This guide describes how to set up a Thales eToken Fusion with k8s-kms-plugin in a non-production environment.
🚧 Work in progress
Unless otherwise specified, the commands from this guide were tested on AlmaLinux 9.6 on an x86_64 platform.
```shell
cat /etc/os-release
```

```
NAME="AlmaLinux"
VERSION="9.6 (Sage Margay)"
ID="almalinux"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.6"
PLATFORM_ID="platform:el9"
PRETTY_NAME="AlmaLinux 9.6 (Sage Margay)"
ANSI_COLOR="0;34"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:almalinux:almalinux:9::baseos"
HOME_URL="https://almalinux.org/"
DOCUMENTATION_URL="https://wiki.almalinux.org/"
BUG_REPORT_URL="https://bugs.almalinux.org/"
ALMALINUX_MANTISBT_PROJECT="AlmaLinux-9"
ALMALINUX_MANTISBT_PROJECT_VERSION="9.6"
REDHAT_SUPPORT_PRODUCT="AlmaLinux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.6"
SUPPORT_END=2032-06-01
```

Generate an RSA 2048-bit key pair on the token (the token label, PIN and key ID below are the values used throughout this guide; adjust them to your token):

```shell
sudo pkcs11-tool \
  --module /usr/lib64/pkcs11/libeTPkcs11.so \
  --token-label "My Token" \
  --login --pin "0000000000" \
  --label rsakey \
  --id 1212abab \
  --keypairgen \
  --key-type rsa:2048
```

List objects:

```shell
sudo pkcs11-tool \
  --module /usr/lib64/pkcs11/libeTPkcs11.so \
  --login --pin "0000000000" \
  --token-label "My Token" \
  --list-objects
```

```
Public Key Object; RSA 2048 bits
  label:      rsa00eToken
  ID:         1212abab
  Usage:      encrypt, verify, wrap
  Access:     local
  uri:        pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=1FE250E4F7CD47D9;token=My%20Token;id=%1212abab;object=rsa00eToken;type=public
Private Key Object; RSA
  label:      rsa00eToken
  ID:         1212abab
  Usage:      decrypt, sign, unwrap
  Access:     sensitive, always sensitive, never extractable, local
  uri:        pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=1FE250E4F7CD47D9;token=My%20Token;id=%1212abab;object=rsa00eToken;type=private
```

Start k8s-kms-plugin, pointing it at the PKCS#11 module, token label and key ID from the previous steps:

```shell
sudo k8s-kms-plugin \
  serve \
  --log-level=trace \
  --socket /run/user/1000/k8s-kms-plugin.sock \
  --p11-lib /usr/lib64/pkcs11/libeTPkcs11.so \
  --p11-label "My Token" \
  --p11-pin "0000000000" \
  --p11-key-id 1212abab \
  --algorithm rsa-oaep
```

You can validate that encryption and decryption are working by using `grpcurl-roundtrip-test.sh`.
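Before starting the plugin it is worth confirming that the key it will be handed is a private key under the expected ID and that the token marks it sensitive and never extractable. The pre-flight check below is an added example, not code from this guide or from the k8s-kms-plugin project; it parses the `pkcs11-tool --list-objects` output format shown above and uses a constructed copy of that listing so it runs without a token.

```shell
#!/bin/sh
# Pre-flight check for the key handed to k8s-kms-plugin. Added example, not part
# of k8s-kms-plugin or the Thales tooling. It assumes the "--list-objects" output
# format shown in this guide and checks that a Private Key Object with the given
# CKA_ID exists and is marked "sensitive" and "never extractable".

# Constructed sample, copied from the listing in this guide, so the check runs offline.
SAMPLE_LISTING='Public Key Object; RSA 2048 bits
  label:      rsa00eToken
  ID:         1212abab
  Usage:      encrypt, verify, wrap
  Access:     local
Private Key Object; RSA
  label:      rsa00eToken
  ID:         1212abab
  Usage:      decrypt, sign, unwrap
  Access:     sensitive, always sensitive, never extractable, local'

# Constructed counter-example: a private key the token would allow to be exported.
WEAK_LISTING='Private Key Object; RSA
  label:      weakkey
  ID:         1212abab
  Usage:      decrypt, sign, unwrap
  Access:     local'

# check_private_key LISTING KEY_ID
# Prints "ok" and returns 0 when LISTING contains a Private Key Object whose ID
# equals KEY_ID and whose Access line contains "sensitive" and "never extractable".
# Otherwise prints the reason and returns 1.
check_private_key() {
    printf '%s\n' "$1" | awk -v id="$2" '
        /^[A-Za-z ]+ Object;/ { in_priv = ($0 ~ /^Private Key Object;/); id_ok = 0; next }
        in_priv && $1 == "ID:" && $2 == id { id_ok = 1; next }
        in_priv && id_ok && $1 == "Access:" {
            found = 1
            if ($0 ~ /never extractable/ && $0 ~ /sensitive/) ok = 1
        }
        END {
            if (!found) { print "no private key with ID " id; exit 1 }
            if (!ok)    { print "private key " id " is extractable or not sensitive"; exit 1 }
            print "ok"
        }'
}

# Live use: feed the real listing from the token instead of the sample.
# check_private_key "$(sudo pkcs11-tool --module /usr/lib64/pkcs11/libeTPkcs11.so \
#     --login --pin "0000000000" --token-label "My Token" --list-objects)" 1212abab
```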
