Install MinIO KMS on Upstream Kubernetes

This section documents steps for installing and managing MinIO Key Management Service (KMS) on Kubernetes infrastructure using a distribution that follows the upstream API and functionality.

This procedure assumes that the user interacting with the Kubernetes cluster has authorization to:

  • Install Kubernetes operators and associated resources, including CustomResourceDefinitions, StatefulSets, and Secrets, into new or existing namespaces, and
  • Perform operations as a user with broad permissions to create resources in multiple namespaces.

Deploy MinIO KMS using Helm

This procedure documents installation on Kubernetes using the MinIO Helm charts.

As of release RELEASE.2025-11-12T19-14-51Z, MinIO KMS no longer requires a MinIO Commercial License to operate.

Previous versions (prior to RELEASE.2025-11-12T19-14-51Z) require a MinIO Commercial License configured in the operator chart values. For license configuration instructions for previous versions, see the Legacy License Installation Guide.

  1. Add the AIStor Helm Repository

    helm repo add minio https://helm.min.io/
    
  2. Configure and install the minio/minkms-operator chart

    This chart installs the operator and the Kubernetes resources that the minkms chart relies on to deploy MinIO KMS.

    To customize the chart, create a YAML values file named minkms-operator-values.yaml. For releases prior to RELEASE.2025-11-12T19-14-51Z you must at least set global.license to your SUBNET license, replacing LICENSE-STRING; the current release does not require a license value.

    global:
      license: "LICENSE-STRING"
    
    The operator chart supports hierarchical configuration where you can set values globally under global.operator.* that apply to all operators, then override specific values for individual operators under operators.<operator-name>.*. Individual operator settings take precedence over global settings. If you do not specify settings at either the individual or global level, then the operator uses the default settings value in the chart template. See Configuration Precedence for details.
  3. Install the chart to the minkms-operator namespace:

    helm install minkms-operator minio/minkms-operator \
      -n minkms-operator --create-namespace \
      -f minkms-operator-values.yaml
    

    If successful, the command outputs a summary of installed resources.

    To validate the installation, run kubectl get all -n minkms-operator and check the status of deployed resources. The chart creates a Deployment, ReplicaSet, Service, and Pod within the namespace.

  4. Generate a root encryption key for MinIO KMS

    MinIO KMS uses a Root Encryption Key (REK) to encrypt all cryptographic material it stores. To generate a key, run the following command, which prints the key to standard output:

    docker run quay.io/minio/aistor/minkms:latest --soft-hsm
    

    The output resembles the following:

    hsm:ALGORITHM:<KEYSTRING>
    

    Save the output to a secure location such as a dedicated secrets manager or password vault. The REK protects every key that MinIO KMS stores: anyone holding it can decrypt that material, and if it is lost the material cannot be recovered.

  5. Deploy the minio/minkms chart

    The following command deploys MinIO KMS with the release name minkms into the minkms namespace.

    helm install minkms minio/minkms \
      -n minkms --create-namespace \
      --set "minkms.hsm.key=hsm:ALGORITHM:<KEYSTRING>"
    

    The command outputs instructions for connecting an AIStor object store to MinIO KMS. AIStor can then use MinIO KMS to enable Server Side Encryption of objects. Note that a key passed with --set is recorded in your shell history and, like every chart value, stored in the Helm release Secret in the cluster, so restrict who can read Secrets in the minkms namespace.

    By default, MinIO KMS deploys with 3 replicas. Each replica requires 25 MiB of storage and uses the default storage class on the cluster. For more complete documentation, see Server Side Encryption with MinIO KMS.
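The whole procedure, as an added shell script that is not part of the MinIO documentation or the minkms project. It wraps the steps above in functions, validates the shape of the generated REK before it is handed to Helm, and passes the key with Helm's `--set-file` instead of `--set`, so the key never appears in shell history or process arguments. It assumes `helm`, `kubectl` and `docker` are on PATH, that `minkms-operator-values.yaml` already exists in the working directory, that `minkms --soft-hsm` prints the key as the only line starting with `hsm:`, and that the chart, image and value names are exactly those shown above; the namespace and file-name variables and the `--rm` flag on docker are the script's own choices.

```shell
#!/bin/sh
# Added example, not from the MinIO documentation or the minkms project.
# Assumes helm, kubectl and docker on PATH, minkms-operator-values.yaml in
# the current directory, and the chart/image/value names shown in the docs.
# Usage: ./minkms-install.sh generate|operator|kms
set -eu

OPERATOR_NS="${OPERATOR_NS:-minkms-operator}"
KMS_NS="${KMS_NS:-minkms}"
REK_FILE="${REK_FILE:-./minkms-rek.txt}"

# The REK has the shape hsm:<ALGORITHM>:<KEYSTRING>. Reject anything else
# before it reaches helm, so an empty capture or a stray log line can never
# be installed as the key. Returns 0 for a well-formed key, 1 otherwise.
validate_rek() {
  rek="$1"
  case "$rek" in
    hsm:?*:?*) ;;
    *) return 1 ;;
  esac
  algo="${rek#hsm:}"; algo="${algo%%:*}"   # field between the first two colons
  key="${rek#hsm:*:}"                      # everything after the second colon
  [ -n "$algo" ] && [ -n "$key" ]
}

# Keep only the first line that looks like a key and drop the line ending,
# so --set-file below passes the bare key string without a trailing newline.
# (Assumption: the key is the only output line starting with "hsm:".)
extract_rek() {
  awk '/^hsm:/ { sub(/\r$/, ""); printf "%s", $0; exit }'
}

generate_rek() {
  # umask 077 makes the file mode 0600: other local users cannot read the key.
  ( umask 077
    docker run --rm quay.io/minio/aistor/minkms:latest --soft-hsm \
      | extract_rek > "$REK_FILE" )
  validate_rek "$(cat "$REK_FILE")" || { echo "no valid REK captured" >&2; exit 1; }
  echo "REK written to $REK_FILE; copy it into your secrets manager now"
}

install_operator() {
  helm repo add minio https://helm.min.io/ 2>/dev/null || true   # ok if it already exists
  helm repo update
  helm install minkms-operator minio/minkms-operator \
    -n "$OPERATOR_NS" --create-namespace \
    -f minkms-operator-values.yaml
  # Block until the operator Deployment is Available instead of eyeballing `kubectl get all`.
  kubectl -n "$OPERATOR_NS" wait --for=condition=Available deployment --all --timeout=180s
}

install_kms() {
  validate_rek "$(cat "$REK_FILE")" || { echo "$REK_FILE does not hold a valid REK" >&2; exit 1; }
  # --set-file reads the value from the file, so the key is absent from the
  # command line, `ps` output and shell history. Helm still keeps every value
  # in the release Secret in the cluster, so lock down Secret reads there.
  helm install minkms minio/minkms \
    -n "$KMS_NS" --create-namespace \
    --set-file "minkms.hsm.key=$REK_FILE"
  kubectl -n "$KMS_NS" get pods
}

case "${1:-}" in
  generate) generate_rek ;;
  operator) install_operator ;;
  kms)      install_kms ;;
  *)        echo "usage: $0 generate|operator|kms" >&2 ;;
esac
```

Run `generate` first, copy the key from the file into your vault, then `operator` and `kms`. Helm stores all chart values, including the key, base64-encoded in the release Secret `sh.helm.release.v1.minkms.v1` in the `minkms` namespace and prints them with `helm get values minkms -n minkms`, so limit who can read Secrets in that namespace and delete the local key file once the vault copy is confirmed.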