Overview
This guide covers platform-level administration of the Xloud Key Manager service. Administrators configure the backend encryption store, manage transport keys for client-side encryption, define per-project quotas, and enforce security hardening policies. The Key Manager service is a critical security component — changes to its configuration affect secret accessibility across all services that reference it.

The Key Management service is enabled through the XDeploy Configuration panel:

Enable KMS
Set Enable KMS to Yes. This deploys the Key Management service and configures integration with all dependent services (Block Storage encryption, K8SaaS certificate storage, Load Balancer TLS).
Topics in This Guide
- Architecture: Key Manager service topology — API, worker, metadata DB, and secret store backends
- Backend Configuration: Configure simple crypto, PKCS#11 HSM, and KMIP secret store backends
- Secret Stores: Manage multiple secret store backends and assign stores to projects
- Transport Keys: View and rotate the RSA transport key for client-side encryption
- Quotas: Set per-project limits for secrets, containers, orders, and CAs
- Security: Protect master keys, audit secret access, and enforce network controls
- Troubleshooting: Diagnose backend failures, pending certificate orders, and ACL issues
Prerequisites
Required before proceeding:
- Administrator credentials sourced via admin-openrc.sh
- Access to XDeploy for service configuration changes
- Understanding of key management concepts (HSM, PKCS#11, KMIP, symmetric encryption)
Next Steps
- Key Manager User Guide: Step-by-step instructions for managing secrets, containers, and ACLs
- Load Balancer Admin Guide: Configure TLS termination using Key Manager certificates
- Identity: Configure service accounts and RBAC policies for Key Manager access
- Object Storage Admin Guide: Configure server-side encryption using Key Manager-managed keys