Installation

AIStor Key Manager supports installation on Linux hosts and on Kubernetes.

Hardware and host configuration

The following table lists the minimum requirements for a Key Manager server:

Component   Minimum requirement
CPU         Single-socket server-grade CPU with support for the AES-NI instruction set
Memory      8 GiB available
Storage     10 GiB SSD or NVMe
Network     10 GbE low-latency interface

AES-NI matters for more than throughput: the AES-GCM TLS cipher suites listed later run at full speed and in constant time only with hardware AES support, so hosts without it should expect to negotiate the ChaCha20-Poly1305 suite instead, which FIPS mode does not permit.

Security standards typically discourage storing encryption keys on the same hosts as the data they encrypt. Deploy Key Manager on physical or virtual hosts that are fully separated from the AIStor Object Store clusters it serves.

Key Manager Requires TLS Encryption

Key Manager requires TLS for all connections so that cryptographic material never crosses the network in the clear. For production environments, generate certificates signed by a trusted or managed Certificate Authority. If the CA is internal, private, or otherwise not present in common trust stores, the full chain of CA certificates must be available to every client so it can validate the Key Manager certificate.

In Linux deployments, defer to your organization’s procedures for minting TLS certificates.

In Kubernetes deployments, the Key Manager Operator can automatically provision certificates using the Kubernetes TLS API. Other applications in the cluster can then connect to and trust Key Manager through the Kubernetes cluster Certificate Authority.

The following table lists the recommended TLS settings for Key Manager:

Setting                 Recommendation
TLS version             1.3
TLS cipher suite        TLS_AES_128_GCM_SHA256 or TLS_CHACHA20_POLY1305_SHA256
X.509 public key        ECDSA P-256 or Ed25519 (Ed25519 is not available in FIPS mode)
X.509 signature hash    SHA2-256
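As an added example (not code from this page or from MinIO), the following Go program puts the recommendations above into practice: it mints a private P-256 CA and a P-256 leaf certificate signed with SHA2-256, serves the full chain (leaf first, then the private CA) from a TLS 1.3-only listener on loopback, and connects with a client that trusts only that private CA. A second client capped at TLS 1.2 is refused. The hostname keymanager.example.internal and the certificate subjects are assumptions, and Go's crypto/tls stands in for the Key Manager listener itself.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical Key Manager hostname used for the constructed certificates below.
const serverName = "keymanager.example.internal"

// issue signs a certificate for pub with parentKey (self-signed when parent is nil).
// Go picks the signature hash from the signer, so a P-256 signer yields ECDSA with SHA2-256.
func issue(pub, parentKey any, parent *x509.Certificate, isCA bool) (*x509.Certificate, error) {
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: serial, KeyUsage: x509.KeyUsageDigitalSignature,
		Subject: pkix.Name{CommonName: serverName}, DNSNames: []string{serverName},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour)}
	if isCA {
		tmpl.Subject, tmpl.DNSNames = pkix.Name{CommonName: "Example Private CA"}, nil
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// serve mints a private P-256 CA and a P-256 leaf, then listens on loopback TCP with
// TLS 1.3 only, serving the full chain (leaf first, then the CA). It returns the
// address, the root pool a client must trust, and a function that stops the listener.
func serve() (addr string, roots *x509.CertPool, stop func(), err error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ca, err := issue(&caKey.PublicKey, caKey, nil, true)
	if err != nil {
		return "", nil, nil, err
	}
	leaf, err := issue(&leafKey.PublicKey, caKey, ca, false)
	if err != nil {
		return "", nil, nil, err
	}
	cfg := &tls.Config{
		MinVersion:       tls.VersionTLS13, // TLS 1.2 and earlier are refused with a protocol_version alert
		CurvePreferences: []tls.CurveID{tls.CurveP256, tls.X25519},
		Certificates:     []tls.Certificate{{Certificate: [][]byte{leaf.Raw, ca.Raw}, PrivateKey: leafKey}},
		// Go fixes the TLS 1.3 suites to the three on this page; CipherSuites would only shape a 1.2 fallback.
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return "", nil, nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener stopped
			}
			go func() { _ = c.(*tls.Conn).Handshake(); c.Close() }() // failures reach the client as alerts
		}
	}()
	roots = x509.NewCertPool()
	roots.AddCert(ca)
	return ln.Addr().String(), roots, func() { ln.Close() }, nil
}

// connect dials the server as a client that trusts only roots and offers at most
// maxVersion, returning the negotiated connection state.
func connect(addr string, roots *x509.CertPool, maxVersion uint16) (tls.ConnectionState, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: roots, ServerName: serverName, MaxVersion: maxVersion})
	if err != nil {
		return tls.ConnectionState{}, err
	}
	defer conn.Close()
	return conn.ConnectionState(), nil
}

func main() {
	addr, roots, stop, err := serve()
	if err != nil {
		panic(err)
	}
	defer stop()
	st, err := connect(addr, roots, tls.VersionTLS13)
	fmt.Printf("TLS 1.3 client: version=0x%04x suite=%s chain=%d err=%v\n", st.Version, tls.CipherSuiteName(st.CipherSuite), len(st.PeerCertificates), err)
	_, err = connect(addr, roots, tls.VersionTLS12)
	fmt.Println("TLS 1.2-only client:", err)
}
```

Go offers exactly the three TLS 1.3 suites listed in the next section and does not let CipherSuites narrow them, so the enforcement points are MinVersion, CurvePreferences and the client's root pool; in FIPS mode, additionally compare the negotiated ConnectionState().CipherSuite against the AES-only list after the handshake. With go run, main prints what each client negotiated and the error the TLS 1.2-only client receives.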

Supported TLS Ciphers

TLS 1.3 Ciphers

Key Manager supports the following cipher suites for TLS 1.3:

  • TLS_CHACHA20_POLY1305_SHA256
  • TLS_AES_128_GCM_SHA256
  • TLS_AES_256_GCM_SHA384

In FIPS mode, Key Manager supports only the AES-GCM cipher suites.

TLS 1.2 Ciphers

  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

In FIPS mode, Key Manager supports only the AES-GCM cipher suites from this list.

Supported X.509 certificate public keys

Key Manager supports the following public key algorithms in X.509 certificates:

  • RSA-2048 up to RSA-4096, OAEP and PSS (OAEP is an encryption padding; certificate signatures use PSS)
  • ECDSA with P-256, P-384 and P-521
  • EdDSA/Ed25519

Key Manager in FIPS mode does not support EdDSA/Ed25519.

Supported X.509 signature hash functions

Key Manager supports the following signature hash functions:

  • SHA2-256
  • SHA2-384
  • SHA2-512
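The following Go program is an added example, not code from this page or from MinIO. It encodes the supported-algorithm lists above (public key types and sizes, signature hash functions, and the FIPS-mode exclusion of Ed25519) as a check over a parsed x509.Certificate, then exercises it with constructed self-signed certificates for P-256, P-384, Ed25519, RSA-2048 and an out-of-range RSA-1024 key, in both normal and FIPS mode. The RSA rule follows the page literally and accepts PSS signatures only; that is an assumption to relax if your CA signs RSA certificates with PKCS#1 v1.5.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// checkCert applies this page's supported key and signature-hash lists to one parsed
// certificate; fips=true adds the FIPS-mode restriction (no Ed25519). RSA follows the
// page literally (PSS), so PKCS#1 v1.5-signed RSA certificates are rejected here.
func checkCert(cert *x509.Certificate, fips bool) error {
	switch pub := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		if b := pub.N.BitLen(); b < 2048 || b > 4096 {
			return fmt.Errorf("RSA-%d is outside RSA-2048..RSA-4096", b)
		}
	case *ecdsa.PublicKey:
		if c := pub.Curve; c != elliptic.P256() && c != elliptic.P384() && c != elliptic.P521() {
			return fmt.Errorf("unsupported ECDSA curve %s", c.Params().Name)
		}
	case ed25519.PublicKey:
		if fips {
			return fmt.Errorf("Ed25519 keys are not supported in FIPS mode")
		}
	default:
		return fmt.Errorf("unsupported public key type %T", pub)
	}
	switch cert.SignatureAlgorithm {
	case x509.SHA256WithRSAPSS, x509.SHA384WithRSAPSS, x509.SHA512WithRSAPSS,
		x509.ECDSAWithSHA256, x509.ECDSAWithSHA384, x509.ECDSAWithSHA512:
		return nil // RSA-PSS or ECDSA over SHA2-256, SHA2-384 or SHA2-512
	case x509.PureEd25519:
		if !fips {
			return nil
		}
	}
	return fmt.Errorf("unsupported signature algorithm %s", cert.SignatureAlgorithm)
}

// selfSigned wraps key in a minimal self-signed certificate (constructed test input);
// RSA keys are signed with PSS to match the page's RSA entry.
func selfSigned(key crypto.Signer) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test"},
		NotAfter: time.Now().Add(time.Hour)}
	if _, isRSA := key.Public().(*rsa.PublicKey); isRSA {
		tmpl.SignatureAlgorithm = x509.SHA256WithRSAPSS
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, t0(tmpl), key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// t0 returns its argument; self-signing uses the template as its own parent.
func t0(c *x509.Certificate) *x509.Certificate { return c }

// evaluate generates one constructed key per algorithm of interest, wraps each in a
// certificate and records checkCert's verdict in normal and FIPS mode under the key
// "<label>/fips=<bool>": "ok" or the rejection reason.
func evaluate() (map[string]string, error) {
	p256, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	p384, _ := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	_, ed, _ := ed25519.GenerateKey(rand.Reader)
	rsa2048, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	rsa1024, err := rsa.GenerateKey(rand.Reader, 1024) // below the page's RSA-2048 floor
	if err != nil {
		return nil, err
	}
	keys := map[string]crypto.Signer{"ecdsa-p256": p256, "ecdsa-p384": p384, "ed25519": ed,
		"rsa-2048": rsa2048, "rsa-1024": rsa1024}
	verdicts := map[string]string{}
	for label, key := range keys {
		cert, err := selfSigned(key)
		if err != nil {
			return nil, err
		}
		for _, fips := range []bool{false, true} {
			verdict := "ok"
			if err := checkCert(cert, fips); err != nil {
				verdict = err.Error()
			}
			verdicts[fmt.Sprintf("%s/fips=%t", label, fips)] = verdict
		}
	}
	return verdicts, nil
}

func main() {
	fmt.Println(evaluate())
}
```

Feed checkCert the leaf and every intermediate of a real chain (x509.ParseCertificate over each PEM block) before deploying it; a chain can carry a compliant P-256 leaf under a SHA-1-signed or 1024-bit RSA intermediate, and the check rejects that intermediate, which is the point.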

All Rights Reserved 2024-Present, MinIO, Inc.