Enclave Management

An enclave is an isolated collection of cryptographic keys. This provides a means to separate groups of keys stored in Key Manager, such as all of the keys for a specific AIStor object store cluster. You can create multiple enclaves within a single Key Manager deployment to separate keys for different object stores, applications, or teams.

Enclaves also provide isolation for authentication and access control, where each non-root identity is associated with a specific enclave. Within an enclave, you can create either admin identities with full access to all key and identity operations, or user identities with limited policy-controlled access to operations.

The following diagram provides a visual overview of how Key Manager separates enclaves and their respective resources:

k k e e K y y o E - - b Y 1 2 j S e c t E - n s c t l o a r v e I a u e - D d s d E m e c N i r - T n - 1 I - 1 T 1 A I I E S S t o r K e y M a n a g k k e e e r K y y o E - - b Y 1 2 j S e c t E - n s c t l o a r v e I a u e - D d s d E m e c N i r - T n - 2 I - 1 T 1 I E S

All keys and identities are scoped to a specific enclave. A user authenticating against one enclave cannot access keys or perform other operations within a different enclave. Key Manager does not support sharing keys or identities between enclaves, although you can add the same key to multiple enclaves if necessary.

Only the root user can perform enclave operations, such as creating or deleting enclaves.

Create a new enclave

Use the minkms add enclave command to create a new enclave:

minkms add enclave aistor-object-store-primary --id k1:<ROOT-API-KEY>

Specify the k1:<ROOT-API-KEY> secret key of the root identity. Only the root user can perform enclave operations.

When performing cryptographic key operations, you must specify the enclave to use. For example, the following command adds a new customer managed key (CMK) to the aistor-object-store-primary enclave:

minkms add key data-bucket-encryption-key --enclave aistor-object-store-primary --id k1:<ADMIN-API-KEY>

The --id option specifies the API key of an identity that has write access to the specified enclave, such as an admin identity created using the minkms add-identity command.

Delete an enclave

Deleting an enclave removes all cryptographic keys stored within the enclave. If you don’t have a backup from which to restore the deleted keys, data encrypted with those keys is permanently lost. Use extreme caution when performing this operation.

Use the minkms rm enclave command to delete an existing enclave:

minkms rm enclave aistor-object-store-primary --id k1:<ROOT-API-KEY>

Specify the k1:<ROOT-API-KEY> secret key of the root identity. Only the root user can perform operations that manage an enclave, such as creation or deletion.