Skip to main content

Platform settings

Key management

The Key management settings section offers configuration options for the Key Management Service (KMS) information needed to seal and unseal secrets used by Otomi. Otomi needs at least one key. It needs one for encrypting/decrypting the otomi-values repo, and one for sealing/unsealing Vault storage.


  • When omitting KMS credentials for SOPS, the secrets in the otomi-values repo will be stored in plain text
  • When omitting KMS credentials for Vault, on startup it will generate its own k8s secret for sealing/unsealing, so be careful not to remove it!

It is advised to provide credentials to an external stable KMS (such as from the cloud the cluster was deployed in), so that unseal keys can always be managed from one central location. The same credentials can be used for both SOPS and Vault.