Database Reference
The Securosys KMIP Server uses a relational database as its persistence layer. It stores object attributes and metadata, user credentials, partition configuration, and access control information.
This page describes:
- Which database systems are supported
- What the KMIP Server database is used for
- Which tables exist and what type of information they store (including data classification)
Supported Databases
The KMIP Server supports the following relational database systems:
- MySQL
- MariaDB
- PostgreSQL
Production usage
To ensure compatibility and stability of your production environment, use an LTS version that is still maintained by the respective database vendor.
Active Tables
These tables are actively used by the KMIP Server at runtime.
| Table | Description | Examples / Fields | Contains Secrets/PII? |
|---|---|---|---|
| att | Attributes associated with an object. The unique identifier is stored redundantly to allow attribute manipulation without joins to obj. | Unique Identifier, Name, Object Type, Value, Last Change Date, Object Class, Object Group | No secrets (metadata & key attributes only) |
| usr | User information including credentials (username/password and/or certificate). | username, cert (Base64), salt, hashed_password, default_obj_group | Secrets (hashed credentials); PII possible (certificate DN data) |
| part | Partition information. The database can be logically partitioned, enabling separate administration of KMIP users and server administrative users without requiring separate server instances. | name | No |
| priv | Privileges to perform specified actions, expressed as source group → target group with a named privilege. | tgt, name | No |
| grp | Group information. Users and objects can be grouped; groups can be nested. The default group is always present. | part, name | No |
| scr | Scripts represented as JavaScript programs. | name, value, config | No |
| db_version | Schema version and migration script tracking. Checked at server start to confirm the correct schema version is in place. | version, created_at | No |
Unused Tables
The following tables exist in the schema but are not actively used by the KMIP Server in its current configuration. They remain empty or are reserved for future use or specific customer requirements.
| Table | Purpose |
|---|---|
| obj | Cryptographic objects including unique identifier and object value. Values hold KMIP TTLV-encoded hex-strings. |
| cevent | Reserved (empty) |
| chsmlog | Reserved (empty) |
| clog | Reserved |
| dual | Reserved (empty) |
| endpoint | Reserved (empty) |
| grplink | Group membership links. Unused because the group concept relies on HSM partition-level partitioning. |
| grptree | Flattened group membership tree for performance. Unused (see grplink). |
| hsm | HSM management information (empty) |
| job | Supports specific customer requirements; not used by the standard base server |
| params | Reserved (empty) |
| params_att | Reserved (empty) |
| params_grp | Reserved (empty) |
| poll | Tracks pending state changes for objects (empty) |
| state_change | Stores asynchronous results (empty) |
| ticket | Reserved (empty) |
| tkn | Authentication token management (empty) |
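The two tables above describe a documented steady state: db_version must carry the expected schema version, and the reserved tables must stay empty. The following added example (not Securosys code) turns that into a read-only drift check that an operator can run against a deployment; it assumes a DB-API 2.0 connection and uses a constructed sqlite3 stand-in, since the real server runs on MySQL, MariaDB or PostgreSQL.

```python
import sqlite3

# Tables the reference lists as reserved and empty at runtime.
# "dual" is omitted: it is a reserved word in MySQL/MariaDB, so a plain
# COUNT(*) against it is not portable across the supported databases.
RESERVED_EMPTY = (
    "cevent", "chsmlog", "endpoint", "hsm", "params", "params_att",
    "params_grp", "poll", "state_change", "ticket", "tkn",
)
# Tables the reference classifies as holding secrets or PII; these need
# the stricter handling in backups, exports and log redaction.
SENSITIVE_TABLES = ("usr",)


def reserved_table_row_counts(conn):
    """Row count per table that the reference says must stay empty."""
    cur = conn.cursor()
    counts = {}
    for table in RESERVED_EMPTY:
        # Table names come from the constant tuple above, never from input.
        cur.execute(f"SELECT COUNT(*) FROM {table}")
        counts[table] = cur.fetchone()[0]
    return counts


def unexpected_rows(conn):
    """Tables documented as empty that nevertheless contain rows (drift)."""
    return {t: n for t, n in reserved_table_row_counts(conn).items() if n}


def schema_version(conn):
    """Most recent db_version entry. Assumes the 'version' and 'created_at'
    columns named on this page and that created_at sorts chronologically."""
    cur = conn.cursor()
    cur.execute("SELECT version FROM db_version ORDER BY created_at DESC LIMIT 1")
    row = cur.fetchone()
    return row[0] if row else None


def build_demo_db():
    """Constructed sqlite3 stand-in using the table names from this page.
    Column layouts and version values here are invented for the demo."""
    conn = sqlite3.connect(":memory:")
    for table in RESERVED_EMPTY:
        conn.execute(f"CREATE TABLE {table} (id INTEGER PRIMARY KEY)")
    conn.execute("CREATE TABLE db_version (version TEXT, created_at TEXT)")
    conn.execute("INSERT INTO db_version VALUES ('1', '2024-01-01'), ('2', '2024-06-01')")
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    db.execute("INSERT INTO ticket (id) VALUES (1)")  # simulate drift
    print("schema version:", schema_version(db))
    print("tables with unexpected rows:", unexpected_rows(db))
```

A non-empty result from unexpected_rows on a production database means the schema is no longer in the state this page documents and warrants investigation before the next upgrade.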