Error: kesconf: no keystore specified #499

Closed
harshguptaserver opened this issue Jan 2, 2025 · 3 comments
@harshguptaserver

Cannot start the KES server following the public documentation as mentioned here: https://min.io/docs/kes/tutorials/getting-started/

Expected behavior

In step 5 "Start KES Server", the server should start after running the command:

kes server --config config.yml

Observed behavior

The kes server does not start and gives the following error:

~/tmp/minio_kes$ ./kes server --config config.yml 
Error: kesconf: no keystore specified

Additional context

Following is additional helpful information:

kes server:

~/tmp/minio_kes$ ./kes -v
Version    2024-12-30T17-40-21Z   commit=4945c0993cb65a78c00e692b9bf19a1290a632ce
Runtime    go1.23.4 linux/amd64   compiler=gc
License    AGPLv3                 https://www.gnu.org/licenses/agpl-3.0.html
Copyright  2015-2025 MinIO Inc.   https://min.io

Commands used for replication:

wget https://github.com/minio/kes/releases/latest/download/kes-linux-amd64
chmod +x kes-linux-amd64 
mv kes-linux-amd64 kes
./kes identity new --ip "127.0.0.1" --key "private.key" --cert "public.crt" localhost
./kes identity new --key=client.key --cert=client.crt MyApp
./kes identity of client.crt
vi config.yml

config.yml

~/tmp/minio_kes$ cat config.yml 
address: 0.0.0.0:7373 # Listen on all network interfaces on port 7373
admin:
  identity: b718<MASKED>f3fae # The client.crt identity
tls:
  key: private.key    # The KES server TLS private key
  cert: public.crt    # The KES server TLS certificate

error:

~/tmp/minio_kes$ ls
client.crt  client.key  config.yml  kes  private.key  public.crt

~/tmp/minio_kes$ ./kes server --config config.yml 
Error: kesconf: no keystore specified

@shtripat
Contributor

shtripat commented Jan 2, 2025

A sample config file would look like

address: 0.0.0.0:7373 # Listen on all network interfaces on port 7373

admin:
  identity: disabled  # We disable the admin identity since we don't need it in this guide 
   
tls:
  key: private.key    # The KES server TLS private key
  cert: public.crt    # The KES server TLS certificate
   
policy:
  my-app: 
    allow:
    - /v1/key/create/my-key*
    - /v1/key/generate/my-key*
    - /v1/key/decrypt/my-key*
    identities:
    - 02ef5321ca409dbc7b10e7e8ee44d1c3b91e4bf6e2198befdebee6312745267b # Use the identity of your client.crt
   
keystore:
   vault:
     endpoint: https://127.0.0.1:8200
     version:  v1 # The K/V engine version - either "v1" or "v2".
     approle:
       id:     "" # Your AppRole ID
       secret: "" # Your AppRole Secret
       retry:  15s
     status:
       ping: 10s
     tls:
       ca: vault.crt # Manually trust the vault certificate since we use self-signed certificates

In your case, the entry for keystore actually seems to be missing.
Say, for HashiCorp Vault KMS as the backend, you can refer to https://github.com/minio/kes/wiki/Hashicorp-Vault-Keystore for more details.

@harshguptaserver
Author

Thank you @shtripat for the quick response. I am able to run the service now.

I was able to fix it by using the following config:

address: 0.0.0.0:7373 # Listen on all network interfaces on port 7373
admin:
  identity: b.....ae # The client.crt identity
tls:
  key: private.key    # The KES server TLS private key
  cert: public.crt    # The KES server TLS certificate
    
keystore:
  fs:
    path: ./keys


QQ: Apart from HashiCorp Vault, are there any other free, open-source and self-hosted KMS services supported? More open-source KMS support would be appreciated.

It would have been helpful if this was called out in the official documentation that I was following: https://min.io/docs/kes/tutorials/getting-started/

  • as someone running it for the first time would be following the link as it is and would face the same error.

@klauspost
Contributor

QA: Supported keystores are listed here: https://github.com/minio/kes/wiki#supported-kms-targets
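
The failure discussed in this thread can be caught before `kes server` is started. The script below is an added example, not part of the thread or of the KES project: it reports which backend is nested under the top-level `keystore:` key of a config file, or fails if there is none. The function name `kes_keystore_backend` and both sample configs are constructed for illustration, and the check assumes block-style YAML like the configs posted above.

```shell
#!/usr/bin/env bash
# Pre-flight check for "kesconf: no keystore specified" (added example).
# Prints the first key nested under the top-level `keystore:` section.
# Exit status: 0 backend found, 1 section missing or empty, 2 file unreadable.
# Assumption: block-style YAML like the configs in this thread.
kes_keystore_backend() {
  [ -r "$1" ] || return 2
  awk '
    /^[ \t]*(#|$)/     { next }               # ignore comments and blank lines
    /^keystore:/       { in_ks = 1; next }    # top-level keystore section starts
    in_ks && /^[^ \t]/ { exit }               # another top-level key: section was empty
    in_ks && /^[ \t]+[A-Za-z0-9_-]+:/ {       # first nested key names the backend
      sub(/^[ \t]+/, ""); sub(/:.*/, ""); print; found = 1; exit
    }
    END { exit !found }
  ' "$1"
}

demo_dir=$(mktemp -d) && trap 'rm -rf "$demo_dir"' EXIT
# Constructed samples: one config without a keystore, one with the fs backend.
cat > "$demo_dir/broken.yml" <<'EOF'
address: 0.0.0.0:7373
admin:
  identity: disabled
tls:
  key: private.key
  cert: public.crt
EOF
cat > "$demo_dir/fixed.yml" <<'EOF'
address: 0.0.0.0:7373
tls:
  key: private.key
  cert: public.crt

keystore:
  # filesystem backend, as in the working config
  fs:
    path: ./keys
EOF
for f in broken fixed; do
  if backend=$(kes_keystore_backend "$demo_dir/$f.yml"); then
    echo "$f.yml: keystore backend '$backend'"
  else
    echo "$f.yml: no keystore backend configured"
  fi
done
```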
