Deployment
The deployment assets stay in the repository root so operators and workflows can reference stable paths:
Hardening Summary
The service runs as a dedicated openkms:openkms system user and the checked-in
unit enables hardening controls including:
- NoNewPrivileges=true
- ProtectSystem=strict
- PrivateTmp=true
- PrivateUsers=true
- MemoryDenyWriteExecute=true
- SystemCallFilter=@system-service
The YubiHSM connector runs separately and owns USB access. openKMS talks to the connector over HTTP, normally on loopback.
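One way to check a unit file against the controls listed above, as an added example that is not openKMS's own code. The sample unit text is constructed, and the User=/Group= keys are an assumed reading of the openkms:openkms account.

```python
# Added example: audit a unit file's [Service] section for the controls listed above.
# SAMPLE_UNIT is constructed for illustration; it is not openKMS's checked-in unit.
EXPECTED = {
    "User": "openkms", "Group": "openkms",  # assumed mapping of "openkms:openkms"
    "NoNewPrivileges": "true", "ProtectSystem": "strict", "PrivateTmp": "true",
    "PrivateUsers": "true", "MemoryDenyWriteExecute": "true",
    "SystemCallFilter": "@system-service",
}
TRUE_WORDS = {"1", "yes", "true", "on"}  # boolean spellings systemd accepts
SAMPLE_UNIT = """\
[Service]
User=openkms
Group=openkms
NoNewPrivileges=yes
ProtectSystem=full
PrivateTmp=true
MemoryDenyWriteExecute=true
SystemCallFilter=@system-service
SystemCallFilter=~@privileged
"""

def parse_service(text):
    """Return {key: [values]} for [Service]; an empty assignment resets the key."""
    settings, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):  # trailing backslash continues on the next line
            pending = line[:-1] + " "
        elif line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line and line[0] not in "#;":
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key] = settings.get(key, []) + [value] if value else []
    return settings

def audit(text):
    """Return sorted findings; an empty list means every expected control is set."""
    got, findings = parse_service(text), []
    for key, want in EXPECTED.items():
        values = got.get(key, [])
        if key == "SystemCallFilter":  # allow-list lines only; "~" lines are deny-lists
            ok = any(want in v.split() for v in values if not v.startswith("~"))
        elif want == "true":
            ok = bool(values) and values[-1].lower() in TRUE_WORDS
        else:
            ok = bool(values) and values[-1] == want
        if not ok:
            findings.append(f"{key}: expected {want}, found {values or 'nothing'}")
    return sorted(findings)
```

This reads one unit file only; drop-in files under the unit's .d directory can override these settings on a live host.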
Remote E2E
GitHub-hosted remote smoke tests join Tailscale first, then use
OPENKMS_BASE_URL on the tailnet. The full operator runbook is a
contributor / CI-maintainer reference and is not required for routine
operator deployment:
docs/remote-e2e.md.