
Operator Guide

Running KeyRack in production.

  • Rust toolchain (1.80+) or a pre-built container image
  • Storage: SQLite (single-node) or PostgreSQL (recommended for production)
  • TLS certificate for gRPC/REST endpoints
  • External PDP (bundled keyrack-cedar-pdp, OPA, or any HTTP PDP)
  • Optional: PKCS#11 HSM or KMIP HYOK endpoint
  • Optional: NATS server for event distribution

Set KEYRACK_CONFIG to point to a YAML file:

```yaml
grpc_addr: "0.0.0.0:50051"
rest_addr: "0.0.0.0:8080"
storage:
  type: sqlite                      # single-node; use postgres in production
  path: "/var/lib/keyrack/keyrack.db"
provider:
  type: software                    # or: pkcs11, kmip, vault_transit
pdp:
  type: http
  endpoint: "http://localhost:8181/v1/authorize"
  timeout_ms: 5000
audit:
  type: file
  path: "/var/log/keyrack/audit.jsonl"
authn:
  type: bootstrap_token
  max_age_secs: 900
```
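The sample above is a development configuration, and several of its settings are ones the prerequisites list says not to run in production (SQLite, the software provider). The following pre-flight check is an added example written for this guide, not KeyRack's own tooling: it reads the same top-level keys the sample uses (`storage`, `provider`, `pdp`, `audit`, `authn`, the two bind addresses) and reports what an operator should change before go-live. The severity levels, the loopback exemption for a plaintext PDP endpoint, and the 900-second ceiling on bootstrap tokens are this example's assumptions; the config is embedded as a dict so it runs without a YAML library (with PyYAML installed, `yaml.safe_load` on the file gives the same structure).

```python
"""Pre-flight lint for a KeyRack operator config (added example, not KeyRack code)."""
from __future__ import annotations

from urllib.parse import urlparse

# Same settings as the sample config on this page, as a dict (constructed here).
SAMPLE_CONFIG: dict = {
    "grpc_addr": "0.0.0.0:50051",
    "rest_addr": "0.0.0.0:8080",
    "storage": {"type": "sqlite", "path": "/var/lib/keyrack/keyrack.db"},
    "provider": {"type": "software"},
    "pdp": {"type": "http", "endpoint": "http://localhost:8181/v1/authorize", "timeout_ms": 5000},
    "audit": {"type": "file", "path": "/var/log/keyrack/audit.jsonl"},
    "authn": {"type": "bootstrap_token", "max_age_secs": 900},
}

NON_PRODUCTION_PROVIDERS = {"software", "in_memory"}   # per the provider table
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}
MAX_BOOTSTRAP_AGE_SECS = 900                           # assumption: no longer than the sample


def lint_config(cfg: dict) -> list[tuple[str, str]]:
    """Return (level, message) pairs; level is 'error' (blocks go-live) or 'warn'."""
    out: list[tuple[str, str]] = []

    storage = cfg.get("storage") or {}
    if storage.get("type") == "sqlite":
        out.append(("warn", "storage: sqlite is single-node only; use postgres in production"))

    provider = cfg.get("provider") or {}
    if provider.get("type") in NON_PRODUCTION_PROVIDERS:
        out.append(("error", f"provider: {provider.get('type')!r} keeps keys in process memory "
                             "and is for dev/tests; use pkcs11, kmip or vault_transit"))

    pdp = cfg.get("pdp") or {}
    if not pdp.get("type"):
        out.append(("error", "pdp: no policy decision point configured"))
    elif pdp.get("type") == "http":
        endpoint = pdp.get("endpoint")
        if not endpoint:
            out.append(("error", "pdp: http PDP needs an endpoint"))
        else:
            url = urlparse(endpoint)
            if url.scheme not in ("http", "https"):
                out.append(("error", f"pdp: unsupported scheme {url.scheme!r}"))
            elif url.scheme == "http" and url.hostname not in LOOPBACK_HOSTS:
                # Authorization decisions crossing the network in the clear can be read or altered.
                out.append(("error", f"pdp: plaintext http to {url.hostname}; use https or a local sidecar"))
        timeout = pdp.get("timeout_ms")
        if not isinstance(timeout, int) or timeout <= 0:
            out.append(("warn", "pdp: set a positive timeout_ms so a hung PDP fails the request, not the service"))

    if not (cfg.get("audit") or {}).get("type"):
        out.append(("error", "audit: no audit sink configured"))

    authn = cfg.get("authn") or {}
    if authn.get("type") == "bootstrap_token":
        age = authn.get("max_age_secs")
        if not isinstance(age, int) or age <= 0 or age > MAX_BOOTSTRAP_AGE_SECS:
            out.append(("warn", f"authn: bootstrap_token max_age_secs should be 1..{MAX_BOOTSTRAP_AGE_SECS}"))

    for key in ("grpc_addr", "rest_addr"):
        addr = str(cfg.get(key, ""))
        if addr.startswith(("0.0.0.0", "[::]", ":")):
            out.append(("warn", f"{key}: listens on all interfaces; confirm the TLS certificate is in place"))
    return out


def errors(cfg: dict) -> list[str]:
    return [msg for level, msg in lint_config(cfg) if level == "error"]


def production_ready(cfg: dict) -> bool:
    return not errors(cfg)


if __name__ == "__main__":
    for level, msg in lint_config(SAMPLE_CONFIG):
        print(f"{level:5} {msg}")
```

Run it against the real file by replacing `SAMPLE_CONFIG` with the parsed YAML; a non-empty `errors()` list is a reason to stop the rollout, while warnings are judgment calls (a plaintext PDP on loopback is acceptable for a sidecar, a public bind address is expected behind TLS).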
| Provider     | Config type     | Notes                                          |
|--------------|-----------------|------------------------------------------------|
| Software     | `software`      | Dev and testing                                |
| PKCS#11      | `pkcs11`        | SoftHSM, Thales, Entrust, YubiHSM, CloudHSM    |
| Vault Transit| `vault_transit` | HashiCorp Vault                                |
| KMIP client  | `kmip`          | Remote HSM / HYOK                              |
| In-memory    | `in_memory`     | Tests only                                     |

For multi-tenant HYOK or multiple backends, use a providers: list plus provider_routing:

  • Route new keys to a provider by identity tags (e.g. tenant)
  • Per-version provider binding for cross-backend migration
  • Cross-provider ReEncrypt for gradual re-keying

Runnable reference: demo 06 — provider routing.
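The three routing behaviours listed above (tag-based placement of new keys, a provider bound per key version, and cross-provider ReEncrypt) are easier to reason about with a concrete model. The block below is an added example written for this guide, not KeyRack code and not a substitute for demo 06: the `providers` map, the `rules` list and the first-match tag rule are this example's assumptions about what a `providers:` list plus `provider_routing:` expresses, and `ToyProvider` is a placeholder backend with a SHA-256 keystream cipher so the example runs offline (it is not a real provider and not secure). What it shows is the invariant that matters for migration: a ciphertext carries the version it was produced under, every version is bound to exactly one backend, and re-encryption moves a blob forward one version at a time while older versions stay readable.

```python
"""Model of provider routing, per-version binding and cross-provider ReEncrypt.
Added example, not KeyRack code; schema and cipher are assumptions."""
from __future__ import annotations

import hashlib
import os
from dataclasses import dataclass, field


class ToyProvider:
    """Stand-in for one backend (software, pkcs11, kmip ...). Keys never leave it."""

    def __init__(self, name: str, kind: str) -> None:
        self.name, self.kind = name, kind
        self._keys: dict[str, bytes] = {}

    def generate_key(self, handle: str) -> None:
        self._keys[handle] = os.urandom(32)

    def _keystream(self, handle: str, nonce: bytes, n: int) -> bytes:
        out, ctr = b"", 0
        while len(out) < n:  # placeholder cipher: SHA-256(key || nonce || counter)
            out += hashlib.sha256(self._keys[handle] + nonce + ctr.to_bytes(4, "big")).digest()
            ctr += 1
        return out[:n]

    def encrypt(self, handle: str, plaintext: bytes) -> bytes:
        nonce = os.urandom(16)
        ks = self._keystream(handle, nonce, len(plaintext))
        return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))

    def decrypt(self, handle: str, blob: bytes) -> bytes:
        nonce, body = blob[:16], blob[16:]
        ks = self._keystream(handle, nonce, len(body))
        return bytes(a ^ b for a, b in zip(body, ks))


@dataclass
class KeyVersion:
    number: int
    provider: str  # per-version binding: each version lives on exactly one backend


@dataclass
class ManagedKey:
    key_id: str
    tags: dict[str, str]
    versions: list[KeyVersion] = field(default_factory=list)

    def current(self) -> KeyVersion:
        return self.versions[-1]

    def version(self, number: int) -> KeyVersion:
        return next(v for v in self.versions if v.number == number)


class Router:
    """rules: ordered (required_tags, provider_name) pairs; first match wins, else default."""

    def __init__(self, providers: dict[str, ToyProvider],
                 rules: list[tuple[dict[str, str], str]], default: str) -> None:
        self.providers, self.rules, self.default = providers, rules, default
        for _, name in rules + [({}, default)]:
            if name not in providers:  # fail at load time, not on the first Encrypt
                raise ValueError(f"routing references unknown provider {name!r}")

    def select(self, tags: dict[str, str]) -> str:
        for required, name in self.rules:
            if all(tags.get(k) == v for k, v in required.items()):
                return name
        return self.default

    def _new_version(self, key: ManagedKey, provider: str) -> KeyVersion:
        number = len(key.versions) + 1
        self.providers[provider].generate_key(f"{key.key_id}/v{number}")
        key.versions.append(KeyVersion(number, provider))
        return key.versions[-1]

    def create_key(self, key_id: str, tags: dict[str, str]) -> ManagedKey:
        key = ManagedKey(key_id, tags)
        self._new_version(key, self.select(tags))
        return key

    def rotate(self, key: ManagedKey, provider: str | None = None) -> KeyVersion:
        # A rotation may land on a different backend: that is the cross-backend migration path.
        return self._new_version(key, provider or self.select(key.tags))

    def encrypt(self, key: ManagedKey, plaintext: bytes) -> bytes:
        v = key.current()
        blob = self.providers[v.provider].encrypt(f"{key.key_id}/v{v.number}", plaintext)
        return v.number.to_bytes(4, "big") + blob  # ciphertext records its version

    def decrypt(self, key: ManagedKey, ciphertext: bytes) -> bytes:
        v = key.version(ciphertext_version(ciphertext))  # route by the version's binding
        return self.providers[v.provider].decrypt(f"{key.key_id}/v{v.number}", ciphertext[4:])

    def re_encrypt(self, key: ManagedKey, ciphertext: bytes) -> bytes:
        # Old version's backend decrypts, current version's backend encrypts.
        return self.encrypt(key, self.decrypt(key, ciphertext))


def ciphertext_version(ciphertext: bytes) -> int:
    return int.from_bytes(ciphertext[:4], "big")
```

Note what the model does not do: it never exports a key from one backend to load it into another. Migration is a rotation onto the new backend followed by ReEncrypt of existing blobs, which is why the old version must stay decryptable until the last ciphertext has been moved and why the service needs plaintext in memory during that window (see the mode discussion further down).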

```bash
git clone https://github.com/KeyRack-io/keyrack.git
cd keyrack
docker compose up -d keyrack-service
```
| Endpoint       | Purpose            |
|----------------|--------------------|
| `GET /healthz` | Liveness probe     |
| `GET /readyz`  | Readiness probe    |
| `GET /metrics` | Prometheus metrics |
  • Crypto mode (default) — the service exposes Encrypt, Decrypt, Sign and Verify. Plaintext transits service memory, so the service process sits inside the trust boundary for every operation: put TLS on the gRPC/REST endpoints and route every call through the PDP.
  • Orchestration mode (--no-default-features) — the service handles key lifecycle and audit only; applications link keyrack-core and talk to the HSM directly, so plaintext never reaches the service.

The complete operator guide lives in the keyrack-oss repository.

See also: Integration guide · Security model