Install Key Manager on OpenShift

This page documents the installation and management of AIStor Key Manager using MinIO’s Red Hat OpenShift-certified operator. You can alternatively install Key Manager using our Helm charts.

This procedure assumes that the user interacting with the OpenShift cluster has authorization to:

  • Install Kubernetes operators and their associated resources, including CustomResourceDefinitions, StatefulSets, and Secrets, into new or existing namespaces, and
  • Perform operations as a user with broad permissions to create resources across multiple namespaces.

Install the AIStor Key Manager Operator

This section installs the OpenShift-certified Key Manager operator. You must complete this section before deploying the Key Manager.

As an alternative to the procedure below, you can install the Operator from the OpenShift OperatorHub UI: search for ‘MinIO’, select the Key Manager operator, then follow the displayed instructions.

  1. Download your SUBNET license key

    Log into MinIO SUBNET and access your License Key. From the Deployment view, select License to view the key.

    Save the value to a secure location for use in a subsequent step.

  2. Create the AIStor Key Manager namespace

    Use the oc command to create a new project for Key Manager:

    oc new-project keymanager-operator
    
  3. Create and apply the SUBNET license secret

    Use the following file as a template. Replace the minio.license value with the base64-encoded value of your SUBNET license as a single line: GNU base64 wraps its output at 76 columns by default, so encode with base64 -w0 or strip the newlines before pasting, and keep the resulting file out of version control since it carries your license.

    # license.yaml

    apiVersion: v1
    data:
      minio.license: <base 64 encoded license here>
    kind: Secret
    metadata:
      name: minio-license
    type: Opaque
    

    Apply the license to the keymanager-operator namespace:

    oc apply -f license.yaml -n keymanager-operator
    
  4. Create the Operator manifest and install to the namespace

    Use the following file as a template for the operator bundle:

    # subscription.yaml

    apiVersion: operators.coreos.com/v1alpha1
    kind: Subscription
    metadata:
      name: minio-key-manager-operator
    spec:
      channel: stable
      installPlanApproval: Automatic
      name: minio-key-manager-operator
      source: certified-operators
      sourceNamespace: openshift-marketplace
      startingCSV: minio-key-manager-operator.v2025.5.12190907
    ---
    apiVersion: operators.coreos.com/v1
    kind: OperatorGroup
    metadata:
      name: key-manager-operator-group
    

    Apply the manifest to the keymanager-operator namespace:

    oc apply -f subscription.yaml -n keymanager-operator
    
  5. Next Steps

    You can now deploy a Key Manager resource to your OpenShift cluster using either the OperatorHub UI or Helm, as described in the following sections.

Deploy AIStor Key Manager using Operator Hub

This procedure documents installation on OpenShift using the Operator Hub UI. You must first install the Key Manager Operator before proceeding.

  1. Generate a root encryption key for Key Manager

    Key Manager uses a Root Encryption Key (REK) to encrypt all stored cryptographic data. Anyone holding this value can decrypt every key Key Manager stores, so treat it as the root of trust for the deployment. To generate a key, use the following command:

    docker run quay.io/minio/aistor/minkms:latest --soft-hsm
    

    The output resembles the following:

    hsm:ALGORITHM:<KEYSTRING>
    

    Save the output to a secure location such as a dedicated secrets manager or password vault.

  2. Open the OperatorHub UI and navigate to the Key Manager Operator

    Use your preferred browser to access OperatorHub for your OpenShift installation. Select the AIStor Key Manager Operator from the list of installed operators.

  3. Create a new Key Manager

    The UI provides a tab for deploying new Key Manager resources. Use either the UI or the YAML editor to construct the Key Manager definition. Reference the AIStor Key Manager CRD for guidance in configuration.

    You can use the following example YAML as a baseline for further customization.

    apiVersion: aistor.min.io/v1alpha1
    kind: KeyManager
    metadata:
      name: my-kms
      namespace: aistor-keymanager
    spec:
      hsmSecret:
        name: my-kms-hsm
      replicas: 3
      imagePullSecrets:
        - name: registry-creds
      volumeClaimTemplate:
        metadata:
          name: key-manager-volume
        spec:
          accessModes:
            - ReadWriteOnce
          resources:
            requests:
              storage: 25Mi
          storageClassName: standard # Replace with an appropriate storage class to meet the requested value
    ---
    apiVersion: v1
    data:
      hsm: <BASE64-encoded HSM>
    kind: Secret
    metadata:
      name: my-kms-hsm
      namespace: aistor-keymanager
    type: Opaque
    
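The operator installation steps above and the Key Manager deployment in this section both ask you to hand-edit base64 into a Secret and then paste YAML into the console. The script below is an added example, not code from the MinIO page or the AIStor project: it renders both Secrets from files so the license and root key never appear in a process argument list, checks that the encoded data round-trips byte-for-byte before anything is applied, rejects a soft-HSM key that does not have the documented hsm:ALGORITHM:KEYSTRING shape, and drives the install with oc instead of the UI. The resource names match this page (keymanager-operator, minio-license, aistor-keymanager, my-kms, my-kms-hsm); the license and key file paths, the subscription.yaml filename, the storage class, and the install entry point are this script's assumptions.

```shell
#!/bin/sh
# Added example, not from the MinIO page or the AIStor project. Assumes the
# SUBNET license and the soft-HSM output have each been saved to a file, and
# that subscription.yaml is the Subscription + OperatorGroup from this page.
set -eu

OPERATOR_NS="${OPERATOR_NS:-keymanager-operator}"
KMS_NS="${KMS_NS:-aistor-keymanager}"

# Single-line base64: GNU base64 wraps at 76 columns and BSD base64 has no -w,
# so strip newlines rather than depend on either flag.
b64_oneline() { base64 | tr -d '\n'; }

# Render an Opaque Secret with one data key, reading the value from stdin so
# the license or root key never shows up in ps output or shell history.
render_secret() {        # render_secret <name> <namespace> <key>  < value-file
  printf 'apiVersion: v1\nkind: Secret\ntype: Opaque\nmetadata:\n  name: %s\n  namespace: %s\ndata:\n  %s: %s\n' \
    "$1" "$2" "$3" "$(b64_oneline)"
}

# Decode the rendered value and compare byte-for-byte with the original file.
# A wrapped or otherwise corrupt encoding would only surface as a failure at
# Key Manager runtime; catch it here.
secret_roundtrips() {    # secret_roundtrips <manifest> <key> <value-file>
  printf '%s\n' "$1" | sed -n "s/^  $2: //p" | base64 -d | cmp -s - "$3"
}

# The page documents the soft-HSM output as hsm:ALGORITHM:<KEYSTRING>. Accept
# exactly that: literal 'hsm', two more non-empty fields, no whitespace and no
# extra colons, so a pasted prompt or wrapped line cannot become the REK.
valid_soft_hsm_key() {   # valid_soft_hsm_key <string>
  case "$1" in
    hsm:?*:?*) ;;
    *) return 1 ;;
  esac
  case "$1" in
    *[[:space:]]*) return 1 ;;
  esac
  stripped=$(printf '%s' "$1" | tr -d ':')
  [ $(( ${#1} - ${#stripped} )) -eq 2 ]
}

# The KeyManager CR from this page, parameterised on the values you would
# tune: replica count, per-replica volume size and storage class.
render_keymanager() {    # render_keymanager <name> <ns> <hsm-secret> <replicas> <storage> <storage-class>
  cat <<EOF
apiVersion: aistor.min.io/v1alpha1
kind: KeyManager
metadata:
  name: $1
  namespace: $2
spec:
  hsmSecret:
    name: $3
  replicas: $4
  imagePullSecrets:
    - name: registry-creds
  volumeClaimTemplate:
    metadata:
      name: key-manager-volume
    spec:
      accessModes:
        - ReadWriteOnce
      resources:
        requests:
          storage: $5
      storageClassName: $6
EOF
}

install() {              # install <license-file> <soft-hsm-key-file>
  lic_manifest=$(render_secret minio-license "$OPERATOR_NS" minio.license < "$1")
  secret_roundtrips "$lic_manifest" minio.license "$1" || { echo "license secret does not round-trip" >&2; return 1; }
  hsm_key=$(cat "$2")    # $(...) drops the trailing newline the docker output ends with
  valid_soft_hsm_key "$hsm_key" || { echo "soft-HSM key is not hsm:ALGORITHM:KEYSTRING" >&2; return 1; }

  oc new-project "$OPERATOR_NS" >/dev/null 2>&1 || true   # already exists is fine
  printf '%s\n' "$lic_manifest" | oc apply -f -
  oc apply -n "$OPERATOR_NS" -f subscription.yaml
  # Wait for OLM to resolve the Subscription and for its CSV to report
  # Succeeded; the KeyManager CRD is not present until then.
  csv=""
  until [ -n "$csv" ]; do
    sleep 5
    csv=$(oc get subscription minio-key-manager-operator -n "$OPERATOR_NS" -o jsonpath='{.status.installedCSV}' 2>/dev/null || true)
  done
  until [ "$(oc get csv "$csv" -n "$OPERATOR_NS" -o jsonpath='{.status.phase}' 2>/dev/null)" = "Succeeded" ]; do sleep 5; done

  oc new-project "$KMS_NS" >/dev/null 2>&1 || true
  printf '%s' "$hsm_key" | render_secret my-kms-hsm "$KMS_NS" hsm | oc apply -f -
  render_keymanager my-kms "$KMS_NS" my-kms-hsm 3 25Mi standard | oc apply -f -
  oc wait --for=condition=Ready pod --all -n "$KMS_NS" --timeout=300s
}

case "${1:-}" in
  install) install "$2" "$3" ;;
esac
```

Run it as `sh deploy-kms.sh install /path/to/license /path/to/hsm-key` after saving the soft-HSM output with `docker run quay.io/minio/aistor/minkms:latest --soft-hsm > hsm-key`, and shred both files once the Secrets exist. The checks run before any oc call, so a malformed license or key fails fast instead of producing a Key Manager that starts and then cannot unseal its store.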

Deploy AIStor Key Manager using Helm

This procedure documents installation on OpenShift or other Kubernetes clusters with the AIStor Helm charts. You must first install the Key Manager Operator before proceeding.

  1. Add the AIStor Helm Repository

    helm repo add minio https://helm.min.io/
    
  2. Generate a root encryption key for Key Manager

    Key Manager uses a Root Encryption Key (REK) to encrypt all stored cryptographic data. Anyone holding this value can decrypt every key Key Manager stores, so treat it as the root of trust for the deployment. To generate a key, use the following command:

    docker run quay.io/minio/aistor/minkms:latest --soft-hsm
    

    The output resembles the following:

    hsm:ALGORITHM:<KEYSTRING>
    

    Save the output to a secure location such as a dedicated secrets manager or password vault.

  3. Deploy the minio/aistor-keymanager chart

    The following command deploys the Key Manager with the release name aistor-keymanager into the aistor-keymanager namespace, creating the namespace if needed. Passing the key with --set records it in your shell history and exposes it in process listings for the duration of the command; on a shared host, prefer --set-file keyManager.hsm.key=<path> pointing at a file with restricted permissions, and delete the file afterwards.

       helm install aistor-keymanager minio/aistor-keymanager \
         -n aistor-keymanager --create-namespace \
         --set "keyManager.hsm.key=hsm:ALGORITHM:<KEYSTRING>"
    

    The command outputs instructions for connecting an AIStor object store to the Key Manager. AIStor can then use Key Manager to enable Server-Side Encryption of objects.

    By default, Key Manager deploys with 3 replicas. Each replica requests 25 MiB of persistent storage from the cluster's default storage class. For more complete documentation, see Server-Side Encryption with AIStor Key Manager.

All Rights Reserved 2024-Present, MinIO, Inc.