Deploying the Confidencial Key Server in your environment
PreviousCreating a Cognito user pool to enable S3 bucket access via IDP credentialsNextConfiguring an AWS Elastic Container Service (ESC) instance
Last updated
Last updated
ℹ️ These instructions cover how to provision the Confidencial Key Server (CKS) in your server hosting environment and include the following primary steps:
Instantiate a MySQL database to serve as the CKS DB. There are multiple options to host the CKS DB, including:
An existing MySQL server
A MySQL server running in a Docker container
A MySQL server running in an AWS Relational Database Service (RDS) instance
ℹ️ The CKS DB instance must be accessible from the CKS web server, which you will configure in the subsequent sections of this document.
Once your CKS DB instance is running, create a database within the server. Do this by logging in to your MySQL DB server and executing the command below.
Replace dbname in the command above with the name you wish to use for the CKS DB
After the DB has been created, make sure you create a DB account that has full access to the database (the ability to create and alter tables and the ability to read data from and write data to tables). This can be done by executing the MySQL command below.
Replace dbname with the DB name you assigned and replace username with the user name of the DB account to which you want to grant full access
Obtain a token to access Confidencial’s container registry using the ID and secret provided by Confidencial. Replace <your key ID> and <your secret> in the shell commands below with the Confidencial-provided ID and secret, respectively. Execute the commands below.
➡️ Executing the commands above will result in the CKS docker image being pulled into your current directory. You will now proceed to push this image to your preferred container hosting environment (described in the next section).
Push the CKS container image to your container hosting environment. There are multiple options for hosting docker images, including:
A Kubernetes cluster
AWS’s Elastic Container Service (ECS)
Within an AWS Elastic Compute Cloud (EC2) instance
⚠️ Note that values for `KNEX_USER`, `KNEX_PASSWORD`, and `KNEX_DB_NAME` are wrapped in single quotes. This is done to ensure that special characters and spaces are handled properly.
Launch the CKS container.
⚠️ While users in your enterprise need to be able to reach the CKS web server (port 443) from their client machines, users do not need direct access the the CKS DB. The CKS DB need only be accessible from the CKS web server.
⚠️ You may choose to make the CKS web server available outside your enterprise’s firewall. This permits users to use Confidencial from external networks without the use of a VPN. However, doing so increases the exposure of the CKS, making it more susceptible to attack.
Configure your container hosting environment to route inbound requests from port 443 (TLS) of an enterprise-accessible URI to port 8000 of the CKS web server container.
✅ This completes your portion of CKS set up. Confidencial will ask you to provide the URI of the CKS web server to complete the deployment.
ℹ️ The CKS requires users to authenticate using credentials provided by your enterprise identity provider (IDP). Follow the link below to register the CKS as an application within your IDP.
✅ This completes your portion of CKS set up. Confidencial will ask you to provide the URI of the CKS web server to complete the deployment.
➡️ Next, Confidencial will provide you with a script to create the necessary tables and relationships in the database. This is referred to as a database migration. See
If not already installed, download the
ℹ️ If you are hosting your own AWS container registry (AWS ECR), see for how to push the pulled key server image to your registry
Set the following environment variables for the CKS container. Replace <your DB URI>, <your DB port>, <your DB username>, <your DB password>, and <your DB name> with the values necessary to connect to the database instantiated .