Overview
The Key Manager service is a critical security component — it stores the credentials that protect all other services. A compromise of the Key Manager backend could expose secrets used across your entire platform. This guide covers the key hardening areas.Hardening Guidelines
Protect the master encryption key
Protect the master encryption key
The
simple_crypto backend encrypts secrets using a master key. This key must be
treated as the most sensitive credential in your platform:- Store master key files with
0400permissions, owned by the Key Manager service user - Back up the master key to offline, encrypted media stored in a physically secure location
- Never include the master key in container images, version control, or backup snapshots
- Rotate the master key annually — plan a maintenance window for the re-encryption operation
Verify master key file permissions
HSM access control
HSM access control
For PKCS#11 deployments:
- Assign a dedicated HSM partition exclusively to Key Manager — never share partitions with other applications
- Use separate HSM credentials for Key Manager vs. HSM administration tasks
- Enable HSM audit logging and forward logs to your SIEM
- Test HSM failover procedures quarterly — Key Manager unavailability during HSM outage blocks secret retrieval across all dependent services
- Restrict physical HSM access to authorized datacenter staff only
Audit secret access
Audit secret access
All Key Manager API requests are logged. Forward logs to your centralized logging
platform for:
- Secret creation and deletion events
- ACL modifications — track when access is granted or revoked
- Secret retrieval (
GET /v1/secrets/<id>/payload) — every access by every caller - Failed access attempts — potential indicators of unauthorized access attempts
Secret expiration policy
Secret expiration policy
Enforce expiration on time-sensitive secrets:
- Set expiration dates on all API tokens and temporary credentials
- TLS certificates: track expiration in an external calendar — Key Manager does not send expiration alerts
- Implement rotation workflows: create a new secret, update all references, then delete the old secret
- Review and purge secrets without expiration dates quarterly — accumulation of orphaned secrets increases the blast radius of a breach
Restrict API network access
Restrict API network access
The Key Manager API should not be exposed on public networks:
- Bind the API to the internal management network only
- Configure firewall rules limiting port 9311 access to authorized service hosts
- Use HAProxy frontend ACLs to restrict source IPs if Key Manager is behind a load balancer
- Enable HTTPS on the Key Manager API endpoint — never transmit secrets over plain HTTP
- Disable direct external access — all API calls should originate from within the platform
Security Checklist
| Control | Frequency | Notes |
|---|---|---|
| Master key file permissions | At deployment | 0400, owned by service user |
| Master key offline backup | At rotation | Encrypted media, physically secured |
| Master key rotation | Annually | Plan maintenance window |
| HSM partition isolation | At setup | Dedicated partition per service |
| Audit log forwarding | Continuous | SIEM integration |
| Orphaned secret review | Quarterly | Purge secrets without expiration |
| Network access controls | At deployment | Firewall rules on port 9311 |
| HTTPS on API endpoint | Always | TLS termination at HAProxy |
Next Steps
Backend Configuration
Configure HSM and KMIP backends for production deployments
Quotas
Set per-project limits to control resource consumption
Admin Troubleshooting
Diagnose security-related Key Manager service issues
DNS Security
Secure DNSSEC keys stored in Key Manager