Store HSM on Key Manager

AIStor Key Manager supports using an independent Key Manager deployment for storing the Hardware Security Module (HSM) key associated with a Root Encryption Key (REK).

K e y D a t a b a s e R D e e a c d r y e p n t c r D y B p t w e i d t h R o R o o t o t K e K y e y A I S t o r K e y M a n a g e r P D l e a c i r n y t p e t x t u s R i o n o g t H K S e M y E x t e r n a l H S M K e y M a n a g e r

The independent Key Manager stores the HSM such that a user with access to the cluster Key Manager has no immediate access to the plaintext key value. You can enable the external HSM Key Manager at any time after completing the initial installation.

Prerequisites

  • The local or cluster Key Manager deployment for supporting AIStor Object Store Server Side Encryption
  • The external Key Manager deployment for storing the HSM.
  • Key Manager Operator chart 1.1.2 or later
  • Key Manager chart 2.0.2 or later

See the installation instructions for further guidance on deploying AIStor Key Manager. For existing installations, see the upgrade instructions.

Procedure

  1. Create an enclave and identity for cluster Key Manager

    The cluster Key Manager requires an enclave and identity for storing and retrieving the HSM key on the external Key Manager.

    Use the following commands to generate the necessary resources. Change the aistor-key-manager to reflect the name or label you want to associate with the cluster Key Manager. Modify the example values to reflect the hostnames, API keys, and resource names of your deployment and infrastructure.

    
    export MINIO_KMS_SERVER=https://hsm-cluster.example.net:7373
    export MINIO_LICENSE=/opt/minmks/minio.license
    
    minkms add-enclave -k -a k1:`root` or superadmin_API_KEY aistor-key-manager
    
    minkms add-identity -k -a k1:`root` or superadmin_API_KEY --enclave aistor-key-manager --admin
    

    The command returns the API key and identity for use with the cluster Key Manager. Copy the k1: prefixed value for use with the HSM storage configuration.

  2. Create an encryption key for use with seal/unseal operations

    Use the minkms add-key command to create a new encryption key for use by the cluster Key Manager:

    minkms add-key --enclave aistor-key-manager aistor-key-manager-hsm
    

    You must specify the key name in the next step.

  3. Modify the values file for the cluster Key Manager

    Open the chart values file in your preferred text editor and add the keymanagerconfiguration.hsm.minio.minkms section:

    # keymanager-values.yaml
    
    # Other configuration settings above this line
    keymanager:
       configuration:
          hsm:
             minio:
                minkms:
                   server:
                   - kms0.hsm-cluster.example.net:7373
                   - kms1.hsm-cluster.example.net:7373
                   - kms2.hsm-cluster.example.net:7373
                   enclave: aistor-key-manager
                   key: aistor-key-manager-hsm
                   auth:
                     key: k1:`root` or superadmin_API_KEY
    
  4. (Optional) Disable the local HSM

    You can disable the local HSM used to initialize the cluster Key Manager after configuring the external HSM. This prevents using that HSM or its associated Root Encryption Key (REK) for accessing the encryption key database.

    To disable the local HSM, comment out or remove the keymanager.configuration.hsm.key value from the values.yaml file.

  5. Update the chart with the new values.yaml:

    Use the helm upgrade command to upgrade the chart with the new values.yaml:

    helm upgrade aistor-keymanager minio/aistor-keymanager \
      -n aistor-keymanager \
      -f keymanager-values.yaml