Store HSM on Hashicorp Vault

AIStor Key Manager supports using Hashicorp Vault for storing the Hardware Security Module (HSM) key associated with a Root Encryption Key (REK).


Refer to the Vault documentation for guidance on setup and configuration.

See the installation instructions for further guidance on deploying AIStor Key Manager.

Procedure

  1. Create the necessary tokens for authenticating to Vault

    Key Manager authenticates to Vault with either the AppRole (approle) or the Kubernetes (kubernetes) auth method. Grant the role or service account a policy scoped to the Vault path Key Manager uses for the HSM key and nothing else; Key Manager does not need access to other secrets or to sys/ and auth/ paths.

    Prepare the following for this procedure:

  2. Modify the values file for the cluster Key Manager

    Open the chart values file in your preferred text editor and add the keymanager.configuration.hsm.hashicorp.vault section:

  3. (Optional) Disable the local HSM

    After the external HSM is configured and Key Manager has been verified to start and serve requests with it, you can disable the local HSM that was used to initialize the cluster Key Manager. Once disabled, neither that HSM nor its associated Root Encryption Key (REK) can be used to access the encryption key database, so access depends entirely on Vault being reachable and the configured credentials remaining valid. Do not remove the local key until the Vault-backed HSM has been confirmed working, and keep a secure copy of the local key until then.

    To disable the local HSM, comment out or remove the keymanager.configuration.hsm.key value from the chart values file (keymanager-values.yaml in the example below).

  4. Update the chart with the new values.yaml:

    Run helm upgrade against the updated values file:

    helm upgrade aistor-keymanager minio/aistor-keymanager \
      -n aistor-keymanager \
      -f keymanager-values.yaml
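
The script below is an added example and is not part of the AIStor Key Manager documentation or chart. It covers step 1 for the AppRole method (a least-privilege policy plus the role whose role_id and secret_id Key Manager will use) and adds a preflight for step 3 that refuses to proceed while an uncommented keymanager.configuration.hsm.key is still present in the values file or the hashicorp section is missing. The KV v2 mount (secret), the path under it (aistor/keymanager), the role and policy names, and the TTLs are illustrative assumptions; the path must match whatever the chart's keymanager.configuration.hsm.hashicorp.vault section points at, which this page does not reproduce. The Kubernetes auth method is not covered here.

```shell
#!/bin/sh
# Added example, not MinIO's code or chart. Assumes an admin VAULT_ADDR/VAULT_TOKEN
# in the environment and that Key Manager stores its HSM key under the KV v2
# mount/path below (hypothetical values; align them with your chart values).
set -eu

VAULT_ROLE="${VAULT_ROLE:-aistor-keymanager}"        # hypothetical AppRole name
VAULT_POLICY="${VAULT_POLICY:-aistor-keymanager-hsm}" # hypothetical policy name
KV_MOUNT="${KV_MOUNT:-secret}"                        # hypothetical KV v2 mount
KV_PATH="${KV_PATH:-aistor/keymanager}"               # hypothetical path under it

# Least-privilege policy: only the HSM key path, no delete, nothing else on
# the mount, nothing under sys/ or auth/.
render_policy() {
  cat <<EOF
path "${KV_MOUNT}/data/${KV_PATH}/*" {
  capabilities = ["create", "read", "update"]
}
path "${KV_MOUNT}/metadata/${KV_PATH}/*" {
  capabilities = ["read", "list"]
}
EOF
}

# Step 1 (AppRole): create the policy and role, then print the credentials
# to put in the chart values. Requires the vault CLI and an admin token.
bootstrap_approle() {
  vault auth enable approle 2>/dev/null || true   # idempotent if already enabled
  render_policy | vault policy write "${VAULT_POLICY}" -
  # Short-lived tokens; secret_id_num_uses=0 lets a long-running pod re-login.
  vault write "auth/approle/role/${VAULT_ROLE}" \
    token_policies="${VAULT_POLICY}" \
    token_ttl=1h token_max_ttl=4h \
    secret_id_ttl=24h secret_id_num_uses=0
  role_id=$(vault read -field=role_id "auth/approle/role/${VAULT_ROLE}/role-id")
  secret_id=$(vault write -f -field=secret_id "auth/approle/role/${VAULT_ROLE}/secret-id")
  printf 'role_id=%s\nsecret_id=%s\n' "$role_id" "$secret_id"
}

# Step 3 preflight: returns 0 only if the hsm: block of the values file has a
# hashicorp: child and no live (uncommented) key: child. Comment lines and
# blank lines are ignored; the first non-comment line after hsm: fixes the
# indentation level of its direct children.
check_local_hsm_disabled() {
  awk '
    function indent(s) { match(s, /^ */); return RLENGTH }
    /^ *(#|$)/ { next }                                # skip comments and blank lines
    in_hsm && indent($0) <= hsm_indent { in_hsm = 0 }  # left the hsm: block
    in_hsm {
      if (child_indent < 0) child_indent = indent($0)  # direct-child level
      if (indent($0) == child_indent) {
        if ($1 == "key:")       have_key = 1
        if ($1 == "hashicorp:") have_vault = 1
      }
      next
    }
    /^ *hsm: *$/ { in_hsm = 1; hsm_indent = indent($0); child_indent = -1 }
    END { exit ((have_vault && !have_key) ? 0 : 1) }
  ' "$1"
}

# Usage:
#   sh vault-hsm-setup.sh approle                    # step 1, prints role_id/secret_id
#   sh vault-hsm-setup.sh check keymanager-values.yaml && helm upgrade ...   # step 3 gate
case "${1:-}" in
  approle) bootstrap_approle ;;
  check)
    if check_local_hsm_disabled "$2"; then
      echo "ok: hsm.key removed and hashicorp section present in $2"
    else
      echo "refusing: hsm.key still set or hashicorp section missing in $2" >&2
      exit 1
    fi ;;
  *) : ;;   # no arguments: define functions only (e.g. when sourced)
esac
```

Gate the upgrade on the check so the local key is never left alongside the Vault configuration by mistake: `sh vault-hsm-setup.sh check keymanager-values.yaml && helm upgrade aistor-keymanager minio/aistor-keymanager -n aistor-keymanager -f keymanager-values.yaml`. Treat the printed secret_id as a credential: deliver it to the cluster through a Kubernetes Secret or your secrets pipeline, not by pasting it into a values file committed to version control.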