Key Wrapping
Configure where the Key Encrypting Key (KEK) is stored. The KEK wraps the per-write data-encryption key (DEK) that encrypts signing key material before it is written to the Kubernetes CRD. By default, the KEK is stored in a Kubernetes Secret in the deployment namespace, so anyone who can read that Secret or the underlying Kubernetes data store holds everything needed to decrypt the stored signing keys. The pages below describe how to move the KEK into an external key management service, so that an attacker with access to the Kubernetes data store obtains only ciphertext and wrapped DEKs, not the key that unwraps them.
Key wrapping is configured through Helm values in the spirl-system chart, not through Managed Config. At most one external provider can be configured per Trust Domain Server deployment; if none is configured, the chart falls back to the default Kubernetes Secret.
Key wrapping protects signing keys at rest but does not change where signing operations happen: the Trust Domain Server still unwraps the DEK and holds the decrypted signing key in memory at runtime, so an attacker who can read server memory is not stopped by any of the providers below. To move signing keys entirely into an external KMS or HSM so they never enter server memory, configure a Key Manager instead.
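The envelope scheme described above, as an added Go example that is not part of this documentation or the spirl-system chart. `KEKProvider` is a hypothetical stand-in for an external KMS (it wraps and unwraps DEKs but never hands out the KEK), `Envelope` is a hypothetical stand-in for the record stored in the CRD, and the AAD labels and the sample key material are constructed for the example. The two attacker paths at the end show why the default Kubernetes Secret is weaker than an external provider, and `ReadSigningKey` shows why the plaintext key still ends up in server memory:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is a stand-in for the CRD record (and so what lands in etcd):
// the signing key sealed under a per-write DEK plus that DEK wrapped by the
// KEK. The KEK itself is never part of the record.
type Envelope struct {
	WrappedDEK []byte // DEK sealed under the KEK, nonce prepended
	Ciphertext []byte // signing key sealed under the DEK, nonce prepended
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM, authenticating aad, and prepends the nonce.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal reverses seal; a wrong key, tampered bytes or mismatched aad fails.
func unseal(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, errors.New("cannot unseal: bad key length or truncated blob")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// KEKProvider is a hypothetical stand-in for an external KMS: wrap/unwrap only, KEK never released.
type KEKProvider struct{ kek []byte }

func NewKEKProvider() (*KEKProvider, error) {
	kek := make([]byte, 32)
	_, err := rand.Read(kek)
	return &KEKProvider{kek: kek}, err
}

func (p *KEKProvider) Wrap(dek []byte) ([]byte, error) { return seal(p.kek, dek, []byte("dek")) }
func (p *KEKProvider) Unwrap(w []byte) ([]byte, error) { return unseal(p.kek, w, []byte("dek")) }

// WriteSigningKey uses a fresh DEK per write; only the Envelope is persisted.
func WriteSigningKey(p *KEKProvider, signingKey []byte) (Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Envelope{}, err
	}
	ct, err := seal(dek, signingKey, []byte("signing-key"))
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := p.Wrap(dek)
	return Envelope{WrappedDEK: wrapped, Ciphertext: ct}, err
}

// ReadSigningKey is the server-side path: the returned plaintext key now lives in process memory.
func ReadSigningKey(p *KEKProvider, env Envelope) ([]byte, error) {
	dek, err := p.Unwrap(env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return unseal(dek, env.Ciphertext, []byte("signing-key"))
}

// DecryptFromDatastore models an attacker holding an etcd dump: leakedKEK is nil with
// an external provider, and is the Secret's value in the default configuration.
func DecryptFromDatastore(env Envelope, leakedKEK []byte) ([]byte, error) {
	if leakedKEK == nil {
		return nil, errors.New("KEK not present in datastore dump")
	}
	dek, err := unseal(leakedKEK, env.WrappedDEK, []byte("dek"))
	if err != nil {
		return nil, err
	}
	return unseal(dek, env.Ciphertext, []byte("signing-key"))
}

func main() {
	p, _ := NewKEKProvider()
	env, _ := WriteSigningKey(p, []byte("constructed sample key material")) // constructed, not a real key
	_, err := DecryptFromDatastore(env, nil)
	fmt.Println("external KEK, attacker has etcd dump only:", err)
	got, _ := DecryptFromDatastore(env, p.kek)
	fmt.Println("KEK in a Kubernetes Secret, attacker has etcd dump:", string(got))
}
```

The AAD labels bind each blob to its role, so a wrapped DEK cannot be passed off as a signing-key ciphertext or vice versa, and GCM authentication means any edit to the stored record is rejected rather than silently producing garbage key material. A real KMS additionally keeps an audit trail of every unwrap call, which the Kubernetes Secret default cannot offer.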
For an in-depth look at how key management works and guidance on choosing the right approach, see the Signing Key Management Guide.
AWS KMS
Encrypt signing keys at rest with AWS KMS.
Azure Key Vault
Encrypt signing keys at rest with Azure Key Vault.
GCP Cloud KMS
Encrypt signing keys at rest with Google Cloud KMS.