diff --git a/.circleci/config.yml b/.circleci/config.yml
index 927ef13..d42d576 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -1,6 +1,29 @@
 version: 2
 
 jobs:
+  kms:
+    docker:
+      - image: circleci/golang:1.12
+    working_directory: ~/offen/kms
+    steps:
+      - checkout:
+          path: ~/offen
+      - restore_cache:
+          key: offen-kms-{{ checksum "go.mod" }}
+      - run:
+          name: Download modules
+          command: go mod download
+      - save_cache:
+          paths:
+            - /go/pkg/mod
+          key: offen-kms-{{ checksum "go.mod" }}
+      - run:
+          name: Generate one-off key file
+          command: make bootstrap
+      - run:
+          name: Run tests
+          command: make test-ci
+
   server:
     docker:
       - image: circleci/golang:1.12
@@ -122,6 +145,7 @@ workflows:
   build_and_test:
     jobs:
       - server
+      - kms
       - vault
       - script
       - auditorium
diff --git a/docker-compose.yml b/docker-compose.yml
index 397c44e..6d7d0e6 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,61 +1,81 @@
-server:
-  image: golang:1.12
-  working_dir: /server
-  volumes:
-    - ./server:/server
-    - ./local.offen.dev.pem:/server/local.offen.dev.pem
-    - ./local.offen.dev-key.pem:/server/local.offen.dev-key.pem
-    - $GOPATH/pkg/mod:/go/pkg/mod
-  environment:
-    - GOPATH=/go
-    - POSTGRES_CONNECTION_STRING=postgres://postgres:develop@database:5432/postgres?sslmode=disable
-  ports:
-    - 8080:8080
-  command: go run cmd/server/main.go -origin https://local.offen.dev:9977 -conn postgres://postgres:develop@database:5432/postgres?sslmode=disable -key local.offen.dev-key.pem -cert local.offen.dev.pem
-  links:
-    - database
+version: '3'
 
-database:
-  image: postgres:11.2
-  environment:
-    - POSTGRES_PASSWORD=develop
+services:
+  kms:
+    image: golang:1.12
+    working_dir: /kms
+    volumes:
+      - ./kms:/kms
+      - ./local.offen.dev.pem:/kms/local.offen.dev.pem
+      - ./local.offen.dev-key.pem:/kms/local.offen.dev-key.pem
+      - $GOPATH/pkg/mod:/go/pkg/mod
+    environment:
+      - GOPATH=/go
+    ports:
+      - 8081:8081
+    command: go run cmd/kms/main.go -port 8081
 
-vault:
-  image: timbru31/node-chrome:slim
-  working_dir: /offen/vault
-  volumes:
-    - .:/offen
-    - ./local.offen.dev.pem:/offen/vault/local.offen.dev.pem
-    - ./local.offen.dev-key.pem:/offen/vault/local.offen.dev-key.pem
-  command: npm start -- --port 9977
-  ports:
-    - 9977:9977
-  environment:
-    - SERVER_HOST=https://local.offen.dev:8080
-    - AUDITORIUM_HOST=https://local.offen.dev:9955
+  server:
+    image: golang:1.12
+    working_dir: /server
+    volumes:
+      - ./server:/server
+      - ./local.offen.dev.pem:/server/local.offen.dev.pem
+      - ./local.offen.dev-key.pem:/server/local.offen.dev-key.pem
+      - $GOPATH/pkg/mod:/go/pkg/mod
+    environment:
+      - GOPATH=/go
+      - POSTGRES_CONNECTION_STRING=postgres://postgres:develop@database:5432/postgres?sslmode=disable
+      - KMS_ENCRYPTION_ENDPOINT=http://kms:8081/encrypt
+    ports:
+      - 8080:8080
+    command: go run cmd/server/main.go -origin https://local.offen.dev:9977 -conn postgres://postgres:develop@database:5432/postgres?sslmode=disable -key local.offen.dev-key.pem -cert local.offen.dev.pem -level debug
+    links:
+      - database
+    depends_on:
+      - kms
 
-script:
-  image: timbru31/node-chrome:slim
-  working_dir: /offen/script
-  volumes:
-    - .:/offen
-    - ./local.offen.dev.pem:/offen/script/local.offen.dev.pem
-    - ./local.offen.dev-key.pem:/offen/script/local.offen.dev-key.pem
-  command: npm start -- --port 9966
-  ports:
-    - 9966:9966
-  environment:
-    - VAULT_HOST=https://local.offen.dev:9977
+  database:
+    image: postgres:11.2
+    environment:
+      - POSTGRES_PASSWORD=develop
 
-auditorium:
-  image: timbru31/node-chrome:slim
-  working_dir: /offen/auditorium
-  volumes:
-    - .:/offen
-    - ./local.offen.dev.pem:/offen/auditorium/local.offen.dev.pem
-    - ./local.offen.dev-key.pem:/offen/auditorium/local.offen.dev-key.pem
-  command: npm start -- --port 9955
-  ports:
-    - 9955:9955
-  environment:
-    - VAULT_HOST=https://local.offen.dev:9977
+  vault:
+    image: timbru31/node-chrome:slim
+    working_dir: /offen/vault
+    volumes:
+      - .:/offen
+      - ./local.offen.dev.pem:/offen/vault/local.offen.dev.pem
+      - ./local.offen.dev-key.pem:/offen/vault/local.offen.dev-key.pem
+    command: npm start -- --port 9977
+    ports:
+      - 9977:9977
+    environment:
+      - SERVER_HOST=https://local.offen.dev:8080
+      - AUDITORIUM_HOST=https://local.offen.dev:9955
+
+  script:
+    image: timbru31/node-chrome:slim
+    working_dir: /offen/script
+    volumes:
+      - .:/offen
+      - ./local.offen.dev.pem:/offen/script/local.offen.dev.pem
+      - ./local.offen.dev-key.pem:/offen/script/local.offen.dev-key.pem
+    command: npm start -- --port 9966
+    ports:
+      - 9966:9966
+    environment:
+      - VAULT_HOST=https://local.offen.dev:9977
+
+  auditorium:
+    image: timbru31/node-chrome:slim
+    working_dir: /offen/auditorium
+    volumes:
+      - .:/offen
+      - ./local.offen.dev.pem:/offen/auditorium/local.offen.dev.pem
+      - ./local.offen.dev-key.pem:/offen/auditorium/local.offen.dev-key.pem
+    command: npm start -- --port 9955
+    ports:
+      - 9955:9955
+    environment:
+      - VAULT_HOST=https://local.offen.dev:9977