# MinKMS RELEASE.2026-05-20T12-12-28Z

Released: 2026-05-20

This release closes an authorization gap in policy-scoped key listings, hardens HSM/Vault integration when using non-default transit namespaces, and resolves several concurrency and recovery bugs in the storage and cluster layers. Operators running MinKMS in production are encouraged to upgrade — particularly those relying on prefix-scoped policies or Vault HSM with namespaces.

---

## Downloads

### Binary Downloads

| Platform | Architecture | Download                                                                                                                                          |
| -------- | ------------ | ------------------------------------------------------------------------------------------------------------------------------------------------- |
| Linux    | amd64        | [minkms.RELEASE.2026-05-20T12-12-28Z](https://dl.min.io/aistor/minkms/release/linux-amd64/archive/minkms.RELEASE.2026-05-20T12-12-28Z)             |
| Linux    | arm64        | [minkms.RELEASE.2026-05-20T12-12-28Z](https://dl.min.io/aistor/minkms/release/linux-arm64/archive/minkms.RELEASE.2026-05-20T12-12-28Z)             |
| macOS    | amd64        | [minkms.RELEASE.2026-05-20T12-12-28Z](https://dl.min.io/aistor/minkms/release/darwin-amd64/archive/minkms.RELEASE.2026-05-20T12-12-28Z)            |
| macOS    | arm64        | [minkms.RELEASE.2026-05-20T12-12-28Z](https://dl.min.io/aistor/minkms/release/darwin-arm64/archive/minkms.RELEASE.2026-05-20T12-12-28Z)            |
| Windows  | amd64        | [minkms.exe.RELEASE.2026-05-20T12-12-28Z](https://dl.min.io/aistor/minkms/release/windows-amd64/archive/minkms.exe.RELEASE.2026-05-20T12-12-28Z)   |

### FIPS Binaries

| Platform | Architecture | Download                                                                                                                                                |
| -------- | ------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Linux    | amd64        | [minkms.RELEASE.2026-05-20T12-12-28Z.fips](https://dl.min.io/aistor/minkms/release/linux-amd64/archive/minkms.RELEASE.2026-05-20T12-12-28Z.fips)         |

Each binary also has a `.sha256sum` checksum file and `.minisig` and `.asc` signature files available at the same path. Verify the checksum and at least one signature before deploying a binary.

### Container Images

```bash
# Standard
docker pull quay.io/minio/aistor/minkms:RELEASE.2026-05-20T12-12-28Z
podman pull quay.io/minio/aistor/minkms:RELEASE.2026-05-20T12-12-28Z

# FIPS
docker pull quay.io/minio/aistor/minkms:RELEASE.2026-05-20T12-12-28Z.fips
podman pull quay.io/minio/aistor/minkms:RELEASE.2026-05-20T12-12-28Z.fips
```

---

## Security Updates

- **Policy bypass via `ContinueAt` pagination in list requests** (#211) — A client whose policy was scoped to a specific key, identity, or policy prefix could supply a `ContinueAt` cursor naming a resource outside that prefix and paginate into resources it was not authorized to access. The cursor is client-controlled input that selects resources just as the prefix does, but only the prefix was checked against the policy. `ContinueAt` is now subject to the same policy verification as the request prefix, closing the bypass. **Operators relying on prefix-scoped policies for tenant isolation should upgrade.**
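The check behind this fix, as an added example that is not MinKMS's code: a hypothetical prefix-scoped policy and a range-scan listing in Go, shown in the vulnerable form (only `Prefix` is verified, so a `ContinueAt` that sorts before the prefix pulls in other tenants' names) and in the fixed form (the cursor must satisfy the same policy and lie inside the requested prefix). `Policy`, `ListRequest`, `store`, `prefixEnd` and the sample key names are constructed for the example; the real MinKMS types and store differ.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Policy is a hypothetical prefix-scoped policy: the caller may only touch
// names that start with one of the allowed prefixes.
type Policy struct{ Allow []string }

func (p Policy) Permits(name string) bool {
	for _, a := range p.Allow {
		if strings.HasPrefix(name, a) {
			return true
		}
	}
	return false
}

// ListRequest carries the two client-controlled names of a paginated list:
// the prefix and the cursor naming the first entry of the next page.
type ListRequest struct {
	Prefix     string
	ContinueAt string
	Limit      int
}

var ErrNotAllowed = errors.New("not allowed")

// store is a sorted slice of names standing in for the key store.
type store []string

// prefixEnd returns the smallest string greater than every string with the
// given prefix ("" = unbounded): the usual upper bound of a prefix range scan.
func prefixEnd(prefix string) string {
	b := []byte(prefix)
	for i := len(b) - 1; i >= 0; i-- {
		if b[i] < 0xff {
			b[i]++
			return string(b[:i+1])
		}
	}
	return ""
}

// scan returns up to limit names in [from, to); to == "" means no upper bound.
func (s store) scan(from, to string, limit int) []string {
	var out []string
	for i := sort.SearchStrings(s, from); i < len(s) && len(out) < limit; i++ {
		if to != "" && s[i] >= to {
			break
		}
		out = append(out, s[i])
	}
	return out
}

// listVulnerable checks only the prefix. The cursor becomes the scan's lower
// bound unchecked, so a cursor that sorts before the prefix walks through
// every name between it and the end of the prefix range.
func listVulnerable(p Policy, s store, r ListRequest) ([]string, error) {
	if !p.Permits(r.Prefix) {
		return nil, ErrNotAllowed
	}
	from := r.Prefix
	if r.ContinueAt != "" {
		from = r.ContinueAt
	}
	return s.scan(from, prefixEnd(r.Prefix), r.Limit), nil
}

// listFixed subjects the cursor to the same policy check as the prefix and
// additionally requires it to lie inside the requested prefix.
func listFixed(p Policy, s store, r ListRequest) ([]string, error) {
	if !p.Permits(r.Prefix) {
		return nil, ErrNotAllowed
	}
	from := r.Prefix
	if r.ContinueAt != "" {
		if !strings.HasPrefix(r.ContinueAt, r.Prefix) || !p.Permits(r.ContinueAt) {
			return nil, ErrNotAllowed
		}
		from = r.ContinueAt
	}
	return s.scan(from, prefixEnd(r.Prefix), r.Limit), nil
}

func main() {
	// Constructed sample: three tenants, caller scoped to tenant-b only.
	keys := store{"tenant-a/k1", "tenant-a/k2", "tenant-b/k1", "tenant-b/k2", "tenant-c/k1"}
	pol := Policy{Allow: []string{"tenant-b/"}}
	req := ListRequest{Prefix: "tenant-b/", ContinueAt: "tenant-a/k1", Limit: 10}

	names, err := listVulnerable(pol, keys, req)
	fmt.Println("vulnerable:", names, err) // leaks tenant-a/k1 and tenant-a/k2
	names, err = listFixed(pol, keys, req)
	fmt.Println("fixed:", names, err) // [] not allowed
}
```

The same rule applies to any other client-supplied name that steers a query, such as a start-after key or an opaque page token the server decodes: once it influences which rows are read, it is an authorization input and must be checked like the prefix.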

---

## Bug Fixes

### HSM / Vault

- Fixed missing `X-Vault-Namespace` header on `computeHMAC` requests when `TransitNamespace` is configured (#213). Previously the HMAC call landed in the wrong (default) namespace, causing Vault to return a permission-denied error that surfaced to users as `failed to generate private key`. Affects deployments using Vault transit with non-default namespaces, especially under Kubernetes auth.
- Fixed connection leaks in the Vault HSM client by ensuring HTTP response bodies are closed on the success path of `encrypt`, `decrypt`, and `computeHMAC` (#214).
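A minimal Vault transit HMAC call in Go, as an added example and not MinKMS's Vault HSM client, showing the two points #213 and #214 fix: the `X-Vault-Namespace` header is set whenever a namespace is configured, and the response body is closed on every return path. The fake Vault (`newFakeVault`) is constructed for the example; it keeps the transit key inside namespace `team-a` and answers a request without that header with 403 `permission denied`, which is the error the original bug surfaced. The `VaultHMAC` type, the `team-a` namespace, the key name and the token are assumptions.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// VaultHMAC is a small transit client (example code, not MinKMS's).
// Namespace, when set, is sent as X-Vault-Namespace on every request.
type VaultHMAC struct {
	Addr, Token, Namespace, Mount string
	Client                        *http.Client
}

// ComputeHMAC calls POST /v1/<mount>/hmac/<key> and returns the raw MAC bytes.
func (v VaultHMAC) ComputeHMAC(key string, input []byte) ([]byte, error) {
	body, _ := json.Marshal(map[string]string{
		"input":     base64.StdEncoding.EncodeToString(input),
		"algorithm": "sha2-256",
	})
	req, err := http.NewRequest(http.MethodPost, v.Addr+"/v1/"+v.Mount+"/hmac/"+key, bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("X-Vault-Token", v.Token)
	if v.Namespace != "" {
		req.Header.Set("X-Vault-Namespace", v.Namespace) // the header #213 adds to the HMAC path
	}
	resp, err := v.Client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close() // closed on success and failure alike (#214)
	if resp.StatusCode != http.StatusOK {
		var ve struct {
			Errors []string `json:"errors"`
		}
		_ = json.NewDecoder(resp.Body).Decode(&ve)
		return nil, fmt.Errorf("vault hmac: %s: %s", resp.Status, strings.Join(ve.Errors, "; "))
	}
	var out struct {
		Data struct {
			HMAC string `json:"hmac"`
		} `json:"data"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return nil, err
	}
	// Vault formats the result as vault:v<N>:<base64>.
	parts := strings.SplitN(out.Data.HMAC, ":", 3)
	if len(parts) != 3 || parts[0] != "vault" {
		return nil, fmt.Errorf("vault hmac: unexpected format %q", out.Data.HMAC)
	}
	return base64.StdEncoding.DecodeString(parts[2])
}

// newFakeVault is a constructed stand-in for Vault whose transit mount lives
// only in `namespace`: without that header the key is not visible and the
// request is answered with 403 permission denied.
func newFakeVault(namespace string, hmacKey []byte) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-Vault-Token") == "" || r.Header.Get("X-Vault-Namespace") != namespace {
			w.WriteHeader(http.StatusForbidden)
			_ = json.NewEncoder(w).Encode(map[string][]string{"errors": {"permission denied"}})
			return
		}
		var in struct {
			Input string `json:"input"`
		}
		if err := json.NewDecoder(r.Body).Decode(&in); err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		raw, err := base64.StdEncoding.DecodeString(in.Input)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		mac := hmac.New(sha256.New, hmacKey)
		mac.Write(raw)
		_ = json.NewEncoder(w).Encode(map[string]interface{}{
			"data": map[string]string{"hmac": "vault:v1:" + base64.StdEncoding.EncodeToString(mac.Sum(nil))},
		})
	}))
}

func main() {
	srv := newFakeVault("team-a", []byte("constructed-transit-key"))
	defer srv.Close()
	c := VaultHMAC{Addr: srv.URL, Token: "s.example", Mount: "transit", Client: srv.Client()}
	_, err := c.ComputeHMAC("minkms-hmac", []byte("hello"))
	fmt.Println("without namespace:", err) // 403 Forbidden: permission denied
	c.Namespace = "team-a"
	mac, err := c.ComputeHMAC("minkms-hmac", []byte("hello"))
	fmt.Printf("with namespace: %x %v\n", mac, err)
}
```

The permission-denied answer is indistinguishable from a token-policy problem, so when a namespaced transit call fails this way, confirm the header is present on every code path (encrypt, decrypt and HMAC alike) before touching Vault policies.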

### Cluster / Consensus

- Fixed a data race when fetching cluster status information from peers concurrently, which could cause the status of peer A to be reported as the status of peer B (#215).

### Storage

- Fixed a deadlock in the database restore handler's error recovery path (#217). If `db.Open` failed after the on-disk rename, the handler's deferred `Close` ran before the state lock was released, so `Server.Close → state.Stop` blocked forever on a lock the handler itself still held. Because that lock was never released, every subsequent operation that needed the cluster state lock hung as well.
- Fixed a `tx.Rollback` race in `DB.Reader` that could trigger a fatal `sync: RUnlock of unlocked RWMutex` panic when the reader's background `WriteTo` goroutine and `Reader.Close` both rolled back the same read-only bbolt transaction (#216). The reader now gives the goroutine sole ownership of the transaction.
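The lock-ordering mistake behind the restore deadlock (#217), reduced to a standalone Go example added here; it is not MinKMS's restore handler. `state`, `server` and the `openOK` flag standing in for `db.Open` are constructed: in `restoreBuggy` the deferred error-recovery `Close` is registered after the deferred unlock, so it runs first and `Stop` blocks on the lock the handler still holds; `restoreFixed` releases the lock before running recovery, and `finishes` detects the hang with a timeout rather than waiting forever.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// state stands in for the cluster state, guarded by one lock.
type state struct{ mu sync.Mutex }

// Stop takes the state lock; Server.Close ends up here.
func (s *state) Stop() {
	s.mu.Lock()
	defer s.mu.Unlock()
}

type server struct{ st *state }

func (srv *server) Close() { srv.st.Stop() }

var errOpen = errors.New("db.Open failed after rename")

// restoreBuggy reproduces the ordering behind the bug. The unlock is deferred
// first and the error-recovery Close second, so on failure Close runs while
// this goroutine still holds the lock that Stop needs. openOK simulates db.Open.
func restoreBuggy(srv *server, openOK bool) (err error) {
	srv.st.mu.Lock()
	defer srv.st.mu.Unlock() // registered first: runs last
	defer func() {           // registered second: runs first
		if err != nil {
			srv.Close() // Stop -> Lock on a lock this goroutine holds: blocks forever
		}
	}()
	if !openOK {
		return errOpen
	}
	return nil
}

// restoreFixed keeps the locked section self-contained and runs recovery
// only after the lock has been released.
func restoreFixed(srv *server, openOK bool) error {
	err := func() error {
		srv.st.mu.Lock()
		defer srv.st.mu.Unlock()
		if !openOK {
			return errOpen
		}
		return nil
	}()
	if err != nil {
		srv.Close() // lock already released; Stop can acquire it
	}
	return err
}

// finishes reports whether fn returns within d. false means the goroutine is
// still blocked (for the buggy path it leaks permanently, holding the lock).
func finishes(fn func(), d time.Duration) bool {
	done := make(chan struct{})
	go func() { fn(); close(done) }()
	select {
	case <-done:
		return true
	case <-time.After(d):
		return false
	}
}

func main() {
	buggy := &server{st: &state{}}
	fmt.Println("buggy restore returns on db.Open failure:",
		finishes(func() { restoreBuggy(buggy, false) }, 200*time.Millisecond)) // false
	fixed := &server{st: &state{}}
	fmt.Println("fixed restore returns on db.Open failure:",
		finishes(func() { restoreFixed(fixed, false) }, time.Second)) // true
	fmt.Println("state lock usable afterwards:", finishes(fixed.st.Stop, time.Second)) // true
}
```

The general rule: a deferred cleanup that re-enters a lock must be registered before the deferred unlock (so it runs after it), or, as here, run outside the critical section altogether. A timeout wrapper like `finishes` is also a cheap regression test for this class of bug.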

### CLI

- `minkms add-identity`, `get-identity`, and `ls-identities` exited with code 0 and printed nothing on unknown/invalid flags, making CLI failures invisible to wrapping scripts (#218). These commands now print `Error: ...` to stderr and exit with a non-zero code, matching every other subcommand.
- `minkms ls-policies` formatted single-digit days with `%d`, producing misaligned output like `5 Mar 12:34`. The date column now uses `%02d` for consistent two-digit days, matching `ls-enclave`, `ls-identity`, and `ls-key` (#218).

### Other

- Several minor robustness fixes across config, handler-kms, HSM, and crypto (#214):
  - Configuration parse errors for the HSM key now correctly reference `EnvHSMKey` instead of `EnvAPIKey`.
  - Pipelined command validation now distinguishes "read + write mix" from "multiple writes" in the returned error.
  - `createSecretKey`/`importSecretKey` error paths now include the request context in log output instead of emitting empty log lines.
  - Protobuf unmarshal errors for secret keys now log the actual rejected field values (`Type`, `Hash`) instead of the uninitialized struct.

---

## Improvements

- Bumped `golang.org/x/crypto` to v0.51.0, `golang.org/x/sys` to v0.44.0, and `golang.org/x/term` to v0.43.0 to pick up upstream fixes (#219).

---

## Security & Compliance

### Software Bill of Materials (SBOM)

This release includes comprehensive SBOM documentation in multiple formats:

- [SPDX JSON](sbom-RELEASE.2026-05-20T12-12-28Z.spdx.json) - Standard SBOM format
- [CycloneDX JSON](sbom-RELEASE.2026-05-20T12-12-28Z.cyclonedx.json) - Security scanner compatible
- [Go Modules](go-modules-RELEASE.2026-05-20T12-12-28Z.txt) - Human-readable dependency list

SBOM files document all direct and transitive dependencies for security auditing and compliance requirements.

---

## Upgrade Instructions

MinKMS supports rolling upgrades. Upgrade one node at a time, starting with followers:

1. Stop the follower node
2. Replace the `minkms` binary
3. Start the node and wait for it to rejoin the cluster
4. Repeat for remaining followers
5. Upgrade the leader node last

**Important**: Write operations require all nodes to be available, so writes are unavailable while any node is stopped for replacement. Keep each restart short and plan a brief maintenance window, particularly for the leader upgrade.

### Support

For enterprise support:

- SUBNET Support: https://subnet.min.io
- Documentation: https://docs.min.io
