Configuration
Docker deployments use three configuration layers.
| Layer | Location | Purpose | Changed via |
|---|---|---|---|
| Bootstrap | .env | Settings required before unseal | Edit .env, then restart |
| Public runtime config | HSM-stored config | Runtime settings that are not secrets | Key Manager |
| Runtime secrets | HSM-stored secrets | Tokens, passwords, and client secrets | Key Manager |
1. Bootstrap
Use .env only for pre-unseal settings.
Common variables
| Variable | Purpose |
|---|---|
| TSB_API_URL | TSB API base URL |
| TSB_ACCESS_TOKEN | TSB bearer token |
| TSB_VERIFY_TLS | TSB TLS verification |
| TSB_TIMEOUT | TSB request timeout |
| AUTH_PROVIDER | Bootstrap authentication mode |
| APP_SKENC_PATH | sk-app.enc path inside the container |
| SEAL_ENVELOPE_PATH | seal.enc path inside the container |
| SEAL_WRAPPER_KEY_LABEL | HSM wrapping key label |
| KMS_AUTO_INIT | Auto-initialize on first start |
| *_HTTP_PORT | Host port mapping |
| LOG_LEVEL | Pre-unseal log level |
| CORS_ALLOWED_ORIGINS | Pre-unseal CORS allowlist |
| IMAGE_REGISTRY | Image registry |
| IMAGE_TAG | Image tag |
On-prem TSB
On-prem deployments also write the following variables:
- TSB_HSM_HOST
- TSB_HSM_PORT
- TSB_HSM_USERNAME
- TSB_HSM_SETUP_PASSWORD
- TSB_HSM_PROXY_USERNAME
- TSB_HSM_PROXY_PASSWORD
- TSB_HSM_ENCRYPTION_PASSWORD
2. Public Runtime Config
Configure these in the Key Manager after unseal:
- Session and JWT settings
- Login and MFA settings
- OAuth provider parameters
- SMTP and notification settings
- Syslog settings
- Audit log settings
- Module configuration such as KMIP or MCP-backed features
3. Runtime Secrets
Warning: Store secret values in the Key Manager, not in .env.
Example secrets:
- Rotated TSB_ACCESS_TOKEN
- OAuth client secrets
- SMTP password
- Audit signing password
- API keys used by enabled modules
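The layering rule above (bootstrap settings in .env, runtime secrets only in the Key Manager) is easy to break during an upgrade or a quick fix. The following Python script is an added example, not part of the product or its documentation: it parses a .env file and reports any variable that is not one of the bootstrap variables listed on this page but looks like a secret. The allowlist is taken from the tables above and is an assumption (a real deployment may accept more variables); the name fragments used to spot secrets, and the sample .env content, are constructed for the example.

```python
import re

# Bootstrap variables this page lists as legitimate .env content
# (assumption: copied from the tables above; a deployment may accept more).
BOOTSTRAP_VARS = {
    "TSB_API_URL", "TSB_ACCESS_TOKEN", "TSB_VERIFY_TLS", "TSB_TIMEOUT",
    "AUTH_PROVIDER", "APP_SKENC_PATH", "SEAL_ENVELOPE_PATH",
    "SEAL_WRAPPER_KEY_LABEL", "KMS_AUTO_INIT", "LOG_LEVEL",
    "CORS_ALLOWED_ORIGINS", "IMAGE_REGISTRY", "IMAGE_TAG",
    # On-prem TSB variables
    "TSB_HSM_HOST", "TSB_HSM_PORT", "TSB_HSM_USERNAME",
    "TSB_HSM_SETUP_PASSWORD", "TSB_HSM_PROXY_USERNAME",
    "TSB_HSM_PROXY_PASSWORD", "TSB_HSM_ENCRYPTION_PASSWORD",
}
# The table's wildcard entry "*_HTTP_PORT" covers any host port mapping.
HTTP_PORT_SUFFIX = "_HTTP_PORT"

# Name fragments that usually mark a runtime secret (assumption, not exhaustive).
SECRET_HINTS = ("PASSWORD", "PASSWD", "SECRET", "API_KEY", "TOKEN")

# KEY=VALUE with optional leading "export"; values may be quoted.
LINE_RE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")


def parse_env(text):
    """Parse .env text into an ordered list of (name, value) pairs.

    Blank lines and '#' comments are skipped; matching surrounding
    quotes are removed from the value.
    """
    pairs = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line; a stricter linter could report it
        name, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        pairs.append((name, value))
    return pairs


def is_bootstrap_var(name):
    """True if the page lists the variable as pre-unseal bootstrap config."""
    return name in BOOTSTRAP_VARS or name.endswith(HTTP_PORT_SUFFIX)


def looks_like_secret(name):
    """Heuristic: does the variable name suggest a secret value?"""
    return any(hint in name for hint in SECRET_HINTS)


def audit_env(text):
    """Classify non-bootstrap variables found in .env text.

    Returns {"misplaced_secrets": [...], "unknown": [...]}: secrets that
    belong in the Key Manager, and variables the page does not document
    (worth a manual look, but not flagged as secrets).
    """
    report = {"misplaced_secrets": [], "unknown": []}
    for name, _value in parse_env(text):
        if is_bootstrap_var(name):
            continue
        if looks_like_secret(name):
            report["misplaced_secrets"].append(name)
        else:
            report["unknown"].append(name)
    return report


# Constructed sample .env, not a real deployment file.
SAMPLE_ENV = """\
# constructed sample
TSB_API_URL=https://tsb.example.internal
TSB_ACCESS_TOKEN="placeholder-bootstrap-token"
KMS_AUTO_INIT=true
KM_HTTP_PORT=8443
export LOG_LEVEL=info
SMTP_PASSWORD=should-live-in-key-manager
OAUTH_CLIENT_SECRET='also-misplaced'
SMTP_HOST=mail.example.internal
"""

if __name__ == "__main__":
    result = audit_env(SAMPLE_ENV)
    for name in result["misplaced_secrets"]:
        print(f"MOVE TO KEY MANAGER: {name}")
    for name in result["unknown"]:
        print(f"UNDOCUMENTED, REVIEW: {name}")
```

Run it against a real .env (for example by reading the file into `audit_env`) before restarting the containers; anything reported under "misplaced secrets" should be removed from .env and entered in the Key Manager once the deployment is unsealed. The allowlist is deliberately strict: an undocumented variable is reported for review rather than silently accepted.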