# MinKMS RELEASE.2026-04-09T16-36-52Z

Released: 2026-04-10

This release adds Entrust KeyControl as a new HSM backend, giving operators an additional enterprise-grade hardware security module option alongside HashiCorp Vault. It also upgrades the Go toolchain to v1.26.2 to address two standard library security vulnerabilities.

---

## Downloads

### Binary Downloads

| Platform | Architecture | Download                                                                                                     |
| -------- | ------------ | ------------------------------------------------------------------------------------------------------------ |
| Linux    | amd64        | [minkms.RELEASE.2026-04-09T16-36-52Z](https://dl.min.io/aistor/minkms/release/linux-amd64/archive/minkms.RELEASE.2026-04-09T16-36-52Z)           |
| Linux    | arm64        | [minkms.RELEASE.2026-04-09T16-36-52Z](https://dl.min.io/aistor/minkms/release/linux-arm64/archive/minkms.RELEASE.2026-04-09T16-36-52Z)           |
| macOS    | amd64        | [minkms.RELEASE.2026-04-09T16-36-52Z](https://dl.min.io/aistor/minkms/release/darwin-amd64/archive/minkms.RELEASE.2026-04-09T16-36-52Z)          |
| macOS    | arm64        | [minkms.RELEASE.2026-04-09T16-36-52Z](https://dl.min.io/aistor/minkms/release/darwin-arm64/archive/minkms.RELEASE.2026-04-09T16-36-52Z)          |
| Windows  | amd64        | [minkms.exe.RELEASE.2026-04-09T16-36-52Z](https://dl.min.io/aistor/minkms/release/windows-amd64/archive/minkms.exe.RELEASE.2026-04-09T16-36-52Z) |

### FIPS Binaries

| Platform | Architecture | Download                                                                                                           |
| -------- | ------------ | ------------------------------------------------------------------------------------------------------------------ |
| Linux    | amd64        | [minkms.RELEASE.2026-04-09T16-36-52Z.fips](https://dl.min.io/aistor/minkms/release/linux-amd64/archive/minkms.RELEASE.2026-04-09T16-36-52Z.fips) |

Each binary also has `.sha256sum`, `.minisig`, and `.asc` signature files available at the same path.

### Container Images

```bash
# Standard
docker pull quay.io/minio/aistor/minkms:RELEASE.2026-04-09T16-36-52Z
podman pull quay.io/minio/aistor/minkms:RELEASE.2026-04-09T16-36-52Z

# FIPS
docker pull quay.io/minio/aistor/minkms:RELEASE.2026-04-09T16-36-52Z.fips
podman pull quay.io/minio/aistor/minkms:RELEASE.2026-04-09T16-36-52Z.fips
```

---

## Security Updates

- **Go v1.26.2 toolchain upgrade** fixes two standard library vulnerabilities (#209):
  - [GO-2026-4864](https://pkg.go.dev/vuln/GO-2026-4864): TOCTOU race condition in `Root.Chmod` (`os`, `internal/syscall/unix`) permits root escape (Linux only)
  - [GO-2026-4865](https://pkg.go.dev/vuln/GO-2026-4865): `JsBraceDepth` context tracking bug in `html/template` enables XSS

  **Upgrade recommended for all deployments**, especially those running on Linux.
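
To confirm after a rolling upgrade that a node's binary was built with the patched toolchain, the Go version embedded in the executable can be read back. This is an added example, not part of the MinKMS release or its tooling; the program name `checktoolchain`, the `minFixed` constant and the function names are assumptions made for illustration.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"go/version"
	"os"
	"strings"
)

// minFixed is the toolchain version these release notes name as carrying the fixes.
const minFixed = "go1.26.2"

// toolchainFixed reports whether a Go version string, as embedded in a binary,
// is at least minFixed. Anything that does not parse is treated as not fixed.
func toolchainFixed(goVersion string) bool {
	fields := strings.Fields(goVersion) // keep only the version token
	if len(fields) == 0 || !version.IsValid(fields[0]) {
		return false
	}
	return version.Compare(fields[0], minFixed) >= 0
}

// checkBinary reads the build info embedded in the executable at path and
// returns its toolchain version and whether that version is fixed.
func checkBinary(path string) (string, bool, error) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", false, fmt.Errorf("read build info from %s: %w", path, err)
	}
	return info.GoVersion, toolchainFixed(info.GoVersion), nil
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: checktoolchain /path/to/minkms")
		os.Exit(2)
	}
	v, ok, err := checkBinary(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	fmt.Printf("%s built with %s, fixed=%t\n", os.Args[1], v, ok)
	if !ok {
		os.Exit(1) // non-zero exit lets an upgrade script stop on an unpatched node
	}
}
```

Run it against the installed binary on each node; exit status 1 means the binary predates the fixed toolchain, and 2 means the build info could not be read.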

---

## New Features

- **Entrust KeyControl HSM support** — MinKMS can now use Entrust KeyControl as a hardware security module for sealing and unsealing on-disk state, providing an alternative to HashiCorp Vault (#208). KeyControl integration uses Application Security Vaults with username/password authentication via the KeyControl REST API. Configure it in your server config:

  ```yaml
  hsm:
    entrust:
      keycontrol:
        server: https://10.1.2.3
        vault: "<vault-uuid>"
        key: "<symmetric-key-name>"
        username: "<username>"
        password: "<password>"
  ```

  MinKMS requires `Encrypt`, `Decrypt`, and `Get Keys List` permissions on the KeyControl vault. See the [HSM documentation](https://docs.min.io/enterprise/aistor-key-manager) for full setup instructions.

---

## Security & Compliance

### Software Bill of Materials (SBOM)

This release includes comprehensive SBOM documentation in multiple formats:

- [SPDX JSON](sbom-RELEASE.2026-04-09T16-36-52Z.spdx.json) - Standard SBOM format
- [CycloneDX JSON](sbom-RELEASE.2026-04-09T16-36-52Z.cyclonedx.json) - Security scanner compatible
- [Go Modules](go-modules-RELEASE.2026-04-09T16-36-52Z.txt) - Human-readable dependency list

SBOM files document all direct and transitive dependencies for security auditing and compliance requirements.

---

## Upgrade Instructions

MinKMS supports rolling upgrades. Upgrade one node at a time, starting with followers:

1. Stop the follower node
2. Replace the `minkms` binary
3. Start the node and wait for it to rejoin the cluster
4. Repeat for remaining followers
5. Upgrade the leader node last

**Important**: Write operations require all nodes to be available. Plan a brief maintenance window for the leader upgrade.

### New Configuration Options

- `hsm.entrust.keycontrol.server` — Entrust KeyControl server URL
- `hsm.entrust.keycontrol.vault` — Application Security Vault UUID
- `hsm.entrust.keycontrol.key` — Symmetric encryption key name
- `hsm.entrust.keycontrol.username` — Vault user name
- `hsm.entrust.keycontrol.password` — Vault user password

### Support

For enterprise support:

- SUBNET Support: https://subnet.min.io
- Documentation: https://docs.min.io
