Key Shard Server Deployment


The KSS is controlled via the Command Line Interface (CLI). 

Setup KSS Profile

Install and onboard Atakama on your workstation. The Atakama Profile on your workstation will be used to secure the backup key for the KSS. This Atakama Profile should have at least two mobile devices and at least five total devices (including the workstation). The more devices, the greater the redundancy for business continuity and disaster recovery purposes.

Setup KSS Backup Secure Folder

Create a Secure Folder where the KSS backup key will be stored. For redundancy, this file should be backed up to other locations. Existing data backup policies should be sufficient.

Configure the Policy

Define policies in the %localappdata%\Atakama\keyserver.yml file.

Enable the KSS

Shut down Atakama and run the following command in cmd or Powershell:

atakama keyserver create --backup-path [PATH] [--ignore-security-checks]


atakama keyserver create --backup-path %homepath%\backup-key.txt --ignore-security-checks

If an earlier version of Atakama is being used (Perplexing Puma or earlier), run this command instead:

atakama keyserver enable --backup-path [PATH] [--ignore-security-checks]


atakama keyserver enable --backup-path %homepath%\Atakama\backup-key.txt

The backup path must be within the Atakama Vault in the Secure Folder intended to secure the KSS backup key.

The setup will require a minimum threshold of three (3) devices required to approve and five (5) total devices as part of the profile unless the [--ignore-security-checks] flag is passed.

Adding, removing, or replacing keys and devices should be done via Command Line Interface. 

If it's needed, the following command can create a new KSS backup key if the previous one is lost. The [Path] section in the command should specify the file that will be created:

keyserver save-backup-key [PATH]


keyserver save-backup-key "%homepath%\backup-key.txt"

After initialization, the KSS ID should be output onto the screen. This ID is required to onboard users using the KSS.

WARNING: When using a virtualized server, do not save a KSS snapshot as a backup in case the primary KSS goes down. Atakama does not support backward compatibility in this scenario, and it could lead to loss of data. In addition, VMWare's vMotion is not supported currently as the license activation's signature will not match due to different hardware configuration.

Did you find it helpful? Yes No

Send feedback
Sorry we couldn't be helpful. Help us improve this article with your feedback.