This is an automated email from the ASF dual-hosted git repository.
harikrishna-patnala pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/cloudstack-documentation.git
The following commit(s) were added to refs/heads/main by this push:
new a099b8fa Feature: Key Management Service (KMS) (#634)
a099b8fa is described below
commit a099b8fa3cc42cd610c4ebf3e77254f59a916f6b
Author: Vishesh <[email protected]>
AuthorDate: Tue Jun 30 10:10:58 2026 +0530
Feature: Key Management Service (KMS) (#634)
---
source/_static/images/kms-add-hsm-profile.png | Bin 0 -> 73581 bytes
source/_static/images/kms-architecture.png | Bin 0 -> 46983 bytes
source/_static/images/kms-create-key.png | Bin 0 -> 62887 bytes
source/_static/images/kms-rotate-key.png | Bin 0 -> 22476 bytes
source/adminguide/index.rst | 2 +-
source/adminguide/kms.rst | 215 ++++++++++++++++++++++++++
source/adminguide/storage.rst | 22 ++-
7 files changed, 237 insertions(+), 2 deletions(-)
diff --git a/source/_static/images/kms-add-hsm-profile.png
b/source/_static/images/kms-add-hsm-profile.png
new file mode 100644
index 00000000..dfe4dcfb
Binary files /dev/null and b/source/_static/images/kms-add-hsm-profile.png
differ
diff --git a/source/_static/images/kms-architecture.png
b/source/_static/images/kms-architecture.png
new file mode 100644
index 00000000..683adbc7
Binary files /dev/null and b/source/_static/images/kms-architecture.png differ
diff --git a/source/_static/images/kms-create-key.png
b/source/_static/images/kms-create-key.png
new file mode 100644
index 00000000..5849a098
Binary files /dev/null and b/source/_static/images/kms-create-key.png differ
diff --git a/source/_static/images/kms-rotate-key.png
b/source/_static/images/kms-rotate-key.png
new file mode 100644
index 00000000..a7bbf002
Binary files /dev/null and b/source/_static/images/kms-rotate-key.png differ
diff --git a/source/adminguide/index.rst b/source/adminguide/index.rst
index 040ad1cd..5fcb05f0 100644
--- a/source/adminguide/index.rst
+++ b/source/adminguide/index.rst
@@ -160,7 +160,7 @@ Managing the Cloud
:maxdepth: 4
management
-
+ kms
System Reliability and Availability
-----------------------------------
diff --git a/source/adminguide/kms.rst b/source/adminguide/kms.rst
new file mode 100644
index 00000000..1e0f7d61
--- /dev/null
+++ b/source/adminguide/kms.rst
@@ -0,0 +1,215 @@
+.. Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+
+.. _key-management-system:
+
+Key Management System (KMS)
+============================
+
+Introduced in Apache CloudStack 4.23, the Key Management System (KMS) lets you
encrypt
+storage volumes using keys stored in a hardware security module (HSM).
+Previously, volume passphrases were encrypted with a single key stored in the
+database. If no KMS key is provided, CloudStack falls back to this legacy
behavior.
+
+.. _kms-architecture:
+
+Architecture and Design
+-----------------------
+
+KMS is built around a two-tier key hierarchy to protect data at rest:
+
+- **KEK (Key Encryption Key)** — The master key that never leaves the secure
backend. KEKs
+ are stored in and managed by the configured KMS provider.
+- **DEK (Data Encryption Key)** — The key that encrypts the actual data (e.g.,
Volumes).
+ DEKs are stored wrapped by the KEK and are only decrypted in memory when
needed.
+
+.. image:: /_static/images/kms-architecture.png
+ :align: center
+ :alt: KMS architecture diagram showing providers, KEK, DEK, and Volume Data
layers
+
+
+Pluggable Provider Framework
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The KMS architecture is designed to be extensible. CloudStack currently ships
two providers:
+
+- **Database Provider** — A built-in fallback provider that stores
+ wrapped keys in the CloudStack database. Suitable for environments without
dedicated HSM
+ hardware.
+- **PKCS#11 HSM Provider** — Integrates with dedicated Hardware
+ Security Module devices via the PKCS#11 standard allowing integration with
+ various HSM providers.
+
+HSM Profiles
+^^^^^^^^^^^^
+Each KMS Key is stored in a Hardware Security Module. The root admin registers
+**HSM Profiles** that capture the connection configuration for a specific HSM
device
+(e.g., PKCS#11 library path, slot, PIN). Sensitive fields such as
+PINs and passwords are automatically encrypted at rest and masked in responses.
+
+.. note::
+ HSM Profiles can be created only by root administrators and can be scoped to
a zone,
+ account, or can be made global (available to all zones).
+
+.. _kms-hsm-profiles:
+
+Managing HSM Profiles
+---------------------
+
+Before creating a KMS key, an administrator must register an HSM
+Profile.
+
+Adding an HSM Profile
+^^^^^^^^^^^^^^^^^^^^^
+
+#. Log in to the CloudStack UI as a root administrator.
+
+#. In the left navigation bar, click **HSM Profile** under **Key Management**.
+
+#. Click on **Add HSM Profile +**.
+
+#. Provide the following details:
+
+ - **Name** — A unique name for the profile.
+ - **Zone** — The zone this profile is scoped to. Leave blank to make it
available to all zones.
+ - **Vendor Name** — The HSM device vendor.
+ - **System** — Check this to make the profile globally available. Uncheck
to scope it to an account or zone.
+ - **Details** — Protocol-specific key-value pairs such as ``library``,
``slot``, and
+ ``pin`` for PKCS#11.
+
+ .. image:: /_static/images/kms-add-hsm-profile.png
+ :align: center
+ :alt: Add HSM Profile dialog
+
+#. Click **OK**.
+
+
+.. note::
+ If access to the HSM is lost, CloudStack will be unable to access
+ volumes encrypted with the keys managed by this HSM profile and the
+ volumes will be inaccessible.
+
+.. note::
+ Sensitive fields (PINs, passwords) are automatically masked in the UI and
API responses
+ after the profile is created.
+
+.. note::
+ The operator has to ensure that the required HSM libraries are installed on
+ all the management servers and depending on the HSM provider, there might be
+ some additional configuration required on each of the management servers.
+
+.. _kms-key-lifecycle:
+
+Managing KMS Keys
+-----------------
+
+KMS Keys (Key Encryption Keys / KEKs) are **zone-scoped**: a key created in
one zone
+cannot be used in another. Keys can be created by users and administrators.
+
+Creating a KMS Key
+^^^^^^^^^^^^^^^^^^
+
+#. Log in to the CloudStack UI.
+
+#. In the left navigation bar, click **KMS Keys** under **Key Management**.
+
+#. Click **Create KMS Key +**.
+
+#. Provide the following details:
+
+ - **Name** — A name for the key.
+ - **Description** — An optional description.
+ - **Zone** — The zone in which the key will be valid.
+ - **HSM Profile** — The HSM profile to use as the backend for this key.
+ - **Key Size** — Bits for the KEK: ``128``, ``192``, or ``256`` (default).
+
+ .. image:: /_static/images/kms-create-key.png
+ :align: center
+ :alt: Create KMS Key dialog
+
+#. Click **OK**. The key is created in the specified HSM and becomes available
for
+ encrypting volumes in the selected zone.
+
+.. _kms-key-rotation:
+
+Rotating a KMS Key
+^^^^^^^^^^^^^^^^^^
+
+Key rotation generates a new version of the KEK and automatically schedules
background
+re-encryption of all DEKs protected by the old version. This is an
asynchronous operation.
+
+
+#. In the left navigation bar, click **KMS Keys** under **Key Management**.
+
+#. Open the Details page for the key you want to rotate.
+
+#. Click the **Rotate KMS Key** button.
+
+ .. image:: /_static/images/kms-rotate-key.png
+ :align: center
+ :alt: Rotate Key option in KMS Keys list
+
+#. Confirm the rotation. A background job is created that progressively
rewraps all DEKs
+ to the new KEK version without ever exposing the plaintext DEKs.
+
+.. note::
+ The rewrapping job runs in batches. The ``kms.rewrap.batch.size`` and
+ ``kms.rewrap.interval.ms`` settings control how quickly DEKs are
re-encrypted
+ after rotation (see :ref:`kms-configuration`).
+
+.. _kms-volume-migration:
+
+Migrating Existing Volumes to KMS
+----------------------------------
+
+Existing volumes that use older passphrase-based encryption can be migrated to
KMS-managed
+envelope encryption without data loss. This is an administrator-only operation
and is
+performed using the ``migrateVolumesToKMS`` API. The migration runs as an
asynchronous
+background job.
+
+.. note::
+ Migrated volumes will be re-encrypted under the KMS envelope encryption
model, removing
+ the dependency on a static passphrase. Scope the migration by zone,
account, or domain,
+ or provide specific volume IDs for selective migration.
+
+For full API parameter details, see the
+`CloudStack API Reference <https://cloudstack.apache.org/api/>`_.
+
+.. _kms-configuration:
+
+KMS Configuration Settings
+--------------------------
+
+The following global configuration settings are available to tune KMS
behaviour. They can
+be found under **Global Settings** in the CloudStack UI.
+
+.. cssclass:: table-striped table-bordered table-hover
+
+=============================== =============
=================================================
+Configuration Default Description
+=============================== =============
=================================================
+``kms.dek.size.bits`` ``256`` Size of generated DEKs in bits.
Valid values
+ are ``128``, ``192``, and
``256``.
+``kms.retry.count`` ``3`` Number of retry attempts on
transient KMS
+ operation failures.
+``kms.retry.delay.ms`` ``1000`` Base delay in milliseconds for
exponential
+ back-off between retry attempts.
+``kms.operation.timeout.sec`` ``30`` Timeout in seconds for a single
KMS
+ cryptographic operation.
+``kms.rewrap.batch.size`` ``50`` Number of DEKs to rewrap per
background job
+ iteration during KEK rotation.
+``kms.rewrap.interval.ms`` ``300000`` Interval in milliseconds between
background
+ DEK rewrapping runs (default: 5
minutes).
+=============================== =============
=================================================
diff --git a/source/adminguide/storage.rst b/source/adminguide/storage.rst
index d1d0f2f6..186a1e04 100644
--- a/source/adminguide/storage.rst
+++ b/source/adminguide/storage.rst
@@ -602,7 +602,7 @@ can be attached to Instances, detached, re-attached, and
deleted
just as with the other types of data volume.
Local storage is ideal for scenarios where persistence of data volumes
-and HA is not required. Some of the benefits include reduced disk I/O
+and HA is not required. Some of the benefits include reduced disk I/O
latency and cost reduction from using inexpensive local disks.
In order for local volumes to be used, the feature must be enabled for
@@ -618,9 +618,25 @@ If you want to put a host into maintenance mode, you must
first stop any
Instances with local data volumes on that host.
+Volume Encryption
+^^^^^^^^^^^^^^^^^
+
+CloudStack supports LUKS-based volume encryption on KVM. Encrypted volumes are
managed
+through the :ref:`key-management-system`, where you can create and manage the
encryption
+keys used to protect your data.
+
+To create an encrypted volume, select a **KMS Key** from the UI when creating
the volume,
+or supply the key ID via the API. The key must belong to the same zone as the
volume.
+
+.. warning::
+ Deleting the KMS key used to encrypt a volume will render that volume
permanently
+ unrecoverable.
+
+
To Create a New Volume
^^^^^^^^^^^^^^^^^^^^^^
+
#. Log in to the CloudStack UI as a User or admin.
#. In the left navigation bar, click Storage.
@@ -637,6 +653,10 @@ To Create a New Volume
- Disk Offering. Choose the characteristics of the storage.
+ - KMS Key. (Optional) Select a KMS key to enable envelope-based
+ encryption for the volume. Requires KMS to be configured in the zone.
+ See :ref:`key-management-system`.
+
The new volume appears in the list of volumes with the state
“Allocated.” The volume data is stored in CloudStack, but the volume
is not yet ready for use