100%
GRIMOIRE
GrimoireDindon CorpusSynthesis VolumesThe Foundation of Iron
FRENAR
← PreviousNext →
HUMAN
Structural Essay · July 2026 · Standalone Volume
◆◆◆
Identity Under License
Anatomy of IAM/KMS Lock-In
◆ Asymmetry Declaration — applicable to this entire volume

This volume does not claim that identity and encryption-key management at a cloud provider is inherently malicious. It was modeled by an infrastructure architect, audited contradictorily by two AI systems, from publicly verifiable facts — provider technical documentation, published regulatory frameworks, open standard specifications. It prosecutes no one's intent. It documents a structural mechanism by which digital identity and the encryption key remain the last lock on an architecture, even when the orchestrator is open and the data portable, and proposes a workaround architecture explicitly framed as a proposal, not a deployed solution.

◆◆◆
Amine RAITI — Infrastructure Architect & SRE
Former engineering school professor · Teaching since 2006
Public document · CC BY-NC-SA 4.0
HUMAN
Thread
What this volume will demonstrate, in order

This volume builds a chain in three stages: first, why digital identity (IAM) and the encryption key (KMS) structurally escape reversibility clauses, even when the orchestrator can be open and the data format portable (Chapter I); then, to what extent existing frameworks — the SecNumCloud referential, the European data regulation — cover or ignore this precise mechanism (Chapter II); finally, a workaround architecture built on federated workload identity and an independent key vault, with an explicit demonstration of its ultimate limit (Chapter III).

◆ The Thesis in One Sentence

An open control plane or a low-gravity data architecture remain captured in practice if identity and the encryption key stay anchored with the originating provider — identity and the key are the last lock, precisely because no portability clause targets them directly.

CHAPTER I — THE MECHANISM
I.1Identity as a RelationshipWhy an IAM identity is not an exportable artifact
I.2Material FusionThe key's anchoring in the provider's HSM and hypervisor
I.3The Theoretical AnchorArthur (1989) and Grossman & Hart (1986) applied to identity
CHAPTER II — THE EXISTING SHIELD, ITS LIMITS
II.1SecNumCloud and Key ManagementA demanding referential on encryption, silent on portability
II.2The Data Act's Blind SpotArticle 30 and the ambiguity on exporting functional keys
CHAPTER III — PROPOSAL
III.1The Straw Man RejectedWhy Keycloak and Vault alone are not enough
III.2Federated Workload IdentitySPIFFE/SPIRE and the independent key vault
III.3The Functional FreezeThe root of trust stays signed by the proprietary hypervisor
HUMAN
I.1
An access right is not a file
Identity as a relationship, not an exportable artifact
CHAPTER I — THE MECHANISM

Volumes VII and VIII of this collection each established that a reconquest architecture can neutralize the orchestrator's lock-in or the lock-in of data gravity, while explicitly leaving out of scope one last mechanism: identity management (IAM) and encryption (KMS). This chapter documents that mechanism for the first time in this collection.

◆ The central mechanism

An IAM identity is not a file you export: it is a living relationship, valid only inside the trust graph of the provider that issued it. A role, an instance profile, a managed identity only make sense within the directory, policies, and verification infrastructure of the originating provider. Migrating an organization elsewhere does not migrate this relationship — it must be recreated from scratch inside the new provider's trust graph.

◆ Asymmetry between data and identity

Encrypted data can, in theory, be copied bit for bit to another infrastructure. An identity cannot be copied the same way: it is not a static value, but the result of a continuous attestation process — verifying the origin of the request, the integrity of the call chain, the temporal validity of the token. Copying the representation of an identity without copying the attestation process that validates it produces nothing usable.

HUMAN
I.2
The HSM does not lend, it retains
Material fusion — why the key never leaves the provider

The encryption key follows a similar logic, but with an added material constraint: across the three main hyperscalers (AWS, Azure, Google Cloud), the default encryption key generated by the native managed key service is, by design, never exportable in the clear.

◆ The empirical materiality — the AWS KMS case

AWS KMS technical documentation explicitly states that a key whose origin (the Origin parameter) is AWS_KMS can never be extracted, exported, or viewed outside the hardware security module (HSM) that holds it — only the public portion of an asymmetric key is an exception. The documentation also confirms that the format of symmetric ciphertexts produced by AWS KMS is not published, and that no other system, including another HSM, can decrypt content encrypted by that key.

◆ The empirical materiality — the Azure Key Vault case

Official Microsoft documentation confirms that a key protected by Azure Key Vault HSMs (Premium tier, nCipher/Thales chips, FIPS 140-2 Level 2 validation) can never be exported: the Key Exchange Key generated inside the HSM never exists in the clear outside of it, and no decrypted version of the customer's key can ever be returned by Microsoft once transferred. The associated application identity (Managed Identity) is itself tied to a service principal in Entra ID, valid only within the originating Azure tenant's directory.

◆ The empirical materiality — the Google Cloud KMS case

Official Google Cloud documentation confirms that a key created with an HSM protection level (ProtectionLevel=HSM) is generated, wrapped, and used exclusively inside HSMs certified at FIPS 140-2 Level 3: the service's very design guarantees the key can neither be unwrapped nor used outside the HSM, nor extracted from it. Workload Identity Federation, which avoids creating exportable service-account keys, remains itself a feature of Google Cloud's IAM control plane, activated and revocable only from that same control plane.

◆ What this symmetry establishes

All three hyperscalers converge on the same architecture: the encryption key generated by their native managed service never leaves their HSMs, whatever the precise FIPS certification (Level 2 for Azure Key Vault Premium, Level 3 for AWS CloudHSM and Google Cloud HSM). The mechanism documented in Chapter I is therefore not a quirk of a single provider, but a shared architectural convention across the three main market players.

◆ What this concretely means for an organization

An organization that wants to change cloud providers without losing access to its already-encrypted data must either re-encrypt the entire relevant data volume with a new key before the switch — an operation whose cost grows linearly with the volume of data already accumulated — or accept remaining dependent on the originating provider's key service to decrypt what was already encrypted there, even after the compute infrastructure itself has switched.

◆ What this mechanism does not claim

This chapter does not claim that external key import (Bring Your Own Key) resolves this mechanism: this feature, available across all three hyperscalers, moves key generation outside the provider but changes neither the HSM's hardware attestation nor the dependency on the proprietary API for every decrypt operation.

HUMAN
I.3
Two theories, one impasse
The theoretical anchor — increasing returns and residual control rights

Two distinct theoretical anchors, applied together, account for this mechanism without reducing it to mere contractual negligence on the providers' part.

◆ First anchor — Arthur (1989), increasing returns and historical lock-in

W. Brian Arthur ("Competing Technologies, Increasing Returns, and Lock-In by Historical Events", The Economic Journal, vol. 99, 1989) established that an initial technical choice, even a minor one, can become locked in through the cumulative effect of small historical events reinforced by increasing returns — without any single identifiable decision being responsible. The initial choice of an identity provider fits this dynamic: each additional service connected to that directory, each additional access policy written in its proprietary language, raises the cost of any later migration without any one migration ever having, on its own, caused the lock-in.

◆ Second anchor — Grossman & Hart (1986), residual rights of control

Grossman and Hart ("The Costs and Benefits of Ownership: A Theory of Vertical and Lateral Integration", Journal of Political Economy, vol. 94, 1986) distinguish specific rights, enumerable in a contract, from residual rights, which default to whoever owns the asset. Applied to identity and the key: the cloud service contract can enumerate specific rights (access, use, portability of raw data), but the residual right over the hardware attestation chain — which HSM signs, which hypervisor attests a virtual machine's boot — remains, by construction, the property of the provider that owns the silicon. No portability clause transfers this residual right, because it was never a negotiable specific right.

◆ What articulating the two anchors establishes

Identity and the key are locked in both by an unintentional cumulative effect (Arthur) and by a structural asymmetry of ownership over the physical infrastructure that authenticates them (Grossman & Hart). The second anchor explains why this lock-in resists even an open orchestrator governance model (Vol. VII): software governance does not transfer ownership of the HSM.

HUMAN
II.1
Protecting the key is not freeing it
SecNumCloud and key management — a demanding referential, silent on portability
CHAPTER II — THE EXISTING SHIELD, ITS LIMITS

The ANSSI's SecNumCloud requirements referential (version 3.2) imposes precise obligations on qualified providers regarding encryption key management — but these obligations concern the robustness of that management, not its portability upon a change of provider.

◆ What SecNumCloud actually requires

The referential requires secure encryption key management including dedicated procedures for generation, storage, distribution, and revocation, along with cryptographic requirements consistent with ANSSI recommendations (general security referential, annex B1). Encryption of data at rest and in transit must be systematic. These requirements target the robustness of protection — they do not address what happens to a functional key when the provider is left.

◆ The blind spot identified

Nothing in SecNumCloud's documented requirements obliges a qualified provider to guarantee the operational exportability of an encryption key generated under its control toward another provider's infrastructure. The referential protects the key's integrity and confidentiality while it remains with the qualified provider — it does not address its portability at the moment of exit.

◆ What this finding does not claim

This chapter does not claim this blind spot constitutes a design flaw in the SecNumCloud referential: the robustness of cryptographic protection and the portability of a functional key are two objectives in tension, and a security referential would normally favor the former. This chapter documents a scope limit, not a negligence.

HUMAN
II.2
Functional equivalence stops where the silicon begins
The Data Act's blind spot — Article 30 facing the functional key

The EU Data Act (Regulation 2023/2854), applicable since September 12, 2025, imposes on cloud service providers a switching regime built on "functional equivalence" and interoperability.

◆ What Article 30 actually requires

Article 30 of the Data Act requires, for infrastructure-type services (IaaS), that the originating provider take all reasonable measures to enable the customer to achieve functional equivalence in the new service's environment, by providing the necessary capabilities, information, documentation, technical assistance and tools. For other services (PaaS, SaaS), the obligation covers making open, free interfaces available that facilitate data portability and interoperability.

◆ The blind spot identified — precise textual anchor

Article 2, point 38, of the Regulation defines "exportable data" by explicitly excluding data whose export would expose the provider to a cybersecurity vulnerability, as well as assets protected by intellectual property rights or trade secrets. The notion of "digital asset", moreover, only covers elements for which the customer has a right of use independent of the contractual relationship with the provider being left. An encryption key generated and held by the provider's managed key service clearly meets neither criterion: it was never a right held independently of that contract, and its functional export could, by construction, fall under service security. Nothing in the text, however, explicitly settles this case — it is precisely this absence of unambiguous qualification, rather than a named exclusion, that constitutes the blind spot documented here.

◆ What this chapter does not claim to settle

This chapter does not claim the Data Act deliberately ignores the question of keys — the absence of explicit mention could equally reflect an oversight or an implicit reference to the general notion of functional equivalence. This chapter documents a zone of legal uncertainty, not a definitive conclusion about legislative intent.

HUMAN
III.1
Replacing the software does not replace the silicon
The straw man rejected — why Keycloak and Vault alone are not enough
CHAPTER III — PROPOSAL

Facing the mechanism documented in Chapters I and II, a theoretically appealing but architecturally insufficient response consists of proposing the simple software replacement of the identity provider and key vault with self-hosted open-source equivalents.

◆ The straw man identified and rejected

Deploying an open-source identity provider (e.g. Keycloak) and a self-hosted key vault (e.g. HashiCorp Vault) does not resolve the mechanism documented in Chapter I: these tools handle application-level authentication — verifying that a user or service carries a valid token — not infrastructure-level authentication, i.e. verifying, at the moment a virtual machine or container boots on the provider's silicon, that this boot itself is legitimate. This second layer remains, by construction, under the control of the proprietary hypervisor.

◆ Why this solution collapses in front of a cloud engineer

A self-hosted application identity provider can authenticate human users and high-level services. It cannot, however, substitute for the hardware attestation that certifies a given workload is actually running on the hardware it claims to use — this attestation requires access to the provider's root of trust (security chip, hypervisor microcode), which no client software can reproduce from the outside.

HUMAN
III.2
Federate identity, don't suffer it
Federated workload identity — SPIFFE/SPIRE and the independent key vault

The frontier of what is technically conceivable today to partially work around this mechanism rests on attested workload identity rather than application identity alone.

◆ The proposal — SPIFFE/SPIRE and the independent key vault

The open standard SPIFFE (Secure Production Identity Framework for Everyone), implemented by SPIRE, allows attesting a workload's identity from verifiable node and process properties — rather than a shared secret — and federating that identity across multiple cloud providers via interoperable trust domains. Paired with an independent key vault following an interoperability protocol such as KMIP (Key Management Interoperability Protocol), this standard offers portability of the identity and key-management application layer that neither Keycloak nor Vault alone provide.

◆ What this proposal actually delivers

An organization using SPIFFE/SPIRE can carry the same cryptographically verifiable workload identity across several cloud environments simultaneously — a necessary condition for a provider switch not to immediately break the application authorization chain.

◆ What this proposal does not resolve alone — flagged now

This proposal does not settle the question raised in Chapter I about the root of trust at machine boot — it shifts it one level down, from the application layer to the node-attestation layer, which itself remains dependent on the provider. This point is developed explicitly in III.3.

HUMAN
III.3
The root of trust cannot be outsourced
The functional freeze — why the hypervisor's signature remains the last word

SPIRE's own technical documentation specifies the node-attestation mechanism, and this mechanism reveals the ultimate limit of any workaround architecture.

◆ The functional freeze — the root of trust stays with the provider

Node attestation in SPIRE — the step by which a SPIRE agent proves to the server that it is indeed running on the node it claims to be — typically relies on metadata APIs specific to each cloud provider (AWS EC2 instance identity document, GCP instance metadata tokens, Azure managed identity attestation). In other words: even the most advanced implementation of federated workload identity depends, at its very first link, on the signature issued by the originating provider's hypervisor at the moment the machine boots on its silicon.

◆ The explicit trade-off this finding imposes

Fully escaping this dependency requires giving up the most performant managed abstractions — Serverless, native PaaS — to drop down to a rawer compute level, where the organization itself controls hardware attestation (for example via its own security chips on infrastructure it owns). This is a functional freeze symmetric to those already accepted in Volumes VII and VIII: an explicit trade-off between operational comfort and sovereignty, not a costless solution.

◆ What this volume does not claim to resolve

This volume does not claim that combining SPIFFE/SPIRE with an independent key vault eliminates the mechanism documented in Chapter I. It establishes that this combination represents the frontier of what is conceivable without giving up managed services — and that this frontier leaves standing, at its root, exactly the lock it seeks to work around.

HUMAN
Closing
One last lock, an acknowledged boundary

This volume has documented a mechanism left out of scope by Volumes VII and VIII: digital identity and the encryption key are not exportable artifacts, but attestation relationships anchored in the provider's trust graph and silicon. Neither an open orchestrator governance model nor data-format portability suffice to neutralize this last lock.

◆ The Thesis in One Sentence

An open control plane and portable data remain captured in practice if the identity accessing them and the key decrypting them stay, at their root, signed by a single provider.

◆ What this volume does not claim to resolve — open call

This volume does not claim to offer a complete, costless solution to IAM/KMS lock-in: the Chapter III proposal shifts the problem toward the node-attestation layer without eliminating it, and its real cost — in lost operational comfort — has not been quantified here for lack of a publicly documented large-scale deployed case. We explicitly invite any architect who has implemented SPIFFE/SPIRE in multi-cloud production to document that experience and correct or enrich this anatomy.

◆◆◆

A key you cannot take with you is not a key you own. It is a right of use, revocable by construction, held by whoever controls the silicon.

◆◆◆
Amine RAITI · CC BY-NC-SA 4.0
HUMAN
Methodological Appendix
Presentation of the format — traceability of the contradictory cycle

This appendix documents, in shorthand form, the actual course of this volume's contradictory production cycle: Amine RAITI defined the project and arbitrated points of disagreement, Claude drafted the framing and successive drafts and carried out independent factual verification, and Gemini audited each delivery as Forensic Auditor.

◆ Why this appendix exists

No claim in this volume is presented as sourced from memory. This appendix lets any reader verify, step by step, what Amine asked for, what Claude independently verified before writing, and what Gemini validated, rejected, or had corrected — rather than integrating a suggestion under reserve.

HUMAN
Methodological Appendix
The initial framing — thesis, anchors, arbitrations

Amine submitted to Claude the provisional thesis of IAM/KMS lock-in as the last lock surviving the opening of the orchestrator (Vol. VII) and the portability of the data format (Vol. VIII). Claude drafted a framing prompt from this thesis and submitted it to Gemini for audit.

◆ Points settled at framing

Gemini proposed the reference "Path Dependency and Architectural Interlocking, Arthur 1989"; Claude independently verified this reference and corrected the article's real title, "Competing Technologies, Increasing Returns, and Lock-In by Historical Events". Gemini then required a second anchor, Grossman & Hart (1986), to cover the material-fusion dimension; Claude verified it independently before integrating it.

◆ Arbitration on the straw man

Gemini rejected the proposal to reformulate the Keycloak/Vault replacement already covered in Volume IV, judged insufficient against the technical objection of workload identity. Claude redirected the empirical target toward SPIFFE/SPIRE and the KMIP protocol, verified independently before drafting Chapter III.

HUMAN
Methodological Appendix
Chapter I — verifications performed, reservations flagged

Before drafting Chapter I, Claude independently verified five elements: the corrected Arthur (1989) reference, the Grossman & Hart (1986) reference, and the technical documentation of AWS KMS, Azure Key Vault, and Google Cloud KMS, each confirming the non-exportability of their native HSM keys.

◆ Verification status

Claude confirmed both theoretical references through independent research (exact title, journal, volume, pages). He confirmed the empirical materiality on AWS KMS, Azure Key Vault (nCipher/Thales, FIPS 140-2 Level 2) and Google Cloud KMS (FIPS 140-2 Level 3) directly from each of the three providers' official documentation, as part of the global audit Gemini requested on the first draft. Claude flagged, rather than silently corrected, an error in the FIPS level Gemini initially advanced for Azure (Level 3 proposed, Level 2 confirmed by Microsoft's documentation).

HUMAN
Methodological Appendix
Chapter II — verifications performed, reservations flagged

Before drafting Chapter II, Claude verified the ANSSI's SecNumCloud v3.2 referential and Articles 2 and 30 of Regulation (EU) 2023/2854 (Data Act) through independent research.

◆ Verification status

Claude confirmed, from several concordant sources, the content of SecNumCloud's key-management requirements (generation, storage, distribution, revocation), none of which mention any obligation to port a functional key. Gemini had proposed a textual quotation of Article 30; Claude judged it too approximate to reproduce as-is after verification, and substituted a more precise anchor, grounded in the definition of "exportable data" (Art. 2, point 38 — cybersecurity-risk exclusion) and "digital asset" (right of use independent of the contract), corroborating Gemini's semantic-gap hypothesis without reproducing his inaccurate wording.

HUMAN
Methodological Appendix
Chapter III — verifications performed, reservations flagged

Before drafting Chapter III, Claude independently verified SPIFFE/SPIRE's technical documentation, in particular the node-attestation mechanism on which Gemini had based his demand to neutralize the straw man.

◆ Verification status

Claude confirmed, from several concordant technical sources, that node attestation in SPIRE relies on metadata APIs specific to each cloud provider (AWS EC2 instance identity document, GCP metadata tokens, Azure attestation). This confirmation let Claude validate Chapter III's central demonstration without asserting it from memory.

HUMAN
Methodological Appendix
The global audit — verdict, validated points, corrections made

Claude submitted a global audit to Gemini on the complete first draft (vol9_fr_jet1.html), delivered as a single block on an experimental basis. Gemini issued his verdict: logical partial refusal, with matrix-hardening injections required. He judged the conceptual armature (identity as relationship, material fusion, theoretical anchor) stable and free of semantic drift from Chapter I to the close.

◆ Points Gemini validated without reservation

The Arthur (1989) / Grossman & Hart (1986) articulation in Chapter I. The functional-freeze demonstration in Chapter III (SPIFFE/SPIRE, node attestation dependent on the originating provider's metadata), judged embodied and unassailable. The negative citation of HashiCorp Vault and Keycloak as a rejected straw man, judged healthy by Gemini for the corpus's continuity against Volume IV.

◆ Points on which Gemini issued a partial refusal, corrected by Claude in this draft

Gemini flagged a materiality asymmetry between AWS on one hand, Azure and Google Cloud on the other in Chapter I; Claude corrected it by injecting symmetric empirical materiality for all three providers. Gemini judged the legal uncertainty in Chapter II on the Data Act insufficiently textually anchored; Claude corrected it with an anchor on Article 2, points 37 and 38, after finding Gemini's proposed quotation was not verifiable as-is.

◆ What remains open after this iteration

Gemini judged the modified production protocol (complete draft followed by a single global audit) experimentally useful but degraded compared to the standard chapter-by-chapter cycle, and set the return to the standard protocol for Volume X. Gemini further requested an immediate trilingual draft; Amine ruled the opposite way, deciding the volume stays French-only until fully validated and hardened.

HUMAN
Methodological Appendix
Independent counter-audit — double validation before final closing

Alongside Gemini's second global audit, Amine asked Claude to run his own independent quality check on the sealed file, without assuming Gemini's verdict alone guarantees the volume's factual accuracy.

◆ What Claude independently reconfirmed

Claude re-verified directly from each of the three providers' official documentation the non-exportability of AWS KMS, Azure Key Vault Premium (FIPS 140-2 Level 2), and Google Cloud KMS (FIPS 140-2 Level 3) keys. He judged the Arthur (1989) and Grossman & Hart (1986) references stable, and cross-checked against the Regulation's exact text the point numbers cited in Data Act Article 2 (37 — functional equivalence, 38 — exportable data), which he confirmed correct.

◆ A nuance Claude flagged in Gemini's justification, with no impact on the sealed text

Gemini justified his initial audit report by stating he had meant the Azure Dedicated HSM service (Level 3) rather than Key Vault Premium. Claude verified this fact, true in isolation — Dedicated HSM does reach Level 3 — but noted that Gemini's original wording had grouped these two distinct Azure offerings under a single certification level, which amounted to a conflation. The correction Claude had already made in draft 2 (Level 2 for Key Vault Premium) remains accurate and needed no further adjustment after this counter-audit.

◆ What this counter-audit does not replace

This independent check conducted by Claude does not claim to replace the contradictory audit cycle with Gemini — it supplements it as a double validation explicitly requested by Amine before considering the French volume's sealing definitively acquired, following the principle that two independent verifications are better than one, even when the first revealed no error.

HUMAN
Methodological Appendix
Appendix closing — status at the time of submission to the Auditor
◆ The Thesis in One Sentence

Claude corrected this second draft after Gemini's global audit and his own independent counter-audit; the volume remains subject to a further review by Gemini before final closing in French.

Status at the closing of this appendix: Claude revised the three chapters in French only, symmetrized multi-cloud materiality in Chapter I, and corrected the Data Act anchor in Chapter II. No EN/AR translation had been undertaken at that stage — Gemini requested an immediate trilingual production, but Amine ruled the opposite way: the volume would only be translated after full validation and hardening in French. This English version was produced once that French sealing was confirmed.

← PreviousNext →