Install the required packages :
# debian
sudo apt install softhsm2 opensc
# redhat
sudo yum install epel-release softhsm openscSetup for rootless usage :
sudo cp /etc/softhsm/softhsm2.conf $HOME
sudo chown $USER: $HOME/softhsm2.conf
echo 'export SOFTHSM2_CONF=$HOME/softhsm2.conf' >> $HOME/.bashrc
source $HOME/.bashrc
sudo usermod -aG softhsm $USERLogout and login.
Create a token :
softhsm2-util --init-token --slot 0 --label mylabel --so-pin mysopin --pin mypinCreate the encryption key :
# for debian
export MODULE="/usr/lib/softhsm/libsofthsm2.so"
# for redhat
export MODULE="/usr/lib64/pkcs11/libsofthsm2.so"
# aes kek
pkcs11-tool --module $MODULE --token-label mylabel --pin mypin --keygen --key-type aes:16 --label aes0Start the plugin :
SOCKET="/run/user/$(id -u $USER)/k8s-kms-plugin.sock"
# aes-gcm mode
k8s-kms-plugin serve --socket $SOCKET \
--p11-lib $MODULE --p11-label mylabel --p11-pin mypin --p11-key-label aes0 \
--enable-serverStart a K3S cluster with the proper KMS configuration in encryption-conf.yaml :
curl -sfL https://get.k3s.io | sh -s - \
--kube-apiserver-arg=encryption-provider-config=encryption-conf.yaml