Configuration File

The Key Manager supports a YAML-formatted configuration file for specifying startup options and settings.

The file has the following format:

# Config file version
# REQUIRED
#
version: v1

# System admin configuration
# OPTIONAL
#
#admin:
  # Identity with sysadmin privileges.
  # Generate a new identity using `minkms identity`
  # Use the corresponding secret `k1:KEY` when authenticating as a client to
  # perform operations with this identity
  # If you omit this value, MinKMS generates and emits the root credentials
  # to the system log on startup.
  # identity: h1:Rvxa7nj8zkL48CeDkN6LhpX-K7KK6uhIhpBOcTHNhWw

# Interval in which the cluster leader sends heartbeats to all its followers
# OPTIONAL
#
# If 0, a reasonable default is selected automatically. It should be
# at least twice the network latency between any two KMS cluster nodes.
# Reasonable values are between 50ms and 1s for most clusters. 
#
# Very low (below 50ms) or high (above 1.5s) values should only be set
# under special circumstances. For example, a stretch cluster spawned
# across geographic regions may demand larger heartbeat intervals due to
# higher network latency.
#
# A value that is too low may cause sporadic leadership losses, similar to a
# flaky or unreliable network. A value that is too high may cause delayed
# detection of node failures and longer write-quorum recovery after node
# failures. However, it does not affect the strict consistency guarantees or
# correctness of state changes.
#
# The default setting is typically sufficient.
#
# heartbeat: 500ms

# TLS configuration
# REQUIRED
#
# Key Manager requires TLS for encrypting and protecting all connections.
# 
tls:
  certs:
  # You must specify *at least* one TLS keypair.
  #
  # You can specify multiple key-cert pairs to MinKMS to cover multiple
  # hostnames if necessary.
  #
  # MinKMS must have read access to the specified paths to start.
  #
  - key:  /etc/minkms/private.key # Path to the server's TLS private key
    cert: /etc/minkms/public.crt  # Path to the server's TLS certificate
  
  # A folder containing one or more CA root certificates.
  # MinKMS uses this for validating TLS certificates for a remote system.
  # This is optional and typically not required during normal installations.
  #
  # ca:   /etc/minkms/CAs
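
The following pre-deployment check is an added example, not MinKMS code: it audits a configuration against the constraints stated in the comments above (required version, admin identity, heartbeat range, at least one readable TLS key pair). The names `audit_config`, `parse_duration_ms` and `SAMPLE` are hypothetical, the config is assumed to be already loaded into a mapping by a YAML parser, and the private-key permission check is a hardening step beyond what this page requires.

```python
import os
import re
import stat

_MS = {"ms": 1, "s": 1000, "m": 60000}

def parse_duration_ms(text):
    """Convert a duration such as '500ms' or '1.5s' to whole milliseconds."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)(ms|s|m)", str(text).strip())
    if not m:
        raise ValueError(f"unrecognized duration: {text!r}")
    return round(float(m.group(1)) * _MS[m.group(2)])

def audit_config(cfg):
    """Return findings for a parsed config mapping (empty list = clean)."""
    findings = []
    if cfg.get("version") != "v1":
        findings.append("version: required, expected v1")
    if not (cfg.get("admin") or {}).get("identity"):
        findings.append("admin.identity: unset, so root credentials are "
                        "emitted to the system log on startup")
    hb = cfg.get("heartbeat")
    if hb not in (None, 0, "0"):  # 0 or absent selects the default
        ms = parse_duration_ms(hb)
        if ms and not 50 <= ms <= 1500:
            findings.append(f"heartbeat: {hb} is outside 50ms..1.5s")
    certs = (cfg.get("tls") or {}).get("certs") or []
    if not certs:
        findings.append("tls.certs: at least one key/cert pair is required")
    for i, pair in enumerate(certs):
        for field in ("key", "cert"):
            path = pair.get(field)
            if not path or not os.access(path, os.R_OK):
                findings.append(f"tls.certs[{i}].{field}: missing or unreadable")
            elif field == "key" and os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
                # Hardening check added here; the page only requires read access.
                findings.append(f"tls.certs[{i}].key: private key is accessible to group/other")
    return findings

# Constructed sample: the mapping a YAML loader would return for a config
# that leaves admin commented out and sets an aggressive heartbeat.
SAMPLE = {"version": "v1", "heartbeat": "20ms",
          "tls": {"certs": [{"key": "/nonexistent/private.key",
                             "cert": "/nonexistent/public.crt"}]}}

if __name__ == "__main__":
    for finding in audit_config(SAMPLE):
        print("FINDING:", finding)
```
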
All Rights Reserved 2024-Present, MinIO, Inc.