Configuration File
The Key Manager supports a YAML-formatted configuration file for specifying startup options and settings.
The file has the following format:
# Config file version
# REQUIRED
#
version: v1
# System admin configuration
# Optional
#
#admin:
# Identity with `root` or superadmin privileges.
# Generate a new identity using `minkms identity`
# Use the corresponding secret `k1:KEY` when authenticating as a client to
# perform operations with this identity
# If you omit this value, MinKMS generates and emits the root credentials
# to the systemlog on startup.
# identity: h1:Rvxa7nj8zkL48CeDkN6LhpX-K7KK6uhIhpBOcTHNhWw
# Interval in which the cluster leader sends heartbeats to all its followers
# OPTIONAL
#
# If 0, a reasonable default is selected automatically. It should be
# at least twice the network latency between any two KMS cluster nodes.
# Reasonable values are between 50ms and 1s for most clusters.
#
# Very low (below 50ms) or high (above 1.5s) values should only be set
# under special circumstances. For example, a stretch cluster spawned
# across geographic regions may demand larger heartbeat intervals due to
# higher network latency.
#
# A too low value may cause sporadic leadership losses similar to a flaky
# or unreliable network. A too high value may cause delayed detection of
# node failures and longer write-quorum recovery after node failures.
# However, it does not affect the strict consistency guarantees or
# correctness of state changes.
#
# The default setting is typically sufficient
#
# heartbeat: 500ms
# TLS configuration
# Required
#
# Key Manager requires TLS for encrypting and protecting all connections.
#
tls:
certs:
# You must specify *at least* one TLS keypair.
#
# You can specify multiple key-cert pairs to MinKMS to cover multiple
# hostnames if necessary.
#
# MinKMS must have read access to the specified paths to start.
#
- key: /etc/minkms/private.key # Path to the server's TLS private key
cert: /etc/minkms/public.crt # Path to the server's TLS certificate
# A folder containing one or more CA root certificates
# MinKMS uses this for validating TLS certificates for a remote system
# This is optional and typically not required during normal installations
# ca: /etc/minkms/CAs
# The API key to use for internode operations.
# Generate this value using `minkms identity`
# internal:h
# key: k2:STRING
# The top-level key for configuring an external Key Management Service (KMS)
# For storing HSM keys.
#
# Each node in the Key Manager deployment can use any HSM provider to seal/unseal
# the cryptographic key database.
#
# Key Manager supports the following HSM providers:
# - Filesystem (`MINIO_KMS_HSM_KEY`)
# - External Key Manager (`hsm.minio.minkms`)
# - Hashicorp Vault (`hsm.hashicorp.vault`)
#
hsm:
minio:
minkms:
server: # List of MinKMS cluster nodes
- 198.51.100.3:7373
- 198.51.100.4:7373
enclave: foo # Enclave containing the seal/unseal key
key: my-key # Name of the seal/unseal key
auth: # API key to authenticate
key: k1:9aU98Z4ajl5j96cf4d6yk0bKx5NXHdXaxiaXY9Qb3QE
hashicorp:
vault:
server: https://198.51.100.3:8200 # Vault cluster endpoint
transit:
namespace: ns-1 # transit engine namespace
path: transit # transit engine mount path
key: my-key # Name of the seal/unseal key
approle: # Authentication to Vault. Mutually exclusive with `kubernetes` auth
namespace: ns-2 # approle auth namespace
path: approle # approle auth mount path
id: 8bd4e2a6-9096-87cb-925e-d08ca4d6e4ce # AppRole role ID
secret: d5be8625-f16f-b322-a64a-0bffeeaef3f8 # AppRole secret ID
kubernetes: #Authentication to Vault. Mutually exclusive with `approle` auth
namespace: ns-3 # kubernetes auth namespace
path: kubernetes # kubernetes auth mount path
role: my-role # Service account role
jwt: /tmp/kubernetes/jwt # Service account JWT or path to JWT.
# A path to a JWT must start with a '/' or './'