Store HSM on Key Manager

AIStor Key Manager supports using an independent Key Manager deployment for storing the Hardware Security Module (HSM) key associated with a Root Encryption Key (REK).

[Diagram: the Cluster Key Manager reads the encrypted Root Key from the Key Database and sends it to the External HSM Key Manager, which decrypts it using the HSM and returns the plaintext Root Key; the Cluster Key Manager then decrypts the database with that Root Key.]

The independent Key Manager stores the HSM key such that a user with access to the cluster Key Manager has no immediate access to its plaintext value. You can enable the external HSM Key Manager at any time after completing the initial installation.

Configuring an external KMS for HSM storage can help meet compliance requirements around not keeping Root or Master keys on the same system as the encryption database. The total security of the system, however, still relies on the protections applied to the ‘final’ key in any such KMS chain. Ultimately, basic security measures such as root access protection and least-privilege access controls carry the same weight and importance across all encryption-related services.

Prerequisites

This procedure assumes two Key Manager installations:

  • The local or cluster Key Manager deployment for supporting AIStor Object Store Server Side Encryption
  • The external Key Manager deployment for storing the HSM.

See the installation instructions for further guidance on deploying AIStor Key Manager.

Procedure

  1. Create an enclave and identity for cluster Key Manager

    The cluster Key Manager requires an enclave and identity for storing and retrieving the HSM key on the external Key Manager.

    Use the following commands to generate the necessary resources. Change the aistor-key-manager to reflect the name or label you want to associate with the cluster Key Manager. Modify the example values to reflect the hostnames, API keys, and resource names of your deployment and infrastructure.

    
    export MINIO_KMS_SERVER=https://hsm-cluster.example.net:7373
    export MINIO_LICENSE=/opt/minmks/minio.license
    
    minkms add-enclave -k -a k1:`root` or superadmin_API_KEY aistor-key-manager
    
    minkms add-identity -k -a k1:`root` or superadmin_API_KEY --enclave aistor-key-manager --admin
    

    The command returns the API key and identity for use with the cluster Key Manager. Copy the k1:-prefixed value for use with the HSM storage configuration.

  2. Create an encryption key for use with seal/unseal operations

    Use the minkms add-key command to create a new encryption key for use by the cluster Key Manager:

    minkms add-key --enclave aistor-key-manager aistor-key-manager-hsm
    

    You must specify the key name in the next step.

  3. Modify the configuration file for the cluster Key Manager

    Open the configuration file in your preferred text editor and add the hsm.minio.minkms section:

    version: v1
    
    # Other configuration settings above this line
    
    hsm:
      minio:
        minkms:
          server:
          - kms0.hsm-cluster.example.net:7373
          - kms1.hsm-cluster.example.net:7373
          - kms2.hsm-cluster.example.net:7373
    
          enclave: aistor-key-manager
          key: aistor-key-manager-hsm
          auth:
            key: k1:`root` or superadmin_API_KEY
    

    Make the same changes to all AIStor Key Manager nodes in the cluster deployment.

  4. (Optional) Disable the local HSM

    You can disable the local HSM that was used to initialize the cluster Key Manager once the external HSM is configured. This prevents that HSM, or its associated Root Encryption Key (REK), from being used to access the encryption key database.

    Open the Key Manager environment file at /etc/default/minkms in your preferred text editor. Remove the MINIO_KMS_HSM_KEY line on all nodes.

  5. Restart the key manager process

    You can then restart all nodes in the deployment using systemctl restart minkms. Monitor the system logs using journalctl -fu minkms to ensure successful startup and resumption of internode and client API operations.