Install With Docker
In this section, you will deploy the Securosys Key Manager as a Docker container using Docker Compose.
The installer asks only for the bootstrap values needed to start the stack and reach TSB. Runtime settings such as OAuth, TOTP, and notifications are configured in the Key Manager UI after installation.
Short Path
- Linux
  curl -fsSL https://dlarea.securosys.com/software/kms/install.sh | bash
- macOS (Homebrew Bash)
  curl -fsSL https://dlarea.securosys.com/software/kms/install.sh | /opt/homebrew/bin/bash
- Windows PowerShell
  irm https://dlarea.securosys.com/software/kms/install.ps1 | iex
- Offline (Linux)
  The following command downloads the Docker images as tar files for later offline installation.
  curl -fsSL https://dlarea.securosys.com/software/kms/install.sh | bash -s -- fetch-resources-for-offline-installation
  Copy the files to the target host and run:
  OFFLINE=true ./install.sh
You can rerun the installer to apply configuration changes, regenerate the compose files, or update the deployment flow.
Prerequisites
- Docker Engine and Docker Compose plugin
- Access to the Securosys image registry
- Empty or dedicated installation directory
- For Cloud TSB: enable TSB_API_URL and TSB_ACCESS_TOKEN
- For On-prem TSB: HSM host, JCE port, Partition name, Partition setup password
Once you begin, the installer will prompt you to answer several setup and configuration questions.
TSB Setup Modes
Early in the installation, the installer branches into one of two TSB setup modes. Each mode requires different inputs, as outlined below.
| TSB Mode | Installer input |
|---|---|
| Cloud | TSB Access URL, Valid TSB access token (JWT) |
| On-prem | HSM host, JCE port, Partition name and Partition setup password |
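A preflight check for the prerequisites and TSB inputs listed above, as an added example that is not part of the Securosys installer. It assumes the inputs are exported as environment variables for this check only; HSM_HOST, JCE_PORT and PARTITION_NAME are hypothetical names chosen here.

```bash
# Added preflight sketch; not part of the Securosys installer.
# Assumption: inputs are exported as environment variables for this check only.
# HSM_HOST, JCE_PORT and PARTITION_NAME are hypothetical names for this example.

# Compact JWT shape only (three non-empty base64url segments); no signature check.
is_jwt_shaped() {
  case "$1" in *[!A-Za-z0-9._-]*) return 1 ;; esac
  printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$'
}

is_https_url() {  # the access token is sent to this URL, so require TLS
  printf '%s\n' "$1" | grep -Eq '^https://[^/[:space:]]+'
}

is_valid_port() {  # integer in 1..65535
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

dir_is_empty_or_absent() {
  [ ! -e "$1" ] || { [ -d "$1" ] && [ -z "$(ls -A "$1" 2>/dev/null)" ]; }
}

have_docker_compose() {  # Docker Engine plus the Compose plugin
  command -v docker >/dev/null 2>&1 && docker compose version >/dev/null 2>&1
}

check_tsb_inputs() {  # cloud|onprem; names each bad input, never prints its value
  tsb_rc=0
  case "$1" in
    cloud)
      is_https_url "${TSB_API_URL:-}" || { echo "TSB_API_URL: not an https URL"; tsb_rc=1; }
      is_jwt_shaped "${TSB_ACCESS_TOKEN:-}" || { echo "TSB_ACCESS_TOKEN: not JWT-shaped"; tsb_rc=1; } ;;
    onprem)
      [ -n "${HSM_HOST:-}" ] || { echo "HSM_HOST: empty"; tsb_rc=1; }
      is_valid_port "${JCE_PORT:-}" || { echo "JCE_PORT: not a port number"; tsb_rc=1; }
      [ -n "${PARTITION_NAME:-}" ] || { echo "PARTITION_NAME: empty"; tsb_rc=1; } ;;
    *) echo "mode must be cloud or onprem"; tsb_rc=2 ;;
  esac
  return "$tsb_rc"
}

preflight() {  # usage: preflight cloud|onprem INSTALL_DIR
  pf_rc=0
  have_docker_compose || { echo "docker or the Compose plugin is missing"; pf_rc=1; }
  dir_is_empty_or_absent "$2" || { echo "$2: exists and is not empty"; pf_rc=1; }
  check_tsb_inputs "$1" || pf_rc=1
  return "$pf_rc"
}
```

Source the file and call preflight with the TSB mode and the intended installation directory; a non-zero status means at least one listed item needs attention before running the installer.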
Service Selection
During installation, you can choose which optional services to deploy.
- Minimum services (installed by default): envoy, dashboard, auth, keycore
- Optional services (no additional license required): mcp, discovery, compliance
- Optional services (additional license required): kmip
You can change the optional service selection later in the Key Manager UI, in the Administration Add-ons or Subscriptions section, depending on your needs.
Result
Once the installer completes, it has:
- Created the keymanager/keymanager.ps1 script to run operation tasks on the KMS
- Created the .env, docker-compose.yml, and envoy.yaml configuration files
- Pulled the required images
- Automatically started the Docker stack
- Printed the gateway URL, usually https://localhost:8443
Continue with Operations.