Store HSM on Hashicorp Vault
AIStor Key Manager supports using Hashicorp Vault for storing the Hardware Security Module (HSM) key associated with a Root Encryption Key (REK).
The Vault instance stores the HSM such that a user with access to the cluster Key Manager has no immediate access to the plaintext key value. You can enable the external HSM Key Manager at any time after completing the initial installation.
Prerequisites
- The local or cluster Key Manager deployment for supporting AIStor Object Store Server Side Encryption
- The Hashicorp Vault deployment for storing the HSM.
- Key Manager Operator chart 1.1.2 or later
- Key Manager chart 2.0.2 or later
The Hashicorp Vault instance must have the transit secrets engine available to support external HSM storage. The transit configuration must allow the following set of permissions:

  path "transit/encrypt/minkms-sealing-key" {
    capabilities = [ "update" ]
  }
  path "transit/decrypt/minkms-sealing-key" {
    capabilities = [ "update" ]
  }
  path "transit/hmac/minkms-sealing-key" {
    capabilities = [ "update" ]
  }
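As an added check that is not part of the AIStor documentation, the following Python snippet parses a Vault policy written in the simple path/capabilities form shown above and reports whether it grants exactly the three transit paths with the update capability, flagging anything that is missing or broader than needed (such as a wildcard grant on transit/*). The two sample policies are constructed for this example.

```python
import re
from typing import Dict, List, Set

# Transit paths the Key Manager needs, each with exactly the "update"
# capability, as listed in the policy above.
REQUIRED_PATHS: Dict[str, Set[str]] = {
    "transit/encrypt/minkms-sealing-key": {"update"},
    "transit/decrypt/minkms-sealing-key": {"update"},
    "transit/hmac/minkms-sealing-key": {"update"},
}

# Matches one `path "..." { capabilities = [ ... ] }` block.
_PATH_BLOCK = re.compile(
    r'path\s+"(?P<path>[^"]+)"\s*\{\s*capabilities\s*=\s*\[(?P<caps>[^\]]*)\]\s*\}'
)


def parse_policy(hcl: str) -> Dict[str, Set[str]]:
    """Return {path: set of capabilities} for every path block in the policy."""
    policy: Dict[str, Set[str]] = {}
    for m in _PATH_BLOCK.finditer(hcl):
        caps = {c.strip().strip('"') for c in m.group("caps").split(",") if c.strip()}
        policy.setdefault(m.group("path"), set()).update(caps)
    return policy


def check_sealing_policy(hcl: str) -> List[str]:
    """Return findings; an empty list means the policy matches the required grants exactly."""
    policy = parse_policy(hcl)
    findings: List[str] = []
    for path, needed in REQUIRED_PATHS.items():
        granted = policy.get(path)
        if granted is None:
            findings.append(f"missing path: {path}")
        elif not needed <= granted:
            findings.append(f"{path}: needs {sorted(needed)}, has {sorted(granted)}")
        elif granted - needed:
            findings.append(f"{path}: extra capabilities {sorted(granted - needed)}")
    # Any grant outside the three required paths widens the sealing policy.
    for path, granted in policy.items():
        if path not in REQUIRED_PATHS:
            findings.append(f"unexpected path grant: {path} {sorted(granted)}")
    return findings


# Constructed sample: the policy as documented above.
PAGE_POLICY = """
path "transit/encrypt/minkms-sealing-key" { capabilities = [ "update" ] }
path "transit/decrypt/minkms-sealing-key" { capabilities = [ "update" ] }
path "transit/hmac/minkms-sealing-key" { capabilities = [ "update" ] }
"""

# Constructed sample: an over-broad wildcard grant that should be flagged.
BROAD_POLICY = 'path "transit/*" { capabilities = ["create", "read", "update", "delete", "list"] }'
```

Run the checker against the policy you intend to attach to the Key Manager's Vault token; any finding means the policy is either insufficient or wider than the documented least-privilege set.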
Refer to the Vault documentation for guidance on setup and configuration.
See the installation instructions for further guidance on deploying AIStor Key Manager.
Procedure
- Create the necessary tokens for authenticating to Vault
  Key Manager supports either the approle or the kubernetes authentication method. Prepare the following for this procedure:
- Modify the values file for the cluster Key Manager
  Open the chart values file in your preferred text editor and add the keymanager.configuration.hsm.hashicorp.vault section:
- (Optional) Disable the local HSM
  You can disable the local HSM used to initialize the cluster Key Manager after configuring the external HSM. This prevents using that HSM or its associated Root Encryption Key (REK) for accessing the encryption key database.
  To disable the local HSM, comment out or remove the keymanager.configuration.hsm.key value from the values.yaml file.
- Update the chart with the new values.yaml
  Use the helm upgrade command to upgrade the chart with the new values.yaml:

    helm upgrade aistor-keymanager minio/aistor-keymanager \
      -n aistor-keymanager \
      -f keymanager-values.yaml