curl -sSL -o ./minkms https://dl.min.io/enterprise/minkms/release/linux-amd64/minkms
Make the MinKMS binary executable:
chmod +x ./minkms
export MINIO_LICENSE=<your-license>
./minkms --soft-hsm
╭─────────────────────────────────────────────────────────────────────────────╮
│ │
│ Your software HSM key: │
│ │
│ hsm:aes256:PuKzChdhTmMcYqfbB+CpR7g2aRHbBO7uaMXdqCJmW40= │
│ │
│ This is the only time it is shown. Keep it secret and secure! │
│ │
│ The HSM protects your KMS cluster as unseal mechanism by decrypting the │
│ internal root encryption key ring. │
│ Please store it at a secure location. For example, your password manager. │
│ Without your HSM key you cannot decrypt any data within your KMS cluster. │
│ │
╰─────────────────────────────────────────────────────────────────────────────╯
Set the HSM key and start the server:
export MINIO_KMS_HSM_KEY=hsm:aes256:PuKzChdhTmMcYqfbB+CpR7g2aRHbBO7uaMXdqCJmW40=
./minkms server /tmp/kms0
Version 2024-03-26T17-52-38Z commit=2c97037a83ea6513516208913dd03159a71e80e7
HSM hsm:minio:soft
Cluster ID 1f720088-db10-4e28-8927-3bbad1eff6d8
Node 0: 192.168.188.110:7373 ⚫
Documentation Web: https://min.io/docs/kms/
CLI: $ minkms help
Endpoint https://192.168.188.110:7373
API Key k1:XyTL0XrjcoTYxPbiWQpxA_HOc8PJWhgRU-TGqTRszmI
=> Server is up and running...
By default, a MinKMS cluster uses the TLS certificate in ~/.minkms/certs. If there is none, the MinKMS server auto-generates a self-signed certificate.
A single-node KMS cluster can be expanded via minkms add. To do so, set up another node with the same MINIO_KMS_HSM_KEY and join both nodes via minkms add.
For example:
Node 0: https://10.1.2.1:7373
Node 1: https://10.1.2.2:7373
Join Node 0 and Node 1 via:
export MINIO_KMS_SERVER=10.1.2.1:7373
export MINIO_KMS_API_KEY=<your-api-key>
minkms add 10.1.2.2
On success, minkms ls should list two nodes.
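
Typing the export line for the HSM key, as in the steps above, can leave the key in shell history, and every node joined with minkms add needs the same MINIO_KMS_HSM_KEY. The following is an added example, not part of the MinKMS documentation: a shell function that loads the key from an owner-only file and checks its shape before exporting it. The function name, the file path in the usage comment, and the assumption that the part after hsm:aes256: is base64 for 32 bytes (as in the sample key above) are this example's own.

```shell
# Added example (not MinKMS code). Usage, with a hypothetical key file path:
#   load_hsm_key /etc/minkms/hsm.key && ./minkms server /tmp/kms0

# load_hsm_key FILE
# Exports MINIO_KMS_HSM_KEY from the first line of FILE, but only if the file
# is private to its owner and the key looks like hsm:aes256:<base64>.
load_hsm_key() {
    local file="$1" perms key b64 nbytes

    [ -f "$file" ] || { echo "HSM key file not found: $file" >&2; return 1; }

    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$file" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "refusing $file: accessible by group or others (chmod 600)" >&2
        return 1
    fi

    # Read the first line; accept a file without a trailing newline.
    IFS= read -r key < "$file" || [ -n "$key" ] || {
        echo "HSM key file is empty: $file" >&2; return 1; }

    case "$key" in
        hsm:aes256:*) b64=${key#hsm:aes256:} ;;
        *) echo "unexpected key format, want hsm:aes256:<base64>" >&2
           return 1 ;;
    esac

    # Assumption: the base64 part encodes a raw AES-256 key, i.e. 32 bytes.
    nbytes=$(printf '%s' "$b64" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    if [ "$nbytes" -ne 32 ]; then
        echo "key does not decode to 32 bytes (truncated or mistyped?)" >&2
        return 1
    fi

    # The key itself is never printed.
    export MINIO_KMS_HSM_KEY="$key"
}
```

Copy the key file to each additional node over a channel you trust and keep it at mode 600 there as well, so the check passes before the node is joined.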