This page contains a list of the environment variables available for configuring the AIStor Key Encryption Service. MINIO_KMS_KES_ENDPOINT The endpoint for the AIStor Key Encryption Service (KES) process to use for supporting SSE-S3 and MinIO backend encryption operations. By default, KES binds to port 7373 on all network interfaces.

Overview Update the KES binary to a different version. Syntax kes update \ [--arch <string>] \ [--downgrade, -d] \ [--insecure, -k] \ [--minisign-key <key>] \ [--os <string>] \ [--output, -o <path>] \ [<version>] Parameters --arch Download the binary for the specified system architecture.

The following code block includes the full contents of the AIStor Key Manager Helm Chart default values.yaml and all accompanying documentation. # Following annotations/labels are applied to all resources created by the Helm chart annotations: {} labels: {} # Allow to override the namespace for all resources #namespaceOverride: &#34;test&#34; # The Helm chart will try to auto-detect OpenShift. If it cannot detect OpenShift # (i.e. when running helm template), then it will default to false. You can # override this setting to force OpenShift mode. #forceOpenShift: true ### # Root key for AIStor Key Manager keyManager: ### # The Key Manager name # # When the key manager name is not specified, the chart will use the release name # as the key manager name. #name: mykms ### # Specify the container image to use. # ``image.tag`` # For example, the following sets the image to the ``quay.io/minio/aistor/minkms`` repo and the RELEASE.2025-03-24T19-33-06Z tag. # The container pulls the image if not already present: # # .. code-block:: yaml # # image: # repository: quay.io/minio/aistor/minkms # tag: RELEASE.2025-03-24T19-33-06Z # pullPolicy: IfNotPresent # # The chart also supports specifying an image based on digest value: # # .. code-block:: yaml # # image: # repository: quay.io/minio/aistor/minkms@sha256 # digest: 2ebef198955b802aae9fc2b7789d1d3073e9d1d05c8b70d702aeef7d064a9e56 # pullPolicy: IfNotPresent # # image: {} # repository: quay.io/minio/aistor/minkms # tag: RELEASE.2025-03-24T19-33-06Z # pullPolicy: IfNotPresent ### # # An array of Kubernetes secrets to use for pulling images from a private ``image.repository``. # Only one array element is supported at this time. imagePullSecret: {} ### # The Kubernetes secret name that contains MinKMS configuration file # The secret is expected to have a key named server-config.yaml that holds the configuration configuration: #name: mykms-server-config existingSecret: false hsm: #name: mykms-secret existingSecret: false # # Generate key using the `minkms --soft-hsm` command # # IMPORTANT: This default value cannot be used and should be replaced key: &#34;hsm:aes256:????????????????????????????????????????????&#34; affinity: nodeAffinity: { } podAffinity: { } podAntiAffinity: { } annotations: { } ### # Configures external certificate settings for the Key Manager. certificates: disableAutoCert: false ### # Specify an array of Kubernetes TLS secrets, where each entry corresponds to a secret the TLS private key and public certificate pair. # # This is used by Key Manager to verify TLS connections from clients using those CAs # If you omit this and have clients using TLS certificates minted by an external CA, those connections may fail with warnings around certificate verification. # See `ObjectStore CRD: ObjectStoreSpec &lt;https://min.io/docs/aistor/kubernetes/upstream/reference/operator-crd.html#objectStoreSpec&gt;`__. certConfig: {} # commonName: ... # dnsNames: # - &#34;...&#34; # - &#34;...&#34; # organizationName: # - &#34;...&#34; # - &#34;...&#34; ### # externalCaCertSecret Allows KeyManager pods to verify client certificates signed by a Certificate Authority not in the default pod&#39;s trust store. # # If the ObjectStore uses custom or user-controlled TLS certificates, you *must* provide the CA for those certificates here # externalCaCertSecret: # - name: external-ca-secret-name # type: kubernetes.io/tls # - &#34;...&#34; # externalClientCertSecrets is the secret storing the KMS server certificate if `disableAutoCert: true` and want to provide an externally generated TLS certificate. # # You must pass the CA used to sign these certificates to clients like the Object Store to allow for TLS validation during connection. # externalClientCertSecrets: # - name: keymanger-server-secret # type: kubernetes.io/tls # containerSecurityContext: # runAsUser: 1000 # runAsGroup: 1000 # runAsNonRoot: true # allowPrivilegeEscalation: false # capabilities: # drop: # - ALL # seccompProfile: # type: RuntimeDefault # securityContext: # runAsUser: 1000 # runAsGroup: 1000 # runAsNonRoot: true # fsGroup: 1000 ### # An array of `Initialization Containers &lt;https://kubernetes.io/docs/concepts/workloads/pods/init-containers/&gt;`__ to initialize the Key Manager pods. # # All initialization containers should be run to completion before the Key Manager pod starts. initContainers: [] # labels: { } # serviceAccountName: &#34;&#34; # nodeSelector: { } ### # The `PodManagement &lt;https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#pod-management-policy&gt;`__ policy for Key Manager pods. # Can be &#34;OrderedReady&#34; or &#34;Parallel&#34; podManagementPolicy: Parallel ### # PriorityClassName indicates the Pod priority and hence importance of a Pod relative to other Pods. # Refer Kubernetes documentation for details https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass/ priorityClassName: &#34;&#34; replicas: 3 # resources: { } # runtimeClassName: &#34;&#34; # schedulerName: &#34;&#34; service: {} # annotations: {} # labels: {} # nodePort: 31002 # serviceType: NodePort # type: NodePort # serviceExternalTrafficPolicy: Local ### # The `Kubernetes Service Account &lt;https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/&gt;`__ associated with the Object Store. serviceAccountName: &#34;&#34; sideCars: {} # containers: [] # resources: {} # volumeClaimTemplates: [] # volumes: [] # tolerations: [] # topologySpreadConstraints: {} ### # volumeClaimTemplate is used to create a PersistentVolumeClaim for the Key Manager pods. # The amount of storage requested is specified in the `resources.requests.storage` field # The default value of &#39;25Mib&#39; should meet the requirements of reasonable production workloads. # KeyManager may require more storage in workloads with a large number # of enclaves and master keys. You can use the following formula to # roughly estimate required storage: # ( N_enclaves * 200 ) &#43; ( N_keys * 200 ) &#43; ( 64 * 1024 ) = total number of bytes volumeClaimTemplate: metadata: name: mykms-volume spec: accessModes: - ReadWriteOnce resources: requests: storage: 25Mi extraResources: []

Command deprecated The kes identity ls command has been deprecated as of KES release 2024-06-17T15-47-05Z. Use kes ls instead. Overview List the identities for the KES server. If specified, list only the identities that match the specified pattern.

Volume Manager installation fails in my Kubernetes. Why? You need to have necessary privileges and permissions to perform installation. Go though the specifications documentation. After upgrading Volume Manager to v4.x.x, I do not find direct-csi-min-io storage class. Why? Legacy DirectCSI is deprecated including storage class direct-csi-min-io and it is no longer supported. Previously created volumes continue to work normally. For new volume requests, use the directpv-min-io storage class.

AIStor Key Manager supports installation on Linux and MacOS hosts running AMD64 or ARM64 architectures. This procedure downloads and installs the Key Manager onto a single host machine. You can then expand the cluster with additional nodes to increase availability and resiliency. Procedure Create a Key Manager system user and group

ToDo: Scaffold with Kubernetes and Linux folders + instructions.

API Overview By default, KES requires a valid certificate for any API call. Requests without a certificate fail with a TLS error. You can disable the requirement for a valid certificate when calling some endpoints in the KES configuration file. If any endpoint does not require a certificate, failed calls result in an HTTP error instead of a TLS error.

This page documents the installation and management of AIStor Key Manager using MinIO’s Red Hat OpenShift-certified operator. You can alternatively install Key Manager using our Helm charts. This procedure assumes that the user interacting with the OpenShift cluster has authorization to: Install Kubernetes operators and associated resources including CustomResourceDefinitions, Statefulsets, and secrets into new or existing namespaces and Perform operations as a user that has broad permissions to create resources within multiple namespaces. Install the AIStor Key Manager Operator This section installs the OpenShift certified Key Manager operator. You must complete this section before proceeding to deploying the Key Manager.

Overview The :mc:kes policy commands temporarily create, modify, list, remove, or display policies on the AIStor Key Encryption Service (KES). All changes made by kes policy commands are lost when the KES server restarts. To make persistent changes to KES policies, modify the policy section of the KES configuration file. Specifically, for each policy.policyname to modify, add/remove the identities to/from the policy.policyname.identities array.