
# Key Manager Admin Guide

> Administer Xloud Key Manager: configure secret store backends, manage transport keys, enforce quotas, apply security hardening, and troubleshoot the platform.

<p style={{ fontSize: '1.25rem', fontWeight: 700, marginBottom: '0.75rem' }}>Overview</p>

This guide covers platform-level administration of the Xloud Key Manager service.
Administrators configure the backend encryption store, manage transport keys for
client-side encryption, define per-project quotas, and enforce security hardening
policies. The Key Manager service is a critical security component — changes to its
configuration affect secret accessibility across all services that reference it.

<Warning>
  **Administrator Access Required** — This operation requires the `admin` role. Contact your
  Xloud administrator if you do not have sufficient permissions.
</Warning>

<Tabs>
  <Tab title="XDeploy" icon="server">
    The Key Management service is enabled through the XDeploy Configuration panel:

    <Steps titleSize="h3">
      <Step title="Open Configuration" icon="settings">
        Navigate to **XDeploy → Configuration** and select the **Advance Features** tab.
      </Step>

      <Step title="Enable KMS" icon="toggle-left">
        Set **Enable KMS** to **Yes**. This deploys the Key Management service and
        configures integration with all dependent services (Block Storage encryption,
        K8SaaS certificate storage, Load Balancer TLS).
      </Step>

      <Step title="Save and deploy" icon="rocket">
        Click **Save Configuration**, then navigate to **XDeploy → Operations** and
        run a **Deploy** for the Key Management service.

        <Check>Key Management service is deployed and accessible to all platform services.</Check>
      </Step>
    </Steps>
  </Tab>

  <Tab title="CLI" icon="terminal">
    Configure the Key Management service by editing `barbican.conf` directly at
    `/etc/xavs/config/barbican/barbican.conf`. See the individual topic guides below
    for backend configuration, secret stores, and security hardening parameters.
  </Tab>
</Tabs>

***

<p style={{ fontSize: '1.25rem', fontWeight: 700, marginBottom: '0.75rem' }}>Topics in This Guide</p>

<CardGroup cols={4}>
  <Card title="Architecture" icon="network" href="/services/key-manager/architecture" color="#197560">
    Key Manager service topology — API, worker, metadata DB, and secret store backends
  </Card>

  <Card title="Backend Configuration" icon="database" href="/services/key-manager/backend-config" color="#197560">
    Configure simple crypto, PKCS#11 HSM, and KMIP secret store backends
  </Card>

  <Card title="Secret Stores" icon="vault" href="/services/key-manager/secret-stores" color="#197560">
    Manage multiple secret store backends and assign stores to projects
  </Card>

  <Card title="Transport Keys" icon="key" href="/services/key-manager/transport-keys" color="#197560">
    View and rotate the RSA transport key for client-side encryption
  </Card>

  <Card title="Quotas" icon="gauge" href="/services/key-manager/quotas" color="#197560">
    Set per-project limits for secrets, containers, orders, and CAs
  </Card>

  <Card title="Security" icon="shield" href="/services/key-manager/security" color="#197560">
    Protect master keys, audit secret access, and enforce network controls
  </Card>

  <Card title="Troubleshooting" icon="wrench" href="/services/key-manager/admin-troubleshooting" color="#197560">
    Diagnose backend failures, pending certificate orders, and ACL issues
  </Card>
</CardGroup>

***

<p style={{ fontSize: '1.25rem', fontWeight: 700, marginBottom: '0.75rem' }}>Prerequisites</p>

<Note>
  **Required before proceeding**

  * Administrator credentials sourced via `openrc.sh`
  * Access to XDeploy for service configuration changes
  * Understanding of key management concepts (HSM, PKCS#11, KMIP, symmetric encryption)
</Note>

***

<p style={{ fontSize: '1.25rem', fontWeight: 700, marginBottom: '0.75rem' }}>Next Steps</p>

<CardGroup cols={4}>
  <Card title="Key Manager User Guide" icon="book-open" href="/services/key-manager/user-guide" color="#197560">
    Step-by-step instructions for managing secrets, containers, and ACLs
  </Card>

  <Card title="Load Balancer Admin Guide" icon="shield-check" href="/services/load-balancer/admin-guide" color="#197560">
    Configure TLS termination using Key Manager certificates
  </Card>

  <Card title="Identity" icon="fingerprint" href="/cli-setup" color="#197560">
    Configure service accounts and RBAC policies for Key Manager access
  </Card>

  <Card title="Object Storage Admin Guide" icon="box" href="/services/object-storage/admin-guide" color="#197560">
    Configure server-side encryption using Key Manager-managed keys
  </Card>
</CardGroup>
