Key Manager Server

SUBNET License Required

AIStor Key Manager requires a SUBNET license for normal operations. See our Pricing page for more information on AIStor subscriptions and licensing.

Installation

The following instructions install the minkms binary to your local host machine. You can use this binary for running Key Manager locally or connecting to an existing Key Manager deployment to perform management operations.

You can start a local instance for development and evaluation using the minkms server command with the following base parameters:

minkms --soft-hsm

export MINIO_LICENSE=/opt/minkms/minio.license
export MINIO_KMS_HSM_KEY=$(minkms --soft-hsm)

minkms server /tmp/minkms

Run echo $MINIO_KMS_HSM_KEY to display the generated HSM key so you can save it and reuse the same key for extended development and evaluation.
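The key printed by minkms --soft-hsm only lives in the shell environment of the session that generated it, so a practitioner usually keeps it in an owner-only file and reuses it on the next start. The helper below is an added example, not part of the MinIO documentation or the minkms project: it stores the key with 0600 permissions on first use and returns the stored key afterwards. The generator command is a parameter (default: minkms --soft-hsm) so the function can be exercised without the binary; the file location and the function name are this example's own choices.

```shell
# POSIX sh helper (added example, not MinIO's code).
#
# ensure_soft_hsm_key KEYFILE [GENERATOR]
#   Prints the HSM key stored in KEYFILE. If KEYFILE is missing or empty,
#   runs GENERATOR (default: "minkms --soft-hsm"), stores its output with
#   owner-only permissions, and then prints it. Returns 1 if no key could
#   be produced, so callers never end up with an empty MINIO_KMS_HSM_KEY.
ensure_soft_hsm_key() {
    keyfile=$1
    generator=${2:-"minkms --soft-hsm"}

    # Reuse an existing, non-empty key file.
    if [ -s "$keyfile" ]; then
        cat "$keyfile"
        return 0
    fi

    keydir=$(dirname "$keyfile")
    mkdir -p "$keydir" || return 1

    # Write the key into a temporary file under a restrictive umask so it is
    # never readable by other users, even briefly, then rename it into place.
    tmp="$keyfile.tmp.$$"
    (umask 077 && sh -c "$generator" > "$tmp") || { rm -f "$tmp"; return 1; }
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        echo "ensure_soft_hsm_key: generator produced no key" >&2
        return 1
    fi
    mv "$tmp" "$keyfile" && chmod 600 "$keyfile" && cat "$keyfile"
}

# Usage (requires the minkms binary and a license file; path is illustrative):
#   export MINIO_LICENSE=/opt/minkms/minio.license
#   export MINIO_KMS_HSM_KEY=$(ensure_soft_hsm_key "$HOME/.minkms/soft-hsm.key")
#   minkms server /tmp/minkms
```

Because the function prints the key on every call, the same export line works for both the first start and every later one, and the key file is the only copy that needs backing up for an evaluation deployment.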

Connecting to a Key Manager server

The minkms binary provides both server and client APIs.

Set the following environment variables to allow minkms to act as a client connecting to a remote Key Manager installation:

export MINIO_KMS_SERVER=https://keymanager-1.example.net:7373
export MINIO_KMS_API_KEY=k1:APIKEY
export MINIO_LICENSE=/opt/minkms/minio.license

The APIKEY value should correspond to either the root or superadmin API key or the enclave admin API key to perform administrative operations against an enclave. The path to the MINIO_LICENSE should resolve to a valid text representation of your SUBNET license.

The minkms process validates the remote server certificate by default as part of establishing a connection. The process uses both the system trust store of Certificate Authorities and the contents of the $HOME/.minkms/certs/CAs directory. Ensure that either the trust store or the CAs directory contains the necessary root and intermediate certificates for validating the remote Key Manager host.
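A misconfigured client usually surfaces as an opaque TLS or authentication error, so it is worth checking the shape of each setting before invoking minkms. The pre-flight script below is an added example and not part of the MinIO documentation or the minkms project. It assumes the API key uses the k1: prefix form shown on this page, that the CA directory is $HOME/.minkms/certs/CAs as documented (an optional argument overrides it), and that certificate files there are PEM encoded; the function names are this example's own.

```shell
# POSIX sh pre-flight checks for the minkms client environment (added example).
# Each check prints the reason to stderr and returns 1 on failure.

# The server must be an https URL with a host and a numeric port; a plain
# http URL would bypass certificate validation entirely.
check_kms_server_url() {
    case "$1" in
        https://?*:[0-9]*) return 0 ;;
        http://*) echo "MINIO_KMS_SERVER must use https, not http: $1" >&2; return 1 ;;
        *) echo "MINIO_KMS_SERVER must look like https://host:port, got '$1'" >&2; return 1 ;;
    esac
}

# Assumption: API keys have the k1:<key> form shown in this page's example.
check_api_key_format() {
    case "$1" in
        k1:?*) return 0 ;;
        "") echo "MINIO_KMS_API_KEY is not set" >&2; return 1 ;;
        *) echo "MINIO_KMS_API_KEY should have the form k1:<key>" >&2; return 1 ;;
    esac
}

# The license must be a readable, non-empty text file.
check_license_file() {
    if [ -z "$1" ]; then
        echo "MINIO_LICENSE is not set" >&2; return 1
    fi
    if [ ! -r "$1" ] || [ ! -s "$1" ]; then
        echo "MINIO_LICENSE is not a readable, non-empty file: $1" >&2; return 1
    fi
    return 0
}

# check_ca_dir DIR
#   A missing or empty directory is acceptable (the system trust store is then
#   the only source of CAs), but every regular file present must contain a
#   PEM certificate block, otherwise minkms cannot use it for validation.
check_ca_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "note: $dir absent, relying on the system trust store" >&2; return 0; }
    found=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        found=1
        if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then
            echo "$f does not contain a PEM certificate" >&2
            return 1
        fi
    done
    [ "$found" -eq 1 ] || echo "note: $dir is empty, relying on the system trust store" >&2
    return 0
}

# minkms_client_preflight [CA_DIR]
#   Runs every check against the current environment and reports all failures
#   before returning, so one run shows everything that needs fixing.
minkms_client_preflight() {
    rc=0
    check_kms_server_url "$MINIO_KMS_SERVER" || rc=1
    check_api_key_format "$MINIO_KMS_API_KEY" || rc=1
    check_license_file "$MINIO_LICENSE" || rc=1
    check_ca_dir "${1:-$HOME/.minkms/certs/CAs}" || rc=1
    return $rc
}

# Usage, after exporting the three variables described above:
#   minkms_client_preflight && minkms <command>
```

The CA-directory check deliberately does not fail on an absent directory, because the page allows the system trust store to carry the required roots; it only rejects files that cannot be certificates, which is the case that otherwise produces a silent fallback to whatever the system store holds.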

Syntax

The minkms process has the following syntax:

minkms            \
  [-v|--version]  \
  [--soft-hsm]    \
  [help]          \
  [help all]

Parameters

--version

Alias: -v

Outputs the version of the minkms server process.

--soft-hsm

Generates a software-based Hardware Security Module (HSM) key for use with setup and configuration of a minkms server.

help

Provides CLI help output for a subset of available commands.

help all

Provides CLI help output interface for all available commands.

FIPS 140-3 Binary

AIStor Key Manager provides a FIPS 140-3 binary for installation into environments that require the standard.

FIPS mode primarily restricts the supported TLS ciphers to only those permitted by the standard. This may result in the omission of more secure TLS ciphers because they are not included in the latest FIPS standard. Do not rely solely on FIPS to make determinations around cipher selection.

Use the following instructions to download the FIPS-enabled binary for AMD64 architectures. For other architectures, please reach out to support using SUBNET.

curl --progress-bar --retry 10 -L https://dl.min.io/aistor/minkms/release/linux-amd64/minkms.fips -o minkms
chmod +x ./minkms
mv ./minkms /usr/local/bin/

For existing installations, you can replace the non-FIPS minkms binary on each host with the .fips binary and restart to bring the cluster up in FIPS mode.

All Rights Reserved 2024-Present, MinIO, Inc.