Install Key Manager on Upstream Kubernetes

This section documents steps for installing and managing AIStor Key Manager on Kubernetes infrastructure using a distribution that follows the upstream API and functionality.

This procedure assumes that the user interacting with the Kubernetes cluster has authorization to:

  • Install Kubernetes operators and associated resources, including CustomResourceDefinitions, StatefulSets, and Secrets, into new or existing namespaces, and
  • Perform operations as a user that has broad permissions to create resources within multiple namespaces.

Deploy AIStor Key Manager using Helm

This procedure documents installation on Kubernetes with the AIStor Helm Charts.

As of release RELEASE.2025-11-12T19-14-51Z, AIStor Key Manager no longer requires a MinIO Commercial License to operate.

Previous versions (prior to RELEASE.2025-11-12T19-14-51Z) require a MinIO Commercial License configured in the operator chart values. For license configuration instructions for previous versions, see the Legacy License Installation Guide.

  1. Add the AIStor Helm Repository

    helm repo add minio https://helm.min.io/
    
  2. Install the minio/aistor-keymanager-operator chart

    This chart contains the necessary Kubernetes resources for deploying AIStor Key Manager resources through the aistor-keymanager chart.

    The operator chart supports hierarchical configuration where you can set values globally under global.operator.* that apply to all operators, then override specific values for individual operators under operators.<operator-name>.*. Individual operator settings take precedence over global settings. If you do not specify settings at either the individual or global level, then the operator uses the default settings value in the chart template. See Configuration Precedence for details.
  3. Install the chart to the keymanager-operator namespace:

    helm install keymanager-operator minio/aistor-keymanager-operator \
      -n keymanager-operator --create-namespace
    

    If successful, the command outputs a summary of installed resources.

    To validate the installation, run kubectl get all -n keymanager-operator and check the status of deployed resources. The chart creates a Deployment, ReplicaSet, Service, and Pod within the namespace.

  4. Generate a root encryption key for Key Manager

    Key Manager uses a Root Encryption Key (REK) to encrypt all stored cryptographic data. Anyone who holds the REK can decrypt that stored key material, and if the REK is lost the stored keys cannot be recovered. To generate a key, use the following command:

    docker run quay.io/minio/aistor/minkms:latest --soft-hsm
    

    The output resembles the following:

    hsm:ALGORITHM:<KEYSTRING>
    

    Save the output to a secure location such as a dedicated secrets manager or password vault. Do not commit it to version control or paste it into shared chat or ticketing systems.

  5. Deploy the minio/aistor-keymanager chart

    The following command deploys the Key Manager with the name and namespace of aistor-keymanager. Passing the REK with --set places it in your shell history and in the argument list of the helm process while it runs; supplying the same value through a values file passed with -f avoids both. Either way, Helm stores the release values, including this key, in a Secret in the release namespace, so anyone who can read Secrets in aistor-keymanager can read the REK.

       helm install aistor-keymanager minio/aistor-keymanager \
         -n aistor-keymanager --create-namespace \
         --set "keyManager.hsm.key=hsm:ALGORITHM:<KEYSTRING>"
    

    The command outputs instructions for connecting an AIStor object store to the Key Manager. AIStor can then use Key Manager to enable Server Side Encryption of objects.

    By default, Key Manager deploys with 3 replicas. Each replica requires 25MiB of storage and uses the default storage class on the cluster. For more complete documentation, see Server Side Encryption with AIStor Key Manager.
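The five steps above as a single shell wrapper. This is an added example, not code from the page or from MinIO's charts. It assumes that the minkms container prints the REK on stdout, that the ALGORITHM field is alphanumeric and the key string contains no colons or whitespace (the page only shows the hsm:ALGORITHM:<KEYSTRING> shape), and that the OPERATOR_NS and KM_NS variables, the kubectl wait check and the values-file layout mirroring keyManager.hsm.key are the author's choices rather than anything the charts require. The helm and docker calls run only when the script is invoked with the argument deploy; the validation and file-writing functions can be exercised without a cluster.

```shell
#!/usr/bin/env sh
# Added example: wrapper for installing AIStor Key Manager via Helm.
# Keeps the REK off the helm command line (shell history, process list)
# by writing it to a mode-0600 values file, and checks its shape first.
set -eu

OPERATOR_NS="${OPERATOR_NS:-keymanager-operator}"   # assumed default
KM_NS="${KM_NS:-aistor-keymanager}"                 # assumed default

# Accept only the "hsm:ALGORITHM:KEYSTRING" shape shown in the docs.
# Assumption: ALGORITHM is alphanumeric; KEYSTRING has no colons or spaces.
validate_rek() {
  case "$1" in
    hsm:*:*) ;;
    *) return 1 ;;
  esac
  alg=${1#hsm:}; alg=${alg%%:*}      # text between first and second colon
  key=${1#hsm:*:}                    # everything after the second colon
  case "$alg" in
    ""|*[!A-Za-z0-9_-]*) return 1 ;;
  esac
  case "$key" in
    ""|*:*|*[[:space:]]*) return 1 ;;
  esac
  return 0
}

# Write the REK into a Helm values file equivalent to
# --set keyManager.hsm.key=<rek>, readable only by the current user.
write_values_file() {
  validate_rek "$1" || { echo "refusing to write: REK has unexpected shape" >&2; return 1; }
  ( umask 077; printf 'keyManager:\n  hsm:\n    key: "%s"\n' "$1" > "$2" )
  chmod 600 "$2"
}

install_operator() {
  helm repo add minio https://helm.min.io/
  helm repo update
  helm install keymanager-operator minio/aistor-keymanager-operator \
    -n "$OPERATOR_NS" --create-namespace
  # Wait for the operator Deployment rather than eyeballing `kubectl get all`.
  kubectl wait --for=condition=Available deployment --all \
    -n "$OPERATOR_NS" --timeout=180s
  kubectl get all -n "$OPERATOR_NS"
}

generate_rek() {
  # Assumption: the REK is the only thing printed on stdout.
  docker run --rm quay.io/minio/aistor/minkms:latest --soft-hsm
}

install_key_manager() {
  helm install aistor-keymanager minio/aistor-keymanager \
    -n "$KM_NS" --create-namespace -f "$1"
}

deploy() {
  install_operator
  rek=$(generate_rek | tr -d '\r\n')
  workdir=$(mktemp -d)
  write_values_file "$rek" "$workdir/values.yaml"
  echo "REK written to $workdir/values.yaml; store it in your vault before deleting it" >&2
  install_key_manager "$workdir/values.yaml"
  kubectl get all -n "$KM_NS"
}

if [ "${1:-}" = "deploy" ]; then
  deploy
fi
```

Run it as `sh install-keymanager.sh deploy` against a cluster where helm, kubectl and docker are already configured. Validation deliberately fails closed: if the minkms container prints anything besides the key, or the key string is truncated, the wrapper stops before anything reaches Helm instead of installing Key Manager with a malformed REK. The values file is left in place so the operator can copy the REK into a vault and then delete it; remember that the Helm release Secret in the Key Manager namespace holds a copy regardless.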