This release introduces comprehensive key and cluster lifecycle management, including support for key versioning, "Bring Your Own Key" (BYOK), and dynamic cluster scaling. It also delivers significant performance gains through a redesigned API, enhances security with a granular Identity and Access Management (IAM) system, and improves observability with Prometheus metrics and health endpoints.

### Breaking Changes

*   **Licensing Model**: The software is no longer licensed under AGPLv3 and now requires a valid MinIO SubNet license for operation. The application will terminate on startup without a valid license and will shut down shortly after a license expires. (#29, #47, #63, #65)
*   **API Redesign**: The server API has been redesigned to a command-based model over a single `/v1/kms` endpoint for significant performance improvements. All client applications and scripts interacting directly with the API must be updated to use the new interface and the latest SDK. (#43)
*   **CLI Command Redesign**: The `minkms` CLI syntax has been changed from `<resource> <action>` (e.g., `minkms key add`) to a verb-first pattern (e.g., `minkms add-key`). All scripts and user workflows must be updated to the new command structure. (#31)
*   **HSM Configuration**: The environment variable for the software HSM key has been renamed to `MINIO_KMS_HSM_KEY`. The key format has also been updated from `minio:v1:...` to `hsm:...`. All configurations must be updated to reflect these changes. (#11, #37)
*   **Database Migration Required**: The database schema now includes mandatory initialization metadata. Clusters created with a previous version will fail to start and require a manual migration. (#42)
*   **Project Rename**: The Go module has been renamed from `github.com/miniohq/kms` to `github.com/miniohq/minkms`. Developers using the project as a library must update their import paths. (#64)
*   **CLI Command Renames**: The `minkms key dek` and `minkms key dec` commands are now `minkms key generate` and `minkms key decrypt`. The `minkms datakey` command is now `minkms keygen`. Scripts must be updated. (#16, #51)
*   **Key Version Deletion**: The `minkms key rm` command now removes only the latest key version by default. Use the `--all` flag to delete a key and all its versions. (#20)
*   **Simplified CLI Operations**: The `add-key`, `rm-key`, and `add-enclave` commands now operate on a single resource at a time to ensure predictable behavior. Scripts creating or deleting multiple resources must be updated to use one command per resource. (#54)

### New Features

*   **Full Key Lifecycle Management**: Manage cryptographic keys with CLI commands to create (`add-key`), delete (`rm-key`), and view status (`stat-key`). (#13, #33)
*   **Key Versioning**: Create and manage multiple versions for a single key to streamline key rotation. New versions can be added to an existing key, and specific old versions can be removed. (#20, #25)
*   **Bring Your Own Key (BYOK)**: Import existing external encryption keys into the KMS for centralized management using the `minkms add-key --import` command. (#49)
*   **Identity and Access Management (IAM)**: Enforce granular access control by creating identities with distinct privilege levels (`sysadmin`, `admin`, `user`) and assigning them to access policies. (#30, #34, #38, #84)
*   **Dynamic Cluster Management**: Monitor cluster health, view node status, and dynamically add or remove nodes from a running cluster without service interruption. (#3, #45)
*   **Cluster Repair and Backup**: Recover a cluster from a loss of write-quorum by manually removing failed nodes. Create a complete backup of the cluster's state for disaster recovery. (#10, #40)
*   **Observability and Diagnostics**: Integrate with monitoring systems via a `/v1/health/metrics` endpoint for Prometheus. Use `/v1/health/live` and `/v1/health/ready` probes for automated management in containerized environments. Profile server performance with the `minkms pprof` command. (#41, #56, #73)
*   **Data Encryption Key (DEK) Generation**: Generate and decrypt data keys for use in client-side envelope encryption workflows. (#14)
*   **Enclave and Policy Management**: Create and manage isolated enclaves and define fine-grained access control policies via the API and CLI. (#1, #2, #21, #22, #46)
*   **YAML Configuration**: Configure the KMS server using a structured YAML file for easier management and deployment automation. (#36)
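As an added illustration of the new observability endpoints (this is not part of the release notes or the minkms project), the container spec below wires the `/v1/health/live` and `/v1/health/ready` probes and the non-default `/v1/health/metrics` Prometheus path into a Kubernetes Deployment; the image reference, listen port `7373`, Secret name, and probe timings are assumptions.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: minkms
spec:
  replicas: 1
  selector:
    matchLabels:
      app: minkms
  template:
    metadata:
      labels:
        app: minkms
      annotations:
        # The metrics endpoint is not at the conventional /metrics path,
        # so scrape discovery must be told the path explicitly.
        prometheus.io/scrape: "true"
        prometheus.io/path: "/v1/health/metrics"
        prometheus.io/port: "7373"   # assumed listen port
    spec:
      containers:
        - name: minkms
          image: REPLACE_WITH_MINKMS_IMAGE   # placeholder, not a real image reference
          ports:
            - containerPort: 7373   # assumed listen port
          env:
            # Renamed in this release; the value must use the new `hsm:...` format.
            - name: MINIO_KMS_HSM_KEY
              valueFrom:
                secretKeyRef:
                  name: minkms-hsm   # assumed Secret holding the HSM key
                  key: hsm-key
          livenessProbe:
            httpGet:
              path: /v1/health/live
              port: 7373
              scheme: HTTPS   # server serves TLS (self-signed by default)
            initialDelaySeconds: 5
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /v1/health/ready
              port: 7373
              scheme: HTTPS
            periodSeconds: 5
            failureThreshold: 3
```

The probes use `scheme: HTTPS` because the server generates a self-signed certificate on first start; the kubelet does not verify the server certificate for HTTP probes, so the self-signed certificate will not cause probe failures, but a Prometheus scrape job still needs its own `scheme: https` and TLS settings.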

### Performance Improvements

*   **Command Pipelining**: Bulk read operations are significantly faster because multiple commands can now be bundled into a single HTTP request, cutting the number of network round trips. (#58, #59)
*   **High-Performance API**: The redesigned command-based API provides substantial performance gains (over 100x in some cases) for workloads with many small, batched operations. (#43)

### Improvements

*   **Enhanced Cluster Consensus**: The consensus mechanism is now more resilient to network partitions, reducing `partial write` errors and improving cluster availability. (#9)
*   **Simplified CLI Usability**: The `minkms` CLI now supports batch operations on many commands, accepts an `--api-key` flag for authentication, and features a redesigned, more intuitive help system. (#24, #26, #32, #35, #48, #53, #77)
*   **Improved CLI Output**: Commands for viewing cluster and enclave status now feature color-coded, human-readable output and a `--json` flag for automation. (#6, #7)
*   **Multi-Architecture Container Support**: The official container image now supports both `amd64` and `arm64` architectures, enabling native performance on platforms like Apple Silicon and AWS Graviton. (#23)
*   **Automatic TLS for Development**: The server automatically generates a self-signed TLS certificate on first startup to streamline local development and testing. (#12)
*   **Simplified Policy Syntax**: KMS access policies can now be written using a more concise and intuitive syntax. (#57)
*   **Expanded License Support**: The KMS now supports `ENTERPRISE-LITE` and `ENTERPRISE-PLUS` license plans. (#60)
*   **Integrated Data Integrity**: Secret keys now automatically include a dedicated HMAC key, bundling encryption and data integrity verification into a single object. (#15)

### Bug Fixes

*   **Corrected Access Policy Enforcement**: Resolved an issue where URL path patterns in access policies were not matched correctly, ensuring path-based rules are now properly enforced. (#4)
*   **Fixed CLI Output**: The `get-policy` and `get-identity` commands now correctly display the resource name. The `ls-enclave` command output is now properly aligned for readability. (#61, #80)
*   **Resolved Initial Cluster ID Display**: The Cluster ID is now correctly loaded and displayed in logs upon a server's initial startup. (#55)

### Security Updates

*   **Go Runtime and Dependency Updates**: The software is now built with Go 1.22.2 and includes updated third-party dependencies, incorporating the latest security patches and performance improvements. (#66, #68, #72)