Store HSM on Key Manager
AIStor Key Manager supports using an independent Key Manager deployment for storing the Hardware Security Module (HSM) key associated with a Root Encryption Key (REK).
The independent Key Manager stores the HSM key such that a user with access to the cluster Key Manager has no immediate access to the plaintext key value. You can enable the external HSM Key Manager at any time after completing the initial installation.
Prerequisites
- A local or cluster Key Manager deployment supporting AIStor Object Store server-side encryption
- An external Key Manager deployment for storing the HSM key
- Key Manager Operator chart 1.1.2 or later
- Key Manager chart 2.0.2 or later
See the installation instructions for further guidance on deploying AIStor Key Manager. For existing installations, see the upgrade instructions.
Procedure
- Create an enclave and identity for the cluster Key Manager

  The cluster Key Manager requires an enclave and identity for storing and retrieving the HSM key on the external Key Manager.

  Use the following commands to generate the necessary resources. Change `aistor-key-manager` to the name or label you want to associate with the cluster Key Manager. Modify the example values to reflect the hostnames, API keys, and resource names of your deployment and infrastructure.

  ```shell
  # Point minkms at the external Key Manager and your license file
  export MINIO_KMS_SERVER=https://hsm-cluster.example.net:7373
  export MINIO_LICENSE=/opt/minmks/minio.license
  # Replace <ROOT_OR_SUPERADMIN_API_KEY> with a root or superadmin API key for the external Key Manager
  minkms add-enclave -k -a k1:<ROOT_OR_SUPERADMIN_API_KEY> aistor-key-manager
  minkms add-identity -k -a k1:<ROOT_OR_SUPERADMIN_API_KEY> --enclave aistor-key-manager --admin
  ```

  The command returns the API key and identity for use with the cluster Key Manager. Copy the `k1:` prefixed value for use with the HSM storage configuration.
- Create an encryption key for use with seal/unseal operations

  Use the `minkms add-key` command to create a new encryption key for use by the cluster Key Manager:

  ```shell
  minkms add-key --enclave aistor-key-manager aistor-key-manager-hsm
  ```

  You must specify the key name in the next step.
- Modify the values file for the cluster Key Manager

  Open the chart values file in your preferred text editor and add the `keymanager.configuration.hsm.minio.minkms` section:

  ```yaml
  # keymanager-values.yaml
  # Other configuration settings above this line
  keymanager:
    configuration:
      hsm:
        minio:
          minkms:
            server:
              - kms0.hsm-cluster.example.net:7373
              - kms1.hsm-cluster.example.net:7373
              - kms2.hsm-cluster.example.net:7373
            enclave: aistor-key-manager
            key: aistor-key-manager-hsm
            auth:
              # the k1: prefixed API key copied from the add-identity step
              key: k1:<API_KEY>
  ```
- (Optional) Disable the local HSM

  You can disable the local HSM used to initialize the cluster Key Manager after configuring the external HSM. This prevents using that HSM or its associated Root Encryption Key (REK) for accessing the encryption key database.

  To disable the local HSM, comment out or remove the `keymanager.configuration.hsm.key` value from the `values.yaml` file.
- Update the chart with the new `values.yaml`

  Use the `helm upgrade` command to upgrade the chart with the new `values.yaml`:

  ```shell
  helm upgrade aistor-keymanager minio/aistor-keymanager \
    -n aistor-keymanager \
    -f keymanager-values.yaml
  ```
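Before running `helm upgrade`, a quick sanity check on the values file catches the mistakes this procedure is most sensitive to: a misplaced `minkms` section, a server entry without a port, and an `auth.key` that is not the `k1:` prefixed identity key. The following check is an added example and not part of AIStor or its chart; it works on the already parsed values (for example from `yaml.safe_load`), and the sample tree is constructed here to mirror `keymanager-values.yaml` above.

```python
"""Sanity-check the external HSM section of an AIStor Key Manager values file.
Added example (not AIStor or chart code); expects the values file already parsed
into nested dicts, e.g. by yaml.safe_load(open("keymanager-values.yaml"))."""
from typing import Any


def _get(tree: Any, *keys: str) -> Any:
    """Walk nested dicts; return None if any key along the path is missing."""
    for key in keys:
        if not isinstance(tree, dict) or key not in tree:
            return None
        tree = tree[key]
    return tree


def check_hsm_values(values: dict[str, Any]) -> list[str]:
    """Return findings for keymanager.configuration.hsm.minio.minkms; an empty
    list means the section matches the layout used in the procedure above.
    Findings prefixed 'warning:' are advisory (disabling the local HSM is optional)."""
    findings: list[str] = []
    hsm = _get(values, "keymanager", "configuration", "hsm")
    hsm = hsm if isinstance(hsm, dict) else {}
    minkms = _get(hsm, "minio", "minkms")
    if not isinstance(minkms, dict):
        return ["missing keymanager.configuration.hsm.minio.minkms section"]
    servers = minkms.get("server")
    if not isinstance(servers, list) or not servers:
        findings.append("minkms.server must list at least one host:port entry")
    else:
        for entry in servers:  # each external Key Manager endpoint as host:port
            host, sep, port = str(entry).rpartition(":")
            if not host or not sep or not port.isdigit():
                findings.append(f"server entry {entry!r} is not host:port")
    for field in ("enclave", "key"):
        if not minkms.get(field):
            findings.append(f"minkms.{field} must name the {field} created with minkms")
    api_key = str(_get(minkms, "auth", "key") or "")
    if not api_key.startswith("k1:"):  # identity keys from add-identity carry this prefix
        findings.append("minkms.auth.key must be the k1:-prefixed API key from add-identity")
    if "key" in hsm:  # the local HSM root key is still configured (optional step above)
        findings.append("warning: keymanager.configuration.hsm.key is set; local HSM still enabled")
    return findings


# Constructed sample mirroring keymanager-values.yaml above; the API key is a placeholder.
SAMPLE_VALUES = {"keymanager": {"configuration": {"hsm": {"minio": {"minkms": {
    "server": ["kms0.hsm-cluster.example.net:7373", "kms1.hsm-cluster.example.net:7373"],
    "enclave": "aistor-key-manager",
    "key": "aistor-key-manager-hsm",
    "auth": {"key": "k1:PLACEHOLDER-API-KEY"},
}}}}}}
```

An empty result means the section is laid out as in the procedure; a `warning:` finding only reminds you that the optional local HSM step has not been applied.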