Citadel (c5l) is a simple daemon that implements the Kubernetes Key Management Service (KMS) interface by acquiring a key encryption key (KEK) from an arbitrary command. This makes it easy to plug in your own key management solution as a simple unix command that returns the KEK. When c5l starts, it runs the command you provide it. This command returns the KEK on standard output. If this command fails during startup, c5l will exit. Otherwise, it will use the KEK from the command to encrypt and decrypt input from Kubernetes.