..d1156afb476 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -20,6 +20,7 @@ jobs:
 - run-cargo-udeps
 - build-server --server-variant=base
 - build-server --server-variant=logless
+ - build-server --server-variant=kms
 - run-tests
 - run-tests-tsan
 - run-examples --application-variant=rust
diff --git a/Dockerfile b/Dockerfile
index 151b5b29d4b..73aa88f0db6 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -262,6 +262,25 @@ RUN chmod +x ${install_dir}/rust-analyzer
 # its own home folder.
 ENV CARGO_HOME ""
+# Build a statically-linked version of OpenSSL with musl
+ENV OPENSSL_DIR /musl
+RUN mkdir ${OPENSSL_DIR}
+
+RUN ln -s /usr/include/x86_64-linux-gnu/asm /usr/include/x86_64-linux-musl/asm
+RUN ln -s /usr/include/asm-generic /usr/include/x86_64-linux-musl/asm-generic
+RUN ln -s /usr/include/linux /usr/include/x86_64-linux-musl/linux
+
+ARG openssl_dir=/usr/local/openssl
+RUN mkdir --parents ${openssl_dir}
+RUN curl --location https://github.com/openssl/openssl/archive/OpenSSL_1_1_1f.tar.gz | tar --extract --gzip --directory=${openssl_dir}/
+WORKDIR ${openssl_dir}/openssl-OpenSSL_1_1_1f
+RUN CC="musl-gcc -fPIE -pie" ./Configure no-shared no-async --prefix=/musl --openssldir="${OPENSSL_DIR}/ssl" linux-x86_64
+RUN make depend && make -j"$(nproc)"&& make install_sw install_ssldirs
+
+# Allow the build to find statically built OpenSSL.
+ENV PKG_CONFIG_ALLOW_CROSS 1
+ENV OPENSSL_STATIC 1
+
 # Placeholder args that are expected to be passed in at image build time.
 # See https://code.visualstudio.com/docs/remote/containers-advanced#_creating-a-nonroot-user
 ARG USERNAME=user-name-goes-here
diff --git a/examples/deny.toml b/examples/deny.toml
index 71f43037e18..03213ad6ad5 100644
--- a/examples/deny.toml
+++ b/examples/deny.toml
@@ -16,6 +16,10 @@ notice = "deny"
 ignore = [
 # TODO(#1267): Remove when mio no longer depends on net2.
 "RUSTSEC-2020-0016",
+ # TODO: Remove when rusoto-* no longer depends on dirs.
+ "RUSTSEC-2020-0053",
+ # TODO: Remove when rusoto-* no longer depends on stdweb (via time).
+ "RUSTSEC-2020-0056"
 ]
 # Deny multiple versions unless explicitly skipped.
diff --git a/experimental/deny.toml b/experimental/deny.toml
index 36ebdf7a123..b0c306bf474 100644
--- a/experimental/deny.toml
+++ b/experimental/deny.toml
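Review bot: The OpenSSL source archive is piped from `curl` straight into `tar` with no integrity check, so the static OpenSSL that ends up linked into the kms server variant is whatever github.com served at image-build time; pin a digest and verify it before extracting, e.g. `RUN curl --location --output openssl.tar.gz https://github.com/openssl/openssl/archive/OpenSSL_1_1_1f.tar.gz && echo "<sha256-of-OpenSSL_1_1_1f.tar.gz>  openssl.tar.gz" | sha256sum --check && tar --extract --gzip --file=openssl.tar.gz --directory=${openssl_dir}/`. The `--prefix=/musl` literal on the `./Configure` line duplicates `ENV OPENSSL_DIR /musl` and can be `--prefix="${OPENSSL_DIR}"` so the two cannot drift apart. `WORKDIR` is also left pointing into the OpenSSL source tree for every instruction after this hunk; unless a later `WORKDIR` resets it (not visible here), the rest of the image is built from inside the extracted archive.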
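Review bot: The two new `ignore` entries carry a bare `# TODO:` with no issue reference, unlike the existing `# TODO(#1267):` entry directly above them, so nothing tracks when the suppression of RUSTSEC-2020-0053 and RUSTSEC-2020-0056 can be lifted; file an issue and write `# TODO(#<issue>): Remove when rusoto-* no longer depends on dirs.` (and likewise for the stdweb entry). The same applies to the experimental/deny.toml and oak_loader/deny.toml hunks in this commit. Note also that only examples/deny.toml ignores RUSTSEC-2020-0056, while the oak_loader/Cargo.lock hunks in the same commit add `stdweb` via `time 0.2.24`; unless oak_loader's deny.toml already handles that advisory outside the hunk shown, its cargo-deny run will presumably start failing.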
@@ -13,6 +13,8 @@ notice = "deny" ignore = [ # TODO(#1267): Remove when mio no longer depends on net2. "RUSTSEC-2020-0016", + # TODO: Remove when rusoto-* no longer depends on dirs. + "RUSTSEC-2020-0053", ] # Deny multiple versions unless explicitly skipped. diff --git a/oak_loader/Cargo.lock b/oak_loader/Cargo.lock index f35e224e02b..8d15b8e9e67 100644 --- a/oak_loader/Cargo.lock +++ b/oak_loader/Cargo.lock @@ -71,7 +71,7 @@ dependencies = [ "aes", "cipher", "cmac", - "crypto-mac", + "crypto-mac 0.10.0", "ctr", "dbl", "pmac", @@ -122,6 +122,18 @@ version = "1.0.34" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "bf8dcb5b4bbaa28653b647d8c77bd4ed40183b48882e130c1f1ffb73de069fd7" +[[package]] +name = "arrayref" +version = "0.3.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a4c527152e37cf757a3f78aae5a06fbeefdb07ccc535c980a3208ee3060dd544" + +[[package]] +name = "arrayvec" +version = "0.5.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "23b62fc65de8e4e7f52534fb52b0f3ed04746ae267519eef2a83941e8085068b" + [[package]] name = "assert_matches" version = "1.4.0" @@ -177,6 +189,12 @@ version = "1.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "cdb031dd78e28731d87d56cc8ffef4a8f36ca26c38fe2de700543e627f8a464a" +[[package]] +name = "base-x" +version = "0.2.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a4521f3e3d031370679b3b140beb36dfe4801b09ac77e30c61941f97df3ef28b" + [[package]] name = "base64" version = "0.12.3" @@ -206,6 +224,17 @@ dependencies = [ "wyz", ] +[[package]] +name = "blake2b_simd" +version = "0.5.11" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "afa748e348ad3be8263be728124b24a24f268266f6f5d58af9d75f6a40b5c587" +dependencies = [ + "arrayref", + "arrayvec", + "constant_time_eq", +] + [[package]] name = "block-buffer" version = "0.9.0" 
@@ -215,6 +244,18 @@ dependencies = [ "generic-array", ] +[[package]] +name = "bstr" +version = "0.2.14" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "473fc6b38233f9af7baa94fb5852dca389e3d95b8e21c8e3719301462c5d9faf" +dependencies = [ + "lazy_static", + "memchr", + "regex-automata", + "serde", +] + [[package]] name = "bumpalo" version = "3.4.0" @@ -289,7 +330,8 @@ dependencies = [ "libc", "num-integer", "num-traits", - "time", + "serde", + "time 0.1.44", "winapi 0.3.9", ] @@ -332,7 +374,7 @@ version = "0.5.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "73d4de4f7724e5fe70addfb2bd37c2abd2f95084a429d7773b0b9645499b4272" dependencies = [ - "crypto-mac", + "crypto-mac 0.10.0", "dbl", ] @@ -352,6 +394,34 @@ version = "0.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "069b46dab00267d018567b1154f38b706d6ed93c4915301a2fa73bc24a03a1e7" +[[package]] +name = "const_fn" +version = "0.4.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "28b9d6de7f49e22cf97ad17fc4036ece69300032f45f78f30b4a4482cdc3f4a6" + +[[package]] +name = "constant_time_eq" +version = "0.1.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "245097e9a4535ee1e3e3931fcfcd55a796a44c643e8596ff6566d68f09b87bbc" + +[[package]] +name = "core-foundation" +version = "0.9.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0a89e2ae426ea83155dccf10c0fa6b1463ef6d5fcb44cee0b224a408fa640a62" +dependencies = [ + "core-foundation-sys", + "libc", +] + +[[package]] +name = "core-foundation-sys" +version = "0.8.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ea221b5284a47e40033bf9b66f35f984ec0ea2931eb03505246cd27a963f981b" + [[package]] name = "cpuid-bool" version = "0.1.2" 
@@ -364,6 +434,36 @@ version = "0.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "dcb25d077389e53838a8158c8e99174c5a9d902dee4904320db714f3c653ffba" +[[package]] +name = "crc32fast" +version = "1.2.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "81156fece84ab6a9f2afdb109ce3ae577e42b1228441eded99bd77f627953b1a" +dependencies = [ + "cfg-if 1.0.0", +] + +[[package]] +name = "crossbeam-utils" +version = "0.8.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "02d96d1e189ef58269ebe5b97953da3274d83a93af647c2ddd6f9dab28cedb8d" +dependencies = [ + "autocfg", + "cfg-if 1.0.0", + "lazy_static", +] + +[[package]] +name = "crypto-mac" +version = "0.8.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b584a330336237c1eecd3e94266efb216c56ed91225d634cb2991c5f3fd1aeab" +dependencies = [ + "generic-array", + "subtle", +] + [[package]] name = "crypto-mac" version = "0.10.0" @@ -375,6 +475,28 @@ dependencies = [ "subtle", ] +[[package]] +name = "csv" +version = "1.1.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f9d58633299b24b515ac72a3f869f8b91306a3cec616a602843a383acd6f9e97" +dependencies = [ + "bstr", + "csv-core", + "itoa", + "ryu", + "serde", +] + +[[package]] +name = "csv-core" +version = "0.1.10" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2b2466559f260f48ad25fe6317b3c8dac77b5bdb5763ac7d9d6103530663bc90" +dependencies = [ + "memchr", +] + [[package]] name = "ct-logs" version = "0.7.0" 
@@ -424,6 +546,33 @@ dependencies = [ "generic-array", ] +[[package]] +name = "dirs" +version = "2.0.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "13aea89a5c93364a98e9b37b2fa237effbb694d5cfe01c5b70941f7eb087d5e3" +dependencies = [ + "cfg-if 0.1.10", + "dirs-sys", +] + +[[package]] +name = "dirs-sys" +version = "0.3.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8e93d7f5705de3e49895a2b5e0b8855a1c27f080192ae9c32a6432d50741a57a" +dependencies = [ + "libc", + "redox_users", + "winapi 0.3.9", +] + +[[package]] +name = "discard" +version = "1.0.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "212d0f5754cb6769937f4501cc0e67f4f4483c8d2c3e1e922ee9edbe4ab4c7c0" + [[package]] name = "downcast-rs" version = "1.2.0" @@ -437,7 +586,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d39be153f0e278ffba17d1c05e8999641fcf3df7584a7251b5e660742fcab1ef" dependencies = [ "elliptic-curve", - "hmac", + "hmac 0.10.1", "signature", ] @@ -532,6 +681,21 @@ version = "1.0.7" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1" +[[package]] +name = "foreign-types" +version = "0.3.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f6f339eb8adc052cd2ca78910fda869aefa38d22d5cb648e6485e4d3fc06f3b1" +dependencies = [ + "foreign-types-shared", +] + +[[package]] +name = "foreign-types-shared" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b" + [[package]] name = "form_urlencoded" version = "1.0.0" 
@@ -564,26 +728,59 @@ version = "1.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0ba62103ce691c2fd80fbae2213dfdda9ce60804973ac6b6e97de818ea7f52c8" +[[package]] +name = "futures" +version = "0.3.12" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "da9052a1a50244d8d5aa9bf55cbc2fb6f357c86cc52e46c62ed390a7180cf150" +dependencies = [ + "futures-channel", + "futures-core", + "futures-executor", + "futures-io", + "futures-sink", + "futures-task", + "futures-util", +] + [[package]] name = "futures-channel" -version = "0.3.8" +version = "0.3.12" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4b7109687aa4e177ef6fe84553af6280ef2778bdb7783ba44c9dc3399110fe64" +checksum = "f2d31b7ec7efab6eefc7c57233bb10b847986139d88cc2f5a02a1ae6871a1846" dependencies = [ "futures-core", + "futures-sink", ] [[package]] name = "futures-core" -version = "0.3.8" +version = "0.3.12" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "847ce131b72ffb13b6109a221da9ad97a64cbe48feb1028356b836b47b8f1748" +checksum = "79e5145dde8da7d1b3892dad07a9c98fc04bc39892b1ecc9692cf53e2b780a65" + +[[package]] +name = "futures-executor" +version = "0.3.12" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e9e59fdc009a4b3096bf94f740a0f2424c082521f20a9b08c5c07c48d90fd9b9" +dependencies = [ + "futures-core", + "futures-task", + "futures-util", +] + +[[package]] +name = "futures-io" +version = "0.3.12" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "28be053525281ad8259d47e4de5de657b25e7bac113458555bb4b70bc6870500" [[package]] name = "futures-macro" -version = "0.3.8" +version = "0.3.12" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "77408a692f1f97bcc61dc001d752e00643408fbc922e4d634c655df50d595556" +checksum = "c287d25add322d9f9abdcdc5927ca398917996600182178774032e9f8258fedd" dependencies = [ "proc-macro-hack", 
"proc-macro2", @@ -593,29 +790,33 @@ dependencies = [ [[package]] name = "futures-sink" -version = "0.3.8" +version = "0.3.12" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f878195a49cee50e006b02b93cf7e0a95a38ac7b776b4c4d9cc1207cd20fcb3d" +checksum = "caf5c69029bda2e743fddd0582d1083951d65cc9539aebf8812f36c3491342d6" [[package]] name = "futures-task" -version = "0.3.8" +version = "0.3.12" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7c554eb5bf48b2426c4771ab68c6b14468b6e76cc90996f528c3338d761a4d0d" +checksum = "13de07eb8ea81ae445aca7b69f5f7bf15d7bf4912d8ca37d6645c77ae8a58d86" dependencies = [ "once_cell", ] [[package]] name = "futures-util" -version = "0.3.8" +version = "0.3.12" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d304cff4a7b99cfb7986f7d43fbe93d175e72e704a8860787cc95e9ffd85cbd2" +checksum = "632a8cd0f2a4b3fdea1657f08bde063848c3bd00f9bbf6e256b8be78802e624b" dependencies = [ + "futures-channel", "futures-core", + "futures-io", "futures-macro", + "futures-sink", "futures-task", - "pin-project 1.0.2", + "memchr", + "pin-project-lite 0.2.4", "pin-utils", "proc-macro-hack", "proc-macro-nested", @@ -720,7 +921,17 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "51ab2f639c231793c5f6114bdb9bbe50a7dbbfcd7c7c6bd8475dec2d991e964f" dependencies = [ "digest", - "hmac", + "hmac 0.10.1", +] + +[[package]] +name = "hmac" +version = "0.8.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "126888268dcc288495a26bf004b38c5fdbb31682f992c84ceb046a1f0fe38840" +dependencies = [ + "crypto-mac 0.8.0", + "digest", ] [[package]] @@ -729,7 +940,7 @@ version = "0.10.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c1441c6b1e930e2817404b5046f1f989899143a12bf92de603b69f4e0aee1e15" dependencies = [ - "crypto-mac", + "crypto-mac 0.10.0", "digest", ] 
@@ -807,13 +1018,26 @@ dependencies = [ "futures-util", "hyper", "log", - "rustls 0.18.1", + "rustls", "tokio", "tokio-rustls", "webpki", "webpki-roots", ] +[[package]] +name = "hyper-tls" +version = "0.4.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d979acc56dcb5b8dddba3917601745e877576475aa046df3226eabdecef78eed" +dependencies = [ + "bytes 0.5.6", + "hyper", + "native-tls", + "tokio", + "tokio-tls", +] + [[package]] name = "idna" version = "0.2.0" @@ -955,6 +1179,12 @@ version = "0.1.8" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7ffc5c5338469d4d3ea17d269fa8ea3512ad247247c30bd2df69e68309ed0a08" +[[package]] +name = "md5" +version = "0.7.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "490cc448043f947bae3cbee9c203358d62dbee0db12107a74be5c30ccfd09771" + [[package]] name = "memchr" version = "2.3.4" @@ -996,12 +1226,35 @@ dependencies = [ "kernel32-sys", "libc", "log", - "miow", + "miow 0.2.1", "net2", "slab", "winapi 0.2.8", ] +[[package]] +name = "mio-named-pipes" +version = "0.1.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0840c1c50fd55e521b247f949c241c9997709f23bd7f023b9762cd561e935656" +dependencies = [ + "log", + "mio", + "miow 0.3.6", + "winapi 0.3.9", +] + +[[package]] +name = "mio-uds" +version = "0.6.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "afcb699eb26d4332647cc848492bbc15eafb26f08d0304550d5aa1f612e066f0" +dependencies = [ + "iovec", + "libc", + "mio", +] + [[package]] name = "miow" version = "0.2.1" 
@@ -1014,12 +1267,40 @@ dependencies = [ "ws2_32-sys", ] +[[package]] +name = "miow" +version = "0.3.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5a33c1b55807fbed163481b5ba66db4b2fa6cde694a5027be10fb724206c5897" +dependencies = [ + "socket2", + "winapi 0.3.9", +] + [[package]] name = "multimap" version = "0.8.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1255076139a83bb467426e7f8d0134968a8118844faa755985e077cf31850333" +[[package]] +name = "native-tls" +version = "0.2.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b8d96b2e1c8da3957d58100b09f102c6d9cfdfced01b7ec5a8974044bb09dbd4" +dependencies = [ + "lazy_static", + "libc", + "log", + "openssl", + "openssl-probe", + "openssl-sys", + "schannel", + "security-framework", + "security-framework-sys", + "tempfile", +] + [[package]] name = "net2" version = "0.2.35" @@ -1120,7 +1401,7 @@ dependencies = [ "oak_runtime", "oak_sign", "prost", - "rustls 0.19.0", + "rustls", "serde", "signal-hook", "structopt", @@ -1161,11 +1442,12 @@ dependencies = [ "regex", "reqwest", "roughenough", - "rustls 0.18.1", + "rustls", "serde", "serde_json", "sha2", "tink-aead", + "tink-awskms", "tink-core", "tink-daead", "tink-mac", 
@@ -1233,6 +1515,39 @@ version = "0.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "624a8340c38c1b80fd549087862da4ba43e08858af025b236e509b6649fc13d5" +[[package]] +name = "openssl" +version = "0.10.32" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "038d43985d1ddca7a9900630d8cd031b56e4794eecc2e9ea39dd17aa04399a70" +dependencies = [ + "bitflags", + "cfg-if 1.0.0", + "foreign-types", + "lazy_static", + "libc", + "openssl-sys", +] + +[[package]] +name = "openssl-probe" +version = "0.1.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "77af24da69f9d9341038eba93a073b1fdaaa1b788221b00a69bce9e762cb32de" + +[[package]] +name = "openssl-sys" +version = "0.9.60" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "921fc71883267538946025deffb622905ecad223c28efbfdef9bb59a0175f3e6" +dependencies = [ + "autocfg", + "cc", + "libc", + "pkg-config", + "vcpkg", +] + [[package]] name = "p256" version = "0.7.1" @@ -1351,9 +1666,9 @@ checksum = "c917123afa01924fc84bb20c4c03f004d9c38e5127e3c039bbf7f4b9c76a2f6b" [[package]] name = "pin-project-lite" -version = "0.2.0" +version = "0.2.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6b063f57ec186e6140e2b8b6921e5f1bd89c7356dda5b33acc5401203ca6131c" +checksum = "439697af366c49a6d0a010c56a0d97685bc140ce0d377b13a2ea2aa42d64a827" [[package]] name = "pin-utils" @@ -1370,13 +1685,19 @@ dependencies = [ "const-oid", ] +[[package]] +name = "pkg-config" +version = "0.3.19" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3831453b3449ceb48b6d9c7ad7c96d5ea673e9b470a1dc578c2ce6521230884c" + [[package]] name = "pmac" version = "0.5.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e1c257eb89109a7e6115f40d44ca6d1816ecf9e90a1b38f6d477c78c1de505cb" dependencies = [ - "crypto-mac", + "crypto-mac 0.10.0", "dbl", ] 
@@ -1581,6 +1902,17 @@ version = "0.1.57" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "41cc0f7e4d5d4544e8861606a285bb08d3e70712ccc7d2b84d7c0ccfaf4b05ce" +[[package]] +name = "redox_users" +version = "0.3.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "de0737333e7a9502c789a36d7c7fa6092a49895d4faa31ca5df163857ded2e9d" +dependencies = [ + "getrandom", + "redox_syscall", + "rust-argon2", +] + [[package]] name = "regex" version = "1.4.2" @@ -1593,6 +1925,15 @@ dependencies = [ "thread_local", ] +[[package]] +name = "regex-automata" +version = "0.1.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ae1ded71d66a4a97f5e961fd0cb25a5f366a42a41570d16a763a69c092c26ae4" +dependencies = [ + "byteorder", +] + [[package]] name = "regex-syntax" version = "0.6.21" @@ -1630,8 +1971,8 @@ dependencies = [ "mime", "mime_guess", "percent-encoding", - "pin-project-lite 0.2.0", - "rustls 0.18.1", + "pin-project-lite 0.2.4", + "rustls", "serde", "serde_urlencoded", "tokio", 
@@ -1671,25 +2012,120 @@ dependencies = [ ] [[package]] -name = "rustls" -version = "0.18.1" +name = "rusoto_core" +version = "0.45.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5d1126dcf58e93cee7d098dbda643b5f92ed724f1f6a63007c1116eed6700c81" +checksum = "e977941ee0658df96fca7291ecc6fc9a754600b21ad84b959eb1dbbc9d5abcc7" dependencies = [ + "async-trait", "base64 0.12.3", + "bytes 0.5.6", + "crc32fast", + "futures", + "http", + "hyper", + "hyper-tls", + "lazy_static", "log", - "ring", - "sct", - "webpki", + "md5", + "percent-encoding", + "pin-project 0.4.27", + "rusoto_credential", + "rusoto_signature", + "rustc_version", + "serde", + "serde_json", + "tokio", + "xml-rs", ] [[package]] -name = "rustls" -version = "0.19.0" +name = "rusoto_credential" +version = "0.45.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "09ac05563f83489b19b4d413607a30821ab08bbd9007d14fa05618da3ef09d8b" +dependencies = [ + "async-trait", + "chrono", + "dirs", + "futures", + "hyper", + "pin-project 0.4.27", + "regex", + "serde", + "serde_json", + "shlex", + "tokio", + "zeroize", +] + +[[package]] +name = "rusoto_kms" +version = "0.45.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "111b99b940b1b02f5a98a5fcc96467a24ab899c43c1caff60d4a863342798c6e" +dependencies = [ + "async-trait", + "bytes 0.5.6", + "futures", + "rusoto_core", + "serde", + "serde_json", +] + +[[package]] +name = "rusoto_signature" +version = "0.45.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "064fd21ff87c6e87ed4506e68beb42459caa4a0e2eb144932e6776768556980b" +checksum = "97a740a88dde8ded81b6f2cff9cd5e054a5a2e38a38397260f7acdd2c85d17dd" +dependencies = [ + "base64 0.12.3", + "bytes 0.5.6", + "futures", + "hex", + "hmac 0.8.1", + "http", + "hyper", + "log", + "md5", + "percent-encoding", + "pin-project 0.4.27", + "rusoto_credential", + "rustc_version", + "serde", + "sha2", + "time 0.2.24", + 
"tokio", +] + +[[package]] +name = "rust-argon2" +version = "0.8.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4b18820d944b33caa75a71378964ac46f58517c92b6ae5f762636247c09e78fb" dependencies = [ "base64 0.13.0", + "blake2b_simd", + "constant_time_eq", + "crossbeam-utils", +] + +[[package]] +name = "rustc_version" +version = "0.2.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "138e3e0acb6c9fb258b19b67cb8abd63c00679d2851805ea151465464fe9030a" +dependencies = [ + "semver", +] + +[[package]] +name = "rustls" +version = "0.18.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5d1126dcf58e93cee7d098dbda643b5f92ed724f1f6a63007c1116eed6700c81" +dependencies = [ + "base64 0.12.3", "log", "ring", "sct", @@ -1702,6 +2138,16 @@ version = "1.0.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "71d301d4193d031abdd79ff7e3dd721168a9572ef3fe51a1517aba235bd8f86e" +[[package]] +name = "schannel" +version = "0.1.19" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8f05ba609c234e60bee0d547fe94a4c7e9da733d1c962cf6e59efa4cd9c8bc75" +dependencies = [ + "lazy_static", + "winapi 0.3.9", +] + [[package]] name = "scoped-tls" version = "1.0.0" 
@@ -1724,6 +2170,44 @@ dependencies = [ "untrusted", ] +[[package]] +name = "security-framework" +version = "2.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c1759c2e3c8580017a484a7ac56d3abc5a6c1feadf88db2f3633f12ae4268c69" +dependencies = [ + "bitflags", + "core-foundation", + "core-foundation-sys", + "libc", + "security-framework-sys", +] + +[[package]] +name = "security-framework-sys" +version = "2.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f99b9d5e26d2a71633cc4f2ebae7cc9f874044e0c351a27e17892d76dce5678b" +dependencies = [ + "core-foundation-sys", + "libc", +] + +[[package]] +name = "semver" +version = "0.9.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1d7eb9ef2c18661902cc47e535f9bc51b78acd254da71d375c2f6720d9a40403" +dependencies = [ + "semver-parser", +] + +[[package]] +name = "semver-parser" +version = "0.7.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "388a1df253eca08550bef6c72392cfe7c30914bf41df5269b68cbd6ff8f570a3" + [[package]] name = "serde" version = "1.0.118" @@ -1780,6 +2264,12 @@ dependencies = [ "opaque-debug", ] +[[package]] +name = "sha1" +version = "0.6.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2579985fda508104f7587689507983eadd6a6e84dd35d6d115361f530916fa0d" + [[package]] name = "sha2" version = "0.9.2" @@ -1793,6 +2283,12 @@ dependencies = [ "opaque-debug", ] +[[package]] +name = "shlex" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7fdf1b9db47230893d76faad238fd6097fd6d6a9245cd7a4d90dbd639536bbd2" + [[package]] name = "signal-hook" version = "0.2.1" 
@@ -1863,6 +2359,64 @@ version = "0.5.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "6e63cff320ae2c57904679ba7cb63280a3dc4613885beafb148ee7bf9aa9042d" +[[package]] +name = "standback" +version = "0.2.14" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c66a8cff4fa24853fdf6b51f75c6d7f8206d7c75cab4e467bcd7f25c2b1febe0" +dependencies = [ + "version_check", +] + +[[package]] +name = "stdweb" +version = "0.4.20" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d022496b16281348b52d0e30ae99e01a73d737b2f45d38fed4edf79f9325a1d5" +dependencies = [ + "discard", + "rustc_version", + "stdweb-derive", + "stdweb-internal-macros", + "stdweb-internal-runtime", + "wasm-bindgen", +] + +[[package]] +name = "stdweb-derive" +version = "0.5.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c87a60a40fccc84bef0652345bbbbbe20a605bf5d0ce81719fc476f5c03b50ef" +dependencies = [ + "proc-macro2", + "quote", + "serde", + "serde_derive", + "syn", +] + +[[package]] +name = "stdweb-internal-macros" +version = "0.2.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "58fa5ff6ad0d98d1ffa8cb115892b6e69d67799f6763e162a1c9db421dc22e11" +dependencies = [ + "base-x", + "proc-macro2", + "quote", + "serde", + "serde_derive", + "serde_json", + "sha1", + "syn", +] + +[[package]] +name = "stdweb-internal-runtime" +version = "0.1.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "213701ba3370744dcd1a12960caa4843b3d68b4d1c0a5d575e0d65b2ee9d16c0" + [[package]] name = "strsim" version = "0.8.0" 
@@ -1994,6 +2548,44 @@ dependencies = [ "winapi 0.3.9", ] +[[package]] +name = "time" +version = "0.2.24" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "273d3ed44dca264b0d6b3665e8d48fb515042d42466fad93d2a45b90ec4058f7" +dependencies = [ + "const_fn", + "libc", + "standback", + "stdweb", + "time-macros", + "version_check", + "winapi 0.3.9", +] + +[[package]] +name = "time-macros" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "957e9c6e26f12cb6d0dd7fc776bb67a706312e7299aed74c8dd5b17ebb27e2f1" +dependencies = [ + "proc-macro-hack", + "time-macros-impl", +] + +[[package]] +name = "time-macros-impl" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e5c3be1edfad6027c69f5491cf4cb310d1a71ecd6af742788c6ff8bced86b8fa" +dependencies = [ + "proc-macro-hack", + "proc-macro2", + "quote", + "standback", + "syn", +] + [[package]] name = "tink-aead" version = "0.1.0" @@ -2013,6 +2605,22 @@ dependencies = [ "tink-proto", ] +[[package]] +name = "tink-awskms" +version = "0.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "906d8f16376e9f1eba30004bf0838593d205f05615f9efc852471f66fb8f17ec" +dependencies = [ + "csv", + "hex", + "regex", + "rusoto_core", + "rusoto_credential", + "rusoto_kms", + "tink-core", + "tokio", +] + [[package]] name = "tink-core" version = "0.1.0" @@ -2068,7 +2676,7 @@ dependencies = [ "cmac", "digest", "hkdf", - "hmac", + "hmac 0.10.1", "prost", "sha-1", "sha2", @@ -2130,11 +2738,16 @@ dependencies = [ "futures-core", "iovec", "lazy_static", + "libc", "memchr", "mio", + "mio-named-pipes", + "mio-uds", "pin-project-lite 0.1.11", + "signal-hook-registry", "slab", "tokio-macros", + "winapi 0.3.9", ] [[package]] 
@@ -2155,11 +2768,21 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e12831b255bcfa39dc0436b01e19fea231a37db570686c06ee72c423479f889a" dependencies = [ "futures-core", - "rustls 0.18.1", + "rustls", "tokio", "webpki", ] +[[package]] +name = "tokio-tls" +version = "0.3.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9a70f4fcd7b3b24fb194f837560168208f669ca8cb70d0c4b862944452396343" +dependencies = [ + "native-tls", + "tokio", +] + [[package]] name = "tokio-util" version = "0.3.1" @@ -2531,6 +3154,12 @@ dependencies = [ "percent-encoding", ] +[[package]] +name = "vcpkg" +version = "0.2.11" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b00bca6106a5e23f3eee943593759b7fcddb00554332e856d990c893966879fb" + [[package]] name = "vec_map" version = "0.8.2" @@ -2787,6 +3416,12 @@ version = "0.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "85e60b0d1b5f99db2556934e21937020776a5d31520bf169e851ac44e6420214" +[[package]] +name = "xml-rs" +version = "0.8.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b07db065a5cf61a7e4ba64f29e67db906fb1787316516c4e6e5ff0fea1efcd8a" + [[package]] name = "zeroize" version = "1.2.0" diff --git a/oak_loader/Cargo.toml b/oak_loader/Cargo.toml index 6feb396bbbc..acd33cc4513 100644 --- a/oak_loader/Cargo.toml +++ b/oak_loader/Cargo.toml 
@@ -11,9 +11,10 @@ edition = "2018"
 license = "Apache-2.0"
 [features]
+# Enabling these features enables the features of the same name in the oak_runtime crate.
+# https://doc.rust-lang.org/cargo/reference/features.html#the-features-section
+awskms = ["oak_runtime/awskms"]
 oak_debug = ["oak_runtime/oak_debug"]
-# Enabling this feature enables the feature of the same name in the
-# oak_runtime create. https://doc.rust-lang.org/cargo/reference/features.html#the-features-section
 oak_introspection_client = ["oak_runtime/oak_introspection_client"]
 default = ["oak_debug"]
diff --git a/oak_loader/deny.toml b/oak_loader/deny.toml
index 9dcba673360..faaaf8c9c3e 100644
--- a/oak_loader/deny.toml
+++ b/oak_loader/deny.toml
@@ -13,6 +13,8 @@ notice = "deny"
 ignore = [
 # TODO(#1267): Remove when mio no longer depends on net2.
 "RUSTSEC-2020-0016",
+ # TODO: Remove when rusoto-* no longer depends on dirs.
+ "RUSTSEC-2020-0053",
 ]
 # Deny multiple versions unless explicitly skipped.
diff --git a/oak_loader/src/options.rs b/oak_loader/src/options.rs
index b37b4cbf8a2..56152c1b4e1 100644
--- a/oak_loader/src/options.rs
+++ b/oak_loader/src/options.rs
@@ -89,6 +89,8 @@ pub struct Opt {
 introspect_port: u16,
 #[structopt(long, help = "Starts the Runtime without an introspection server.")]
 no_introspect: bool,
+ #[structopt(long, help = "Filename for KMS credentials.")]
+ kms_credentials: Option,
 #[structopt(
 long,
 help = "Configuration files to expose to the Oak Application, each in key=filename format."
@@ -152,6 +154,7 @@ pub fn create_runtime_config() -> anyhow::Result Result, O &config.permissions_config, &config.secure_server_configuration, &config.sign_table, + config.kms_credentials.as_ref(), ); let config_map = config.config_map.clone(); let handle = proxy.start_runtime(config)?;
diff --git a/oak_runtime/src/lib.rs b/oak_runtime/src/lib.rs
index 777fbe79090..723597efd6e 100644
--- a/oak_runtime/src/lib.rs
+++ b/oak_runtime/src/lib.rs
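Review bot: The help text `Filename for KMS credentials.` on the new `kms_credentials` flag says neither which KMS it targets nor that the value is only consumed by an `awskms` build (the oak_loader/Cargo.toml hunk in this commit adds that feature); suggest `#[structopt(long, help = "Filename for AWS KMS credentials; only used by builds with the awskms feature.")]`. Presumably a build without the feature accepts the flag and silently ignores it, which an operator would read as the credentials being in use; that is worth confirming in the feature-gated code, which is outside this hunk, and rejecting the flag at parse time if so. The `Opt` struct continues outside the hunk.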
@@ -92,6 +92,8 @@ pub struct RuntimeConfiguration { pub metrics_port: Option, /// Port to run an introspection server on, if provided. pub introspect_port: Option, + /// Credentials filename for KMS integration, if provided. + pub kms_credentials: Option, /// Security options for server pseudo-nodes. pub secure_server_configuration: SecureServerConfiguration, /// Application configuration. diff --git a/oak_runtime/src/node/crypto/mod.rs b/oak_runtime/src/node/crypto/mod.rs index 5291d428419..1c77e724202 100644 --- a/oak_runtime/src/node/crypto/mod.rs +++ b/oak_runtime/src/node/crypto/mod.rs @@ -34,12 +34,6 @@ use tokio::sync::oneshot; mod tinkwrap; -/// Cryptographic pseudo-Node. -pub struct CryptoNode { - node_name: String, - tink: tinkwrap::TinkWrapper, -} - /// Build an [`rpc::Status`] from a [`Code`] and a message. pub fn rpc_status(code: Code, msg: String) -> rpc::Status { rpc::Status { @@ -75,12 +69,19 @@ where Ok(rsp_data) } -impl CryptoNode { +/// gRPC server implementation for cryptographic pseudo-Node. Held in a separate structure from +/// [`CryptoNode`] to avoid need for `Send + Sync` support. +pub struct CryptoNodeServer { + node_name: String, + tink: tinkwrap::TinkWrapper, +} + +impl CryptoNodeServer { /// Creates a new [`CryptoNode`] instance, but does not start it. - pub fn new(node_name: &str) -> Self { + pub fn new(node_name: &str, kms_credentials: Option) -> Self { Self { node_name: node_name.to_string(), - tink: tinkwrap::TinkWrapper::new(), + tink: tinkwrap::TinkWrapper::new(kms_credentials), } } 
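Review bot: The doc comment on `CryptoNodeServer::new` was carried over from the old `CryptoNode::new` and still claims to create a ``[`CryptoNode`]``, which is now a different type; it should read `/// Creates a new [`CryptoNodeServer`] with a fresh [`tinkwrap::TinkWrapper`]; `kms_credentials` is the optional credentials file forwarded to any KMS client the wrapper later builds.` The struct comment could also note that the wrapper, and therefore the keyset-handle table, is owned by this server and not shared with other crypto nodes. `process_invocation` and the rest of the impl lie outside this hunk.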
@@ -154,6 +155,22 @@ impl CryptoNode { } } +/// Cryptographic pseudo-Node. +pub struct CryptoNode { + node_name: String, + kms_credentials: Option, +} + +impl CryptoNode { + /// Creates a new [`CryptoNode`] instance, but does not start it. + pub fn new(node_name: &str, kms_credentials: Option) -> Self { + Self { + node_name: node_name.to_string(), + kms_credentials, + } + } +} + impl super::Node for CryptoNode { fn node_type(&self) -> &'static str { "crypto" @@ -168,19 +185,22 @@ impl super::Node for CryptoNode { /// Main execution loop for the crypto pseudo-Node. fn run( - mut self: Box, + self: Box, runtime: RuntimeProxy, handle: oak_abi::Handle, _notify_receiver: oneshot::Receiver<()>, ) { info!("{}: Starting crypto pseudo-Node", self.node_name); + + let mut server = CryptoNodeServer::new(&self.node_name, self.kms_credentials.clone()); + // Create a [`Receiver`] used for reading gRPC invocations. let receiver = Receiver::::new(ReadHandle { handle }); loop { debug!("Waiting for gRPC invocation"); match receiver.receive(&runtime) { Ok(invocation) => { - self.process_invocation(&runtime, &invocation); + server.process_invocation(&runtime, &invocation); invocation.close(&runtime); } Err(OakError::OakStatus(OakStatus::ErrTerminated)) => { diff --git a/oak_runtime/src/node/crypto/tinkwrap.rs b/oak_runtime/src/node/crypto/tinkwrap.rs index 1cc3106c3d6..90dd2eef62f 100644 --- a/oak_runtime/src/node/crypto/tinkwrap.rs +++ b/oak_runtime/src/node/crypto/tinkwrap.rs @@ -15,6 +15,7 @@ // use super::rpc_status; +use log::debug; use oak_services::proto::{ google::{rpc, rpc::Code}, oak::{crypto, crypto::keyset_generate_request::TemplateId}, 
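Review bot: The new `kms_credentials` field on `CryptoNode` is undocumented, and a reader cannot tell from this struct whether `None` disables KMS or falls back to ambient provider credentials; from `get_kms_client` later in this patch the latter happens for AWS (`AwsClient::new(key_uri)`). Suggest `/// Optional path to a KMS credentials file, forwarded to every KMS client built on behalf of this node; `None` lets the backend use its default credential lookup.` In `run`, `server` is built once per node lifetime, which deserves a one-line comment since every handle this node issues lives in that wrapper; the loop body continues past the end of the hunk.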
@@ -28,14 +29,25 @@ fn tinkerr(e: tink_core::TinkError) -> rpc::Status { rpc_status(Code::Internal, format!("{:?}", e)) } -/// Wrapper around the Tink cryptographic library which maintains a map -/// from opaque `u64` values to `[tink_core::keyset::Handle`] objects. +/// Alias type for a [`tink_core::Aead`] that is backed by a KMS. +type KmsAead = Box; + +/// Possible types that opaque `u64` API values refer to, +/// either `[tink_core::keyset::Handle`]s or a [`KmsAead`]. +enum Keyset { + Local(tink_core::keyset::Handle), + Proxy(KmsAead), +} + +/// Wrapper around the Tink cryptographic library which maintains a map from opaque `u64` values to +/// objects that can perform cryptographic operations. pub struct TinkWrapper { - handles: HashMap, + handles: HashMap, + kms_credentials: Option, } impl TinkWrapper { - pub fn new() -> TinkWrapper { + pub fn new(kms_credentials: Option) -> TinkWrapper { tink_aead::init(); tink_daead::init(); tink_mac::init(); 
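Review bot: The doc comment on `Keyset` has mismatched link delimiters, `` `[tink_core::keyset::Handle`]s ``, copied from the already-broken comment on the removed `TinkWrapper` doc; it should be `` [`tink_core::keyset::Handle`]s `` so rustdoc renders the intra-doc link. The `Proxy` variant also deserves a sentence on its security property and its restriction, e.g. `/// AEAD backed by an external KMS; the key material never exists in this process, so only AEAD operations accept this handle.` The `tink_*::init()` calls at the end belong to `new`, which continues into the next hunk.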
@@ -43,28 +55,61 @@ impl TinkWrapper { tink_signature::init(); TinkWrapper { handles: HashMap::new(), + kms_credentials, } } - /// Register a [`tink_core::keyset::Handle`] and return an opaque `u64` that will - /// be used to refer to this keyset on the gRPC API. - fn register_handle(&mut self, kh: tink_core::keyset::Handle) -> u64 { + /// Register a [`Keyset`] and return an opaque `u64` that will be used to refer + /// to it on the gRPC API. + fn register_keyset(&mut self, k: Keyset) -> u64 { loop { let candidate = rand::thread_rng().next_u64(); if self.handles.get(&candidate).is_none() { - self.handles.insert(candidate, kh); + self.handles.insert(candidate, k); return candidate; } } } - /// Retrieve the [`tink_core::keyset::Handle`] that corresponds to an opaque `u64` value. - fn get_handle(&self, h: u64) -> Result<&tink_core::keyset::Handle, rpc::Status> { + /// Register a [`tink_core::keyset::Handle`] and return an opaque `u64` that will + /// be used to refer to this keyset on the gRPC API. + fn register_handle(&mut self, kh: tink_core::keyset::Handle) -> u64 { + self.register_keyset(Keyset::Local(kh)) + } + + /// Register a [`KmsAead`] and return an opaque `u64` that will + /// be used to refer to it on the gRPC API. + fn register_kms_aead(&mut self, aead: KmsAead) -> u64 { + self.register_keyset(Keyset::Proxy(aead)) + } + + /// Retrieve the [`Keyset`] that corresponds to an opaque `u64` value. + fn get_keyset(&self, h: u64) -> Result<&Keyset, rpc::Status> { self.handles .get(&h) .ok_or_else(|| rpc_status(Code::InvalidArgument, "unknown keyset handle".to_string())) } + /// For AEAD operations (only), the opaque `u64` may refer to either a local handle or + /// to a KMS-backed AEAD. + fn get_aead(&self, h: u64) -> Result, rpc::Status> { + Ok(match self.get_keyset(h)? 
{ + Keyset::Local(kh) => tink_aead::new(&kh).map_err(tinkerr)?, + Keyset::Proxy(aead) => aead.box_clone(), + }) + } + + /// Retrieve the [`tink_core::keyset::Handle`] that corresponds to an opaque `u64` value. + fn get_handle(&self, h: u64) -> Result<&tink_core::keyset::Handle, rpc::Status> { + match self.get_keyset(h)? { + Keyset::Local(kh) => Ok(&kh), + Keyset::Proxy(_) => Err(rpc_status( + Code::InvalidArgument, + "wrong keyset type".to_string(), + )), + } + } + pub fn generate( &mut self, req: crypto::KeysetGenerateRequest, @@ -115,8 +160,7 @@ impl TinkWrapper { &self, req: crypto::KeysetBindRequest, ) -> Result { - let kh = self.get_handle(req.keyset_handle)?; - let aead = tink_aead::new(&kh).map_err(tinkerr)?; + let aead = self.get_aead(req.keyset_handle)?; let inner_kh = self.get_handle(req.inner_keyset_handle)?; let mut encrypted_keyset = vec![]; @@ -146,8 +190,7 @@ impl TinkWrapper { &mut self, req: crypto::KeysetUnbindRequest, ) -> Result { - let kh = self.get_handle(req.keyset_handle)?; - let aead = tink_aead::new(&kh).map_err(tinkerr)?; + let aead = self.get_aead(req.keyset_handle)?; let inner_kh = match crypto::KeysetFormat::from_i32(req.format) { Some(crypto::KeysetFormat::Binary) => read_keyset_with( 
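Review bot: In `get_handle`, `kh` is already a `&tink_core::keyset::Handle` because the match is on the `&Keyset` returned by `get_keyset`, so `Ok(&kh)` borrows a reference to a reference (clippy `needless_borrow`); `Keyset::Local(kh) => Ok(kh),` is what was intended. `get_aead` hides an asymmetry worth a comment: a `Local` keyset is turned into a brand-new primitive via `tink_aead::new` on every call while a `Proxy` is `box_clone`d, so `// Local keysets are re-instantiated per call; KMS-backed AEADs are cloned.` would save the next reader a trip into tink. With `bind`/`unbind` now going through `get_aead`, a KMS-backed AEAD can serve as the wrapping key for a local keyset, which is presumably the intended envelope-encryption use and should be stated in the `bind` doc. The `generate` method opened at the end of the hunk continues beyond it.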
@@ -173,22 +216,27 @@ impl TinkWrapper { } pub fn kms_proxy( - &self, - _req: crypto::KmsProxyRequest, + &mut self, + req: crypto::KmsProxyRequest, ) -> Result { - // TODO(#745): implement KMS integration - Err(rpc_status(Code::Internal, "not implemented".to_string())) + let kms_client = self.get_kms_client(&req.kms_identifier).map_err(tinkerr)?; + let aead = kms_client.get_aead(&req.kms_identifier).map_err(tinkerr)?; + + let api_handle = self.register_kms_aead(aead); + Ok(crypto::KeysetResponse { + keyset_handle: api_handle, + }) } pub fn encrypt( &self, req: crypto::AeadEncryptRequest, ) -> Result { - let kh = self.get_handle(req.keyset_handle)?; - let d = tink_aead::new(&kh).map_err(tinkerr)?; - let ct = d + let aead = self.get_aead(req.keyset_handle)?; + let ct = aead .encrypt(&req.plaintext, &req.associated_data) .map_err(tinkerr)?; + Ok(crypto::AeadEncryptResponse { ciphertext: ct }) } @@ -196,9 +244,8 @@ impl TinkWrapper { &self, req: crypto::AeadDecryptRequest, ) -> Result { - let kh = self.get_handle(req.keyset_handle)?; - let d = tink_aead::new(&kh).map_err(tinkerr)?; - let pt = d + let aead = self.get_aead(req.keyset_handle)?; + let pt = aead .decrypt(&req.ciphertext, &req.associated_data) .map_err(tinkerr)?; Ok(crypto::AeadDecryptResponse { plaintext: pt }) 
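Review bot: `kms_proxy` hands the caller an AEAD over whatever key URI it names in `req.kms_identifier`, authenticated with the Runtime-wide credentials, and nothing in this hunk restricts which URIs an application may name, so an application that can reach the crypto pseudo-Node can use the operator's KMS credentials against every key those credentials are authorised for, not only the keys intended for that application. Unless whatever check precedes the `match` in `ServerNodeFactory` (cut off in this patch) already gates this, an allow-list of permitted key URIs in the runtime configuration, checked before `get_kms_client` and answered with `Code::PermissionDenied`, would close that gap. Each call also creates a new KMS client and a new random handle, and nothing ever removes either, so a looping application grows `handles` (and the tink registry) without bound; caching the AEAD per `kms_identifier` and returning the existing handle would bound both. Finally, an unrecognised URI currently surfaces as `Code::Internal` via `tinkerr` although it is a caller error; `Code::InvalidArgument` is the accurate status.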
@@ -279,6 +326,38 @@ impl TinkWrapper { d.verify(&req.signature, &req.data).map_err(tinkerr)?; Ok(crypto::SignatureVerifyResponse {}) } + + fn get_kms_client( + &self, + key_uri: &str, + ) -> Result, tink_core::TinkError> { + debug!( + "retrieve KMS client for {} using credentials in {:?}", + key_uri, self.kms_credentials + ); + #[cfg(feature = "awskms")] + if key_uri.starts_with(tink_awskms::AWS_PREFIX) { + let g = if let Some(kms_creds) = &self.kms_credentials { + tink_awskms::AwsClient::new_with_credentials(key_uri, &kms_creds)? + } else { + tink_awskms::AwsClient::new(key_uri)? + }; + tink_core::registry::register_kms_client(g); + return tink_core::registry::get_kms_client(key_uri); + } + // TODO(#745): sort out clashing dependencies + #[cfg(feature = "gcpkms")] + if key_uri.starts_with(tink_gcpkms::GCP_PREFIX) { + let g = if let Some(kms_creds) = &self.kms_credentials { + tink_gcpkms::GcpClient::new_with_credentials(key_uri, &kms_creds)? + } else { + tink_gcpkms::GcpClient::new(key_uri)? + }; + tink_core::registry::register_kms_client(g); + return tink_core::registry::get_kms_client(key_uri); + } + Err("Unrecognized key URI".into()) + } } fn write_keyset_with( diff --git a/oak_runtime/src/node/http/tests.rs b/oak_runtime/src/node/http/tests.rs index 87bad2ba751..8b73e6fdfba 100644 --- a/oak_runtime/src/node/http/tests.rs +++ b/oak_runtime/src/node/http/tests.rs @@ -495,6 +495,7 @@ fn create_runtime(permissions: PermissionsConfiguration) -> RuntimeProxy { &permissions, &secure_server_config, &signature_table, + None, ) } diff --git a/oak_runtime/src/node/mod.rs b/oak_runtime/src/node/mod.rs index 4bf4620470d..4ba6a579c2f 100644 --- a/oak_runtime/src/node/mod.rs +++ b/oak_runtime/src/node/mod.rs 
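Review bot: `get_kms_client` calls `tink_core::registry::register_kms_client(g)` unconditionally on every invocation, so each `KMSProxy` request appends another client to the process-global registry shared by every crypto node in the Runtime; looking up first, e.g. `if let Ok(client) = tink_core::registry::get_kms_client(key_uri) { return Ok(client); }` at the top of the function, would bound growth and avoid building fresh AWS clients, assuming the registry matches by URI as the tink API suggests. The trailing `Err("Unrecognized key URI".into())` is also the only outcome when neither `awskms` nor `gcpkms` is compiled in, where a message such as `"no KMS backend compiled into this Runtime"` would point an operator at the real cause. The `debug!` line logs only the credentials path, not its contents, which is fine but worth stating in a comment so nobody later logs the file itself.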
@@ -126,6 +126,7 @@ pub struct ServerNodeFactory { pub permissions_configuration: PermissionsConfiguration, pub secure_server_configuration: SecureServerConfiguration, pub signature_table: SignatureTable, + pub kms_credentials: Option, } impl NodeFactory for ServerNodeFactory { @@ -144,9 +145,9 @@ impl NodeFactory for ServerNodeFactory { } match &node_configuration.config_type { - Some(ConfigType::CryptoConfig(CryptoConfiguration {})) => { - Ok(Box::new(crypto::CryptoNode::new(node_name))) - } + Some(ConfigType::CryptoConfig(CryptoConfiguration {})) => Ok(Box::new( + crypto::CryptoNode::new(node_name, self.kms_credentials.clone()), + )), Some(ConfigType::LogConfig(LogConfiguration {})) => { Ok(Box::new(logger::LogNode::new(node_name))) } diff --git a/oak_runtime/src/node/wasm/tests.rs b/oak_runtime/src/node/wasm/tests.rs index c9394aff4bb..19f03abdc9b 100644 --- a/oak_runtime/src/node/wasm/tests.rs +++ b/oak_runtime/src/node/wasm/tests.rs @@ -62,6 +62,7 @@ fn start_node( &permissions, &SecureServerConfiguration::default(), &signature_table, + None, ); let (_write_handle, read_handle) = proxy.channel_create("", &Label::public_untrusted())?; diff --git a/oak_runtime/src/proxy.rs b/oak_runtime/src/proxy.rs index 3e4436945d4..6610f2b170c 100644 --- a/oak_runtime/src/proxy.rs +++ b/oak_runtime/src/proxy.rs @@ -67,6 +67,7 @@ impl RuntimeProxy { permissions_configuration: &PermissionsConfiguration, secure_server_configuration: &SecureServerConfiguration, signature_table: &SignatureTable, + kms_credentials: Option<&std::path::PathBuf>, ) -> RuntimeProxy { let runtime = Arc::new(Runtime { terminating: AtomicBool::new(false), @@ -81,6 +82,7 @@ impl RuntimeProxy { permissions_configuration: permissions_configuration.clone(), secure_server_configuration: secure_server_configuration.clone(), signature_table: signature_table.clone(), + kms_credentials: kms_credentials.map(|p| p.to_path_buf()), }, }); let new_node_name = "implicit.initial"; 
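Review bot: The new `kms_credentials` field on `ServerNodeFactory` is undocumented, and since the factory clones the same path into every crypto pseudo-Node regardless of which application created it, that trust boundary deserves a sentence: `/// Optional path to the KMS credentials file; cloned into every crypto pseudo-Node, so all applications served by this Runtime share one KMS identity.` The check preceding the `match` in the factory's `create_node` starts outside this hunk, so whether it limits which nodes may obtain KMS access is not visible here.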
diff --git a/oak_runtime/src/tests.rs b/oak_runtime/src/tests.rs index 6727e77f170..b8c5fbebdc1 100644 --- a/oak_runtime/src/tests.rs +++ b/oak_runtime/src/tests.rs @@ -68,6 +68,7 @@ fn run_node_body(node_label: &Label, node_privilege: &NodePrivilege, node_body: http_config: None, }, &signature_table, + None, ); struct TestNode { diff --git a/oak_runtime/tests/integration_test.rs b/oak_runtime/tests/integration_test.rs index e75eea587d5..3dd13ae80cd 100644 --- a/oak_runtime/tests/integration_test.rs +++ b/oak_runtime/tests/integration_test.rs @@ -69,6 +69,7 @@ mod common { config::configure_and_run(oak_runtime::RuntimeConfiguration { metrics_port: Some(crate::METRICS_PORT), introspect_port: None, + kms_credentials: None, secure_server_configuration: SecureServerConfiguration::default(), app_config: application_configuration, permissions_config: permissions, diff --git a/oak_services/proto/crypto.proto b/oak_services/proto/crypto.proto index 860ce9bb880..427cd91f35c 100644 --- a/oak_services/proto/crypto.proto +++ b/oak_services/proto/crypto.proto @@ -37,7 +37,7 @@ service OakCrypto { rpc Unbind(KeysetUnbindRequest) returns (KeysetResponse) {} // Return a keyset that acts as a proxy to key material held in - // an external KMS. + // an external KMS, suitable for use as an AEAD. rpc KMSProxy(KMSProxyRequest) returns (KeysetResponse) {} // All primitive operations below take a keyset handle as a primary parameter, diff --git a/runner/src/internal.rs b/runner/src/internal.rs index 158cca7ce6e..d05732873ee 100644 --- a/runner/src/internal.rs +++ b/runner/src/internal.rs @@ -114,6 +114,7 @@ pub enum ServerVariant { Coverage, Logless, NoIntrospectionClient, + Kms, } impl std::str::FromStr for ServerVariant { 
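Review bot: The updated comment on `KMSProxy` says the returned keyset is "suitable for use as an AEAD" but not that it is only usable as one: in the crypto node implementation the handle is accepted by Encrypt/Decrypt and as the outer key of Bind/Unbind, while operations that go through `get_handle` appear to reject it with INVALID_ARGUMENT ("wrong keyset type"). Spelling that out here would save application authors a round trip: `// The returned handle is only valid for AEAD operations (Encrypt, Decrypt, and as the wrapping key for Bind/Unbind); other operations reject it with INVALID_ARGUMENT.` It would also help to say that the Runtime's configured KMS credentials, not anything supplied by the application, are what authorise access to the key.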
@@ -123,6 +124,7 @@ impl std::str::FromStr for ServerVariant { "base" => Ok(ServerVariant::Base), "coverage" => Ok(ServerVariant::Coverage), "logless" => Ok(ServerVariant::Logless), + "kms" => Ok(ServerVariant::Kms), "no-introspection-client" => Ok(ServerVariant::NoIntrospectionClient), _ => Err(format!("Failed to parse server variant {}", variant)), } @@ -508,6 +510,14 @@ impl Cmd { } } +/// If environment variable `name` is set in the current environment, pass it through +/// so the same value for `name` is visible when the command is executed. +fn env_passthru(cmd: &mut tokio::process::Command, name: &str) { + if let Ok(v) = std::env::var(name) { + cmd.env(name, v); + } +} + impl Runnable for Cmd { fn description(&self) -> String { format!("{} {}", self.executable, self.args.join(" ")) @@ -526,22 +536,14 @@ impl Runnable for Cmd { // General variables. cmd.env("HOME", std::env::var("HOME").unwrap()); cmd.env("PATH", std::env::var("PATH").unwrap()); - if let Ok(v) = std::env::var("USER") { - cmd.env("USER", v); - } + env_passthru(&mut cmd, "USER"); // Python variables. - if let Ok(v) = std::env::var("PYTHONPATH") { - cmd.env("PYTHONPATH", v); - } + env_passthru(&mut cmd, "PYTHONPATH"); // Rust compilation variables. - if let Ok(v) = std::env::var("RUSTUP_HOME") { - cmd.env("RUSTUP_HOME", v); - } - if let Ok(v) = std::env::var("CARGO_HOME") { - cmd.env("CARGO_HOME", v); - } + env_passthru(&mut cmd, "RUSTUP_HOME"); + env_passthru(&mut cmd, "CARGO_HOME"); // Rust runtime variables. cmd.env( 
@@ -551,15 +553,14 @@ impl Runnable for Cmd { cmd.env("RUST_BACKTRACE", "1"); // Emscripten variables. - if let Ok(v) = std::env::var("EMSDK") { - cmd.env("EMSDK", v); - } - if let Ok(v) = std::env::var("EM_CACHE") { - cmd.env("EM_CACHE", v); - } - if let Ok(v) = std::env::var("EM_CONFIG") { - cmd.env("EM_CONFIG", v); - } + env_passthru(&mut cmd, "EMSDK"); + env_passthru(&mut cmd, "EM_CACHE"); + env_passthru(&mut cmd, "EM_CONFIG"); + + // OpenSSL variables. + env_passthru(&mut cmd, "PKG_CONFIG_ALLOW_CROSS"); + env_passthru(&mut cmd, "OPENSSL_STATIC"); + env_passthru(&mut cmd, "OPENSSL_DIR"); cmd.envs(&self.env); diff --git a/runner/src/main.rs b/runner/src/main.rs index c94d1e34941..a0f249d8fc6 100644 --- a/runner/src/main.rs +++ b/runner/src/main.rs @@ -271,7 +271,7 @@ fn build_server(opt: &BuildServer) -> Step { ), }], match opt.server_variant { - ServerVariant::Base | ServerVariant::Coverage => vec![Step::Single { + ServerVariant::Base | ServerVariant::Coverage | ServerVariant::Kms => vec![Step::Single { name: "build introspection browser client".to_string(), command: Cmd::new("npm", vec![ @@ -313,6 +313,10 @@ fn build_server(opt: &BuildServer) -> Step { format!("--target={}", opt.server_rust_target.as_deref().unwrap_or(DEFAULT_SERVER_RUST_TARGET)), "--release".to_string(), ], + ServerVariant::Kms => vec!["--features=oak_introspection_client,awskms".to_string(), + format!("--target={}", opt.server_rust_target.as_deref().unwrap_or(DEFAULT_SERVER_RUST_TARGET)), + "--release".to_string(), + ], // If building in coverage mode, use the default target from the host, and build // in debug mode. ServerVariant::Coverage => vec!["--features=oak_introspection_client".to_string()], @@ -410,6 +414,11 @@ fn run_ci() -> Step { server_rust_toolchain: None, server_rust_target: None, }), + build_server(&BuildServer { + server_variant: ServerVariant::Kms, + server_rust_toolchain: None, + server_rust_target: None, + }), run_tests(), run_tests_tsan(), run_examples(&RunExamples { 
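Review bot: The new `kms` server variant only builds with `--features=oak_introspection_client,awskms`; `run_tests()` in `run_ci` is unchanged, so if it does not enable the feature (not visible here) the `#[cfg(feature = "awskms")]` branch of `get_kms_client` receives a compile check but is never executed in CI. A feature-gated unit test that calls `kms_proxy` with a non-AWS URI and asserts the error would at least exercise the dispatch without needing real credentials. The `--features` strings are now duplicated across three variants, so a comment on the `Kms` arm such as `// Base plus the AWS KMS backend for the crypto pseudo-Node.` would explain why the variant exists.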
diff --git a/sdk/deny.toml b/sdk/deny.toml index 44b66ea3004..7cf79c61f1a 100644 --- a/sdk/deny.toml +++ b/sdk/deny.toml @@ -16,6 +16,10 @@ notice = "deny" ignore = [ # TODO(#1267): Remove when mio no longer depends on net2. "RUSTSEC-2020-0016", + # TODO: Remove when rusoto-* no longer depends on dirs. + "RUSTSEC-2020-0053", + # TODO: Remove when rusoto-* no longer depends on stdweb (via time). + "RUSTSEC-2020-0056" ] # Deny multiple versions unless explicitly skipped. diff --git a/sdk/rust/oak_tests/src/lib.rs b/sdk/rust/oak_tests/src/lib.rs index ab6c94427c5..1a413831b08 100644 --- a/sdk/rust/oak_tests/src/lib.rs +++ b/sdk/rust/oak_tests/src/lib.rs @@ -185,6 +185,7 @@ pub fn runtime_config_wasm( oak_runtime::RuntimeConfiguration { metrics_port: Some(9090), introspect_port: Some(1909), + kms_credentials: None, secure_server_configuration: oak_runtime::SecureServerConfiguration { grpc_config: Some(oak_runtime::GrpcConfiguration { grpc_server_tls_identity: Some(Identity::from_pem(
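Review bot: The two new `ignore` entries suppress RUSTSEC-2020-0053 and RUSTSEC-2020-0056 for the whole sdk workspace, not only for builds that enable the `awskms` feature, and unlike the neighbouring `TODO(#1267)` they carry no tracking issue, so nothing will prompt their removal once rusoto drops `dirs`/`stdweb`. Suggest filing an issue and referencing it the same way, e.g. `# TODO(#NNNN): Remove when rusoto-* no longer depends on dirs.`, and stating in the comment what each advisory is (an unmaintained-crate notice or an actual vulnerability) so a future reader can judge the risk being accepted.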