Core Concepts

AIStor Key Manager is a robust key management server designed to securely store cryptographic keys and other sensitive data. Key Manager provides functionality similar to third-party Key Management Services (KMS), such as an HTTP API for encryption and decryption operations, a scalable design, high availability, high performance, and low latency.

Architecture

A Key Manager cluster consists of at least one server or host. Each node in the cluster is a full replica that can service read and write operations.

In production environments, a cluster has at least three hosts with no enforced upper limit on additional cluster nodes. Adding new nodes increases overall availability of cryptographic data while increasing the available hosts for servicing encryption-related requests.

Clusters enforce strictly consistent and linearizable behavior for all state changes. Any one node in the cluster can perform read operations such as en/decryption or derivation of cryptographic keys from existing data encryption keys. Write operations, such as the creation of new data encryption keys, require complete consensus from all nodes in the cluster. The availability of Key Manager is summarized as follows:

  • Read Quorum - 1 of n nodes
  • Write Quorum - n of n nodes

Scalability

Each new Key Manager node provides a full copy of all data keys and configurations stored on the cluster. Adding a new node to the cluster requires joining the new host using the minkms add command. Only the SysAdmin user has the necessary permissions to add or remove nodes from the cluster.

Once expanded, update any load balancers, reverse proxies, or other network control components to include the new host as part of the configuration. Clients can then transparently benefit from the increased handling of cryptographic read/write operations.

Security

Key Manager uses a software-defined Hardware Security Module (HSM) key to do the following:

  • Establishing internode trust and access
  • Sealing/unsealing data stored on disk

All Key Manager nodes in the cluster must use the same HSM. Removing the HSM from the Key Manager configuration prevents unsealing and access to all stored data on process restart. If the HSM has no backup, that data is rendered permanently unreadable.

Key Manager supports using several HSM keys on multiple providers to provide additional availability in the event of key loss. Specifically, Key Manager supports storing the HSM key on any or all of:

  • Environment Variable (on-disk)
  • Additional dedicated AIStor Key Manager
  • Hashicorp Vault

Cryptographic Secure Erasure and Locking

Key Manager uses a chain of cryptographic keys as part of encryption operations. The Key Manager administrator has control over the following portions of that chain in decreasing scope of impact:

  • The Hardware Security Module (HSM) key: The HSM key controls seal/unseal operations on all data stored on disk. Removing it renders all data encrypted using the Key Manager deployment unreadable.
  • An enclave: An enclave stores related CMKs in a single namespace. Removing it renders all data encrypted by those CMKs permanently unreadable.
  • A Customer Master Key (CMK): A single CMK may control en/decryption for several buckets or objects. Removing it renders all data encrypted using the key permanently unreadable.

Exercise extreme caution before disabling or removing any of these resources.
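The following is an added toy model of the key chain described in the Security and Cryptographic Secure Erasure sections above; it is not Key Manager's own code or on-disk format. The HSM key seals the enclave store, enclaves hold CMKs, and each CMK wraps a per-object data key, so deleting any link makes everything beneath it unrecoverable. The cipher is a constructed HMAC-SHA256 keystream chosen so the example runs on the standard library alone; it is not the cipher Key Manager uses.

```python
# Added illustration of the HSM key -> enclave -> CMK -> data key chain.
# NOT Key Manager's code; the stream cipher below is a constructed toy.
import hashlib, hmac, json, os

def _xor_stream(key, nonce, data):
    # Toy keystream: XOR data with HMAC-SHA256(key, nonce || block counter).
    out = bytearray()
    for i in range(0, len(data), 32):
        blk = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], blk))
    return bytes(out)

def wrap(key, plaintext):  # nonce || ciphertext || tag (encrypt-then-MAC)
    nonce = os.urandom(16)
    ct = _xor_stream(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unwrap(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong or missing key: data is unrecoverable")
    return _xor_stream(key, nonce, ct)

class KeyChain:
    def __init__(self, hsm_key):
        self.hsm_key, self.enclaves = hsm_key, {}  # enclave -> {cmk name: cmk}

    def create_cmk(self, enclave, name):
        self.enclaves.setdefault(enclave, {})[name] = os.urandom(32)

    def encrypt_object(self, enclave, cmk, plaintext):
        dek = os.urandom(32)  # fresh data key per object, wrapped by the CMK
        return {"enclave": enclave, "cmk": cmk,
                "wrapped_dek": wrap(self.enclaves[enclave][cmk], dek),
                "ciphertext": wrap(dek, plaintext)}

    def decrypt_object(self, rec):
        cmk = self.enclaves[rec["enclave"]][rec["cmk"]]  # KeyError once the CMK or enclave is deleted
        return unwrap(unwrap(cmk, rec["wrapped_dek"]), rec["ciphertext"])

    def seal(self):  # the on-disk state: every enclave and CMK sealed under the HSM key
        store = {e: {n: k.hex() for n, k in c.items()} for e, c in self.enclaves.items()}
        return wrap(self.hsm_key, json.dumps(store).encode())

    @classmethod
    def unseal(cls, hsm_key, blob):  # raises ValueError if the HSM key is wrong or gone
        kc = cls(hsm_key)
        kc.enclaves = {e: {n: bytes.fromhex(k) for n, k in c.items()}
                       for e, c in json.loads(unwrap(hsm_key, blob)).items()}
        return kc
```

Deleting a CMK or enclave from `enclaves`, or losing the HSM key needed by `unseal`, leaves the ciphertext intact but unrecoverable, which is the cryptographic erasure effect the section describes.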

All Rights Reserved 2024-Present, MinIO, Inc.