Store HSM on MinIO KMS
MinIO KMS supports using an independent MinIO KMS deployment for storing the Hardware Security Module (HSM) key associated with a Root Encryption Key (REK).
The independent MinIO KMS stores the HSM such that a user with access to the cluster MinIO KMS has no immediate access to the plaintext key value. You can enable the external HSM MinIO KMS at any time after completing the initial installation.
Configuring an external KMS for HSM storage can help meet compliance requirements that Root or Master keys not be kept on the same system as the encryption database. The overall security of the system relies on the protections applied to the final key in any such KMS chain. Basic security measures such as root access protection and Least Privilege carry the same weight and importance across all encryption-related services.
Prerequisites
This procedure assumes two MinIO KMS installations:
- The local or cluster MinIO KMS deployment for supporting AIStor Object Store Server Side Encryption
- The external MinIO KMS deployment for storing the HSM.
See the installation instructions for further guidance on deploying MinIO KMS.
Procedure
- Create an enclave and identity for cluster MinIO KMS

  The cluster MinIO KMS requires an enclave and identity for storing and retrieving the HSM key on the external MinIO KMS.

  Use the following commands to generate the necessary resources. Change `aistor-key-manager` to reflect the name or label you want to associate with the cluster MinIO KMS. Modify the example values to reflect the hostnames, API keys, and resource names of your deployment and infrastructure. Replace `k1:<root_or_superadmin_API_KEY>` with the root or superadmin API key of the external MinIO KMS.

  ```shell
  export MINIO_KMS_SERVER=https://hsm-cluster.example.net:7373
  minkms add-enclave -k -a k1:<root_or_superadmin_API_KEY> aistor-key-manager
  minkms add-identity -k -a k1:<root_or_superadmin_API_KEY> --enclave aistor-key-manager --admin
  ```

  Previous versions of MinIO KMS (prior to RELEASE.2025-11-12T19-14-51Z) require the `MINIO_LICENSE` environment variable to be set before running `minkms` commands. For license configuration instructions for previous versions, see the Legacy License Installation Guide.

  The command returns the API key and identity for use with the cluster MinIO KMS. Copy the `k1:`-prefixed value for use with the HSM storage configuration.
- Create an encryption key for use with seal/unseal operations

  Use the `minkms add-key` command to create a new encryption key for use by the cluster MinIO KMS:

  ```shell
  minkms add-key --enclave aistor-key-manager aistor-key-manager-hsm
  ```

  You must specify the key name in the next step.
- Modify the configuration file for the cluster MinIO KMS

  Open the configuration file in your preferred text editor and add the `hsm.minio.minkms` section:

  ```yaml
  version: v1
  # Other configuration settings above this line
  hsm:
    minio:
      minkms:
        server:
          - kms0.hsm-cluster.example.net:7373
          - kms1.hsm-cluster.example.net:7373
          - kms2.hsm-cluster.example.net:7373
        enclave: aistor-key-manager
        key: aistor-key-manager-hsm
        auth:
          key: k1:<root_or_superadmin_API_KEY>
  ```

  Make the same changes to all MinIO KMS nodes in the cluster deployment.
- (Optional) Disable the local HSM

  You can disable the local HSM used to initialize the cluster MinIO KMS after configuring the external HSM. This prevents using that HSM or its associated Root Encryption Key (REK) for accessing the encryption key database.

  Open the MinIO KMS environment file at `/etc/default/minkms` in your preferred text editor. Remove the `MINIO_KMS_HSM_KEY` line on all nodes.
- Restart the MinIO KMS process

  Restart all nodes in the deployment using `systemctl restart minkms`. Monitor the system logs using `journalctl -fu minkms` to ensure successful startup and resumption of internode and client API operations.