Store HSM on Hashicorp Vault
AIStor Key Manager supports using Hashicorp Vault for storing the Hardware Security Module (HSM) key associated with a Root Encryption Key (REK).
The Vault instance stores the HSM such that a user with access to the cluster Key Manager has no immediate access to the plaintext key value. You can enable the external HSM Key Manager at any time after completing the initial installation.
Configuring an external KMS for HSM storage can help meet compliance requirements around keeping root or master keys on the same system as the encryption database. The total security of the system however still relies on protections applied to the ‘final’ key in any such KMS chain. Ultimately basic security measures such as root access protection and systems of least privilege carry the same weight and importance across all encryption related services.
Prerequisites
This procedure assumes two Key Manager installations:
- The local or cluster Key Manager deployment
- The Hashicorp Vault deployment acting as HSM.
The Hashicorp Vault instance must provide support for the transit engine to support external HSM storage.
The transit
configuration must allow the following set of permissions:
path "transit/encrypt/minkms-sealing-key" {
capabilities = [ "update" ]
}
path "transit/decrypt/minkms-sealing-key" {
capabilities = [ "update" ]
}
path "transit/hmac/minkms-sealing-key" {
capabilities = [ "update" ]
}
Refer to the Vault documentation for guidance on setup and configuration.
See the installation instructions for further guidance on deploying AIStor Key Manager.
Procedure
-
Create the necessary tokens for authenticating to Vault
Key Manager supports either the
approle
or thekubernetes
authentication method.Prepare the following for this procedure:
-
Modify the configuration file for the cluster Key Manager
Open the configuration file in your preferred text editor and add the
hsm.hashicorp.vault
section:version: v1 # Other configuration settings above this line hsm: vault: server: https://vault.example.net:8200 approle: id: UUID # App Role ID secret: UUID # App Role Secret namespace: ns-1 # Optional namespace for the approle path: approle # Optional mount point for the approle transit: key: aistor-key-manager-hsm namespace: ns-1 # Optional namespace for the transit engine path: transit # Optional mount point for the transit engine
Make the same changes to all AIStor Key Manager nodes in the cluster deployment. You can then restart the nodes using
systemctl restart minkms
. -
(Optional) Disable the local HSM
You disable the local HSM used to initialize the cluster Key Manager after configuring the external HSM. This prevents using that HSM or its associated Root Encryption Key (REK) for accessing the encryption key database.
Open the Key Manager environment file at
/etc/default/minkms
in your preferred browser. Remove theMINIO_KMS_HSM_KEY
line on all nodes. -
Restart the key manager process
You can then restart all nodes in the deployment using
systemctl restart minkms
. Monitor the system logs usingjournalctl -uf minkms
to ensure successful startup and resumption of internode and client API operations.