Store HSM on Hashicorp Vault

AIStor Key Manager supports using Hashicorp Vault for storing the Hardware Security Module (HSM) key associated with a Root Encryption Key (REK).

The Vault instance stores the HSM such that a user with access to the cluster Key Manager has no immediate access to the plaintext key value. You can enable the external HSM Key Manager at any time after completing the initial installation.

Prerequisites

The local or cluster Key Manager deployment for supporting AIStor Object Store Server Side Encryption
The Hashicorp Vault deployment for storing the HSM.
Key Manager Operator chart 1.1.2 or later
Key Manager chart 2.0.2 or later

The Hashicorp Vault instance must provide support for the transit engine to support external HSM storage. The transit configuration must allow the following set of permissions:

path "transit/encrypt/minkms-sealing-key" {
   capabilities = [ "update" ]
}
path "transit/decrypt/minkms-sealing-key" {
   capabilities = [ "update" ]
}
path "transit/hmac/minkms-sealing-key" {
   capabilities = [ "update" ]
}

Refer to the Vault documentation for guidance on setup and configuration.

See the installation instructions for further guidance on deploying AIStor Key Manager.

Procedure

Create the necessary tokens for authenticating to Vault

Key Manager supports either the approle or the kubernetes authentication method.

Prepare the following for this procedure:
approle
- A role_id
- The corresponding secret_id
The following optional value may be required depending on your configuration:
- A namespace
kubernetes
- The service account role
- The name or path to a service account JWT
The following optional values may be required depending on your configuration:
- The transit engine namespace
- The auth mount path

Modify the values file for the cluster Key Manager

Open the chart values file in your preferred text editor and add the keymanager.configuration.hsm.hashicorp.vault section:

approle

# keymanager-values.yaml

# Other configuration settings above this line
keymanager:
   configuration:
      hsm:
         vault:
            server: https://vault.example.net:8200
            approle:
               id: UUID # App Role ID
               secret: UUID # App Role Secret
               namespace: ns-1 # Optional namespace for the approle
               path: approle # Optional mount point for the approle
            transit:
               key: aistor-key-manager-hsm
               namespace: ns-1 # Optional namespace for the transit engine
               path: transit # Optional mount point for the transit engine

kubernetes

# keymanager-values.yaml

# Other configuration settings above this line
keymanager:
   configuration:
      hsm:
         vault:
            server: https://vault.example.net:8200
            approle:
               id: UUID # App Role ID
               secret: UUID # App Role Secret
               namespace: ns-1 # Optional namespace for the approle
               path: approle # Optional mount point for the approle
            kubernetes:
               role: aistor-key-manager-role
               jwt: /tmp/kubernetes/jwt
               namespace: ns-3 # Optional namespace for the kubernetes auth
               path: kubernetes # Optional mount point for the kubernetes auth

(Optional) Disable the local HSM

You can disable the local HSM used to initialize the cluster Key Manager after configuring the external HSM. This prevents using that HSM or its associated Root Encryption Key (REK) for accessing the encryption key database.

To disable the local HSM, comment out or remove the keymanager.configuration.hsm.key value from the values.yaml file.

Update the chart with the new values.yaml:

Use the helm upgrade command to upgrade the chart with the new values.yaml:

helm upgrade aistor-keymanager minio/aistor-keymanager \
  -n aistor-keymanager \
  -f keymanager-values.yaml