Store HSM on Key Manager
AIStor Key Manager supports using an independent Key Manager deployment for storing the Hardware Security Module (HSM) key associated with a Root Encryption Key (REK).
The independent Key Manager stores the HSM such that a user with access to the cluster Key Manager has no immediate access to the plaintext key value. You can enable the external HSM Key Manager at any time after completing the initial installation.
Configuring an external KMS for HSM storage can help meet compliance requirements around keeping Root or Master keys on the same system as the encryption database. The total security of the system however still relies on protections applied to the ‘final’ key in any such KMS chain. Ultimately basic security measures such as root access protection and systems of Least Privilege carry the same weight and importance across all encryption related services.
Prerequisites
This procedure assumes two Key Manager installations:
- The local or cluster Key Manager deployment for supporting AIStor Object Store Server Side Encryption
- The external Key Manager deployment for storing the HSM.
See the installation instructions for further guidance on deploying AIStor Key Manager.
Procedure
-
Create an enclave and identity for cluster Key Manager
The cluster Key Manager requires an enclave and identity for storing and retrieving the HSM key on the external Key Manager.
Use the following commands to generate the necessary resources. Change the
aistor-key-manager
to reflect the name or label you want to associate with the cluster Key Manager. Modify the example values to reflect the hostnames, API keys, and resource names of your deployment and infrastructure.export MINIO_KMS_SERVER=https://hsm-cluster.example.net:7373 export MINIO_LICENSE=/opt/minmks/minio.license minkms add-enclave -k -a k1:`root` or superadmin_API_KEY aistor-key-manager minkms add-identity -k -a k1:`root` or superadmin_API_KEY --enclave aistor-key-manager --admin
The command returns the API key and identity for use with the cluster Key Manager. Copy the
k1:
prefixed value for use with the HSM storage configuration. -
Create an encryption key for use with seal/unseal operations
Use the
minkms add-key
command to create a new encryption key for use by the cluster Key Manager:minkms add-key --enclave aistor-key-manager aistor-key-manager-hsm
You must specify the key name in the next step.
-
Modify the configuration file for the cluster Key Manager
Open the configuration file in your preferred text editor and add the
hsm.minio.minkms
section:version: v1 # Other configuration settings above this line hsm: minio: minkms: server: - kms0.hsm-cluster.example.net:7373 - kms1.hsm-cluster.example.net:7373 - kms2.hsm-cluster.example.net:7373 enclave: aistor-key-manager key: aistor-key-manager-hsm auth: key: k1:`root` or superadmin_API_KEY
Make the same changes to all AIStor Key Manager nodes in the cluster deployment.
-
(Optional) Disable the local HSM
You disable the local HSM used to initialize the cluster Key Manager after configuring the external HSM. This prevents using that HSM or its associated Root Encryption Key (REK) for accessing the encryption key database.
Open the Key Manager environment file at
/etc/default/minkms
in your preferred browser. Remove theMINIO_KMS_HSM_KEY
line on all nodes. -
Restart the key manager process
You can then restart all nodes in the deployment using
systemctl restart minkms
. Monitor the system logs usingjournalctl -uf minkms
to ensure successful startup and resumption of internode and client API operations.