Installing the Stormshield KMaaS via a Docker image
- You must follow the recommendations of ANSSI document ANSSI-FT-082 on the deployment of Docker containers.
- You must set up a container orchestration environment (e.g., Kubernetes, Docker Swarm) to manage replication, high availability and the container life cycle automatically. For a resilient installation, Stormshield recommends a minimum of 3 instances of the Stormshield KMaaS.
- The configuration of the container orchestrator depends on the technology used. Refer to your orchestrator's documentation for detailed installation steps and the security best practices specific to your environment.
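As an added example of an orchestrator setup that satisfies the three-instance recommendation (this is not a Stormshield manifest or tool), the following POSIX shell script emits a Kubernetes Deployment with three replicas forced onto distinct nodes, supplies config.json from a ConfigMap and keks.json from a Secret mounted read-only, and creates those objects from the configuration directory prepared in the steps below. The image name stormshield-kmaas:<version>, the in-container path /etc/kmaas, the namespace and the group ID 10001 are assumptions, not values given on this page; the image is assumed to be loaded on every node or pushed to a private registry the nodes can reach.

```shell
#!/bin/sh
# Added example, not part of the Stormshield documentation: run the recommended
# minimum of three Stormshield KMaaS instances on Kubernetes, one per node, with
# config.json from a ConfigMap and keks.json (key material) from a Secret.
# Assumptions not stated on the page: image stormshield-kmaas:<version> is
# reachable by the nodes, the service reads its files from /etc/kmaas, and the
# image's service user belongs to group 10001.
set -eu

# Print the Deployment manifest for a given image version and namespace.
kmaas_manifest() {
    version=$1; ns=$2
    cat <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: stormshield-kmaas
  namespace: ${ns}
spec:
  replicas: 3
  selector:
    matchLabels:
      app: stormshield-kmaas
  template:
    metadata:
      labels:
        app: stormshield-kmaas
    spec:
      # One instance per node, so losing a node still leaves two running.
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchLabels:
                app: stormshield-kmaas
            topologyKey: kubernetes.io/hostname
      securityContext:
        runAsNonRoot: true
        fsGroup: 10001             # assumed group of the service user in the image
      containers:
      - name: kmaas
        image: stormshield-kmaas:${version}
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
        volumeMounts:
        - name: kmaas-config
          mountPath: /etc/kmaas    # assumed configuration path in the container
          readOnly: true
      volumes:
      - name: kmaas-config
        projected:
          defaultMode: 0440        # readable by owner and fsGroup only
          sources:
          - configMap:
              name: kmaas-config
          - secret:
              name: kmaas-keks
EOF
}

# Create the ConfigMap (non-secret config) and the Secret (keks.json) from the
# staged configuration directory, then apply the Deployment.
deploy_kmaas() {
    version=$1; ns=$2; confdir=$3
    kubectl -n "$ns" create configmap kmaas-config \
        --from-file=config.json="$confdir/config.json"
    kubectl -n "$ns" create secret generic kmaas-keks \
        --from-file=keks.json="$confdir/keks.json"
    kmaas_manifest "$version" "$ns" | kubectl apply -f -
}

# Usage: ./deploy-kmaas.sh <version> <namespace> <config-dir>
if [ "$#" -eq 3 ]; then
    deploy_kmaas "$1" "$2" "$3"
fi
```

The projected volume merges both sources into one directory, which is what the service sees as its configuration directory; keeping keks.json in a Secret rather than a ConfigMap means it is stored and access-controlled separately from the non-sensitive configuration, and the required anti-affinity makes a single node failure cost at most one instance.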
- Install Docker on each server where you want to run the Stormshield KMaaS. The minimum Docker version supported is 20.1.1. For more information, refer to the Install Docker Engine documentation.
You must contact Stormshield to get the Docker image artifact provided as a compressed folder.
The archive of the Stormshield KMaaS contains the following files:
| File | Description |
|---|---|
| stormshield-kmaas-{version}.tar | Docker image of the Stormshield KMaaS in .tar format. |
| config.json.template | Template configuration file for the Stormshield KMaaS. |
| keks.json.template | Template file for the list of key encryption keys (KEK). |
| policy.wasm | Default security policy module. This module does not enable any security policies. |
| policy.data.json | Data file used by the policy.wasm module. |
| application-sbom.xml | Software Bill Of Materials in the standard CycloneDX format. |
The artifact is provided with its SHA-256 checksum file, docker.zip.sha256sum.txt.
- Use the following command in the folder containing the artifact:
sha256sum --check docker.zip.sha256sum.txt
It must return docker.zip: OK. If you add the --status option, sha256sum prints nothing and reports the result only through its exit status, which must then be 0.
- If the result is different, do not proceed further and contact Stormshield.
- Load the image of the Stormshield KMaaS in Docker using the following command:
docker load --input stormshield-kmaas-<version>.tar
- Create a dedicated directory to host your configuration and copy the template files provided with the Docker image into it. Rename the files as follows:
  - config.json: configuration file of the Stormshield KMaaS,
  - keks.json: file containing the list of key encryption keys (KEK).
In the step Configuring the Stormshield KMaaS, you can edit these files directly in this directory.
- Make sure that the directory containing the configuration files is available in the container through a volume or using your orchestrator's technology. For more information, refer to your orchestrator's documentation.
- Ensure that the keks.json file and the private keys are made available in the production environment in a secure way, for example through your orchestrator's secret mechanism with restrictive file permissions, and never by copying them into the image.
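The single-host procedure above as one added shell script (not Stormshield's own tooling): it verifies the artifact by the checksum command's exit status, refuses to continue on a mismatch, loads the image, stages the configuration directory with restrictive permissions, and runs one instance with that directory bind-mounted read-only. The archive layout (docker.zip unpacking to the files listed in the table), the loaded image name stormshield-kmaas:<version> and the in-container path /etc/kmaas are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example, not a Stormshield script: stage a Stormshield KMaaS artifact on
# a single Docker host following the installation steps above.
# Assumptions not stated on the page: docker.zip unpacks to the files listed in
# the table, `docker load` registers the image as stormshield-kmaas:<version>,
# and the service reads its configuration from /etc/kmaas inside the container.
set -eu

# Step 1: verify the artifact. With --status, sha256sum prints nothing and
# reports the result only through its exit code (0 is the "docker.zip: OK" case).
verify_artifact() {
    (cd "$1" && sha256sum --check --status docker.zip.sha256sum.txt)
}

# Step 2: unpack, load the image and stage the configuration directory.
# Stops before touching unzip or Docker if the checksum does not match.
stage_kmaas() {
    artdir=$1; version=$2; confdir=$3
    if ! verify_artifact "$artdir"; then
        echo "docker.zip: checksum mismatch, stop and contact Stormshield" >&2
        return 1
    fi
    unzip -q "$artdir/docker.zip" -d "$artdir/unpacked"
    docker load --input "$artdir/unpacked/stormshield-kmaas-${version}.tar"

    # Dedicated directory with the templates renamed as the page requires.
    # keks.json holds key encryption keys, so keep it readable by the owner only.
    mkdir -p "$confdir"
    cp "$artdir/unpacked/config.json.template" "$confdir/config.json"
    cp "$artdir/unpacked/keks.json.template"   "$confdir/keks.json"
    chmod 700 "$confdir"
    chmod 600 "$confdir/config.json" "$confdir/keks.json"
}

# Step 3: run one instance with the configuration directory bind-mounted
# read-only. The hardening flags follow the spirit of ANSSI-FT-082 (no new
# privileges, no capabilities); re-add a capability only if the service needs it.
run_kmaas() {
    version=$1; confdir=$2
    docker run -d --name stormshield-kmaas \
        --security-opt no-new-privileges \
        --cap-drop ALL \
        --mount type=bind,src="$confdir",dst=/etc/kmaas,readonly \
        "stormshield-kmaas:${version}"
}

# Usage: ./stage-kmaas.sh <artifact-dir> <version> <config-dir>
if [ "$#" -eq 3 ]; then
    stage_kmaas "$1" "$2" "$3"
    run_kmaas "$2" "$3"
fi
```

Because the check is done on exit status rather than by reading the printed line, the script behaves the same whether or not --status is used, and a tampered or truncated docker.zip never reaches `docker load`.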