Config Reference

All environment variables for mero-kms-phala with types, defaults, and descriptions

14 env vars, 6 config groups, 1 file pin, 2 store backends

Network

Controls the HTTP server binding and CORS configuration.

| Variable | Type | Default | Description |
| --- | --- | --- | --- |
| LISTEN_ADDR | SocketAddr | 0.0.0.0:8080 | Address and port the HTTP server binds to. In production, typically 0.0.0.0:8080 behind a load balancer. |
| CORS_ALLOWED_ORIGINS | String (CSV) | * | Comma-separated list of allowed CORS origins. Use * for development or specific domains for production (e.g. https://verify.calimero.network). |

dstack Integration

Connection to the Phala dstack runtime for key derivation and TDX quote generation.

| Variable | Type | Default | Description |
| --- | --- | --- | --- |
| DSTACK_SOCKET_PATH | PathBuf | /var/run/dstack.sock | Unix domain socket path to the dstack daemon. The KMS communicates with dstack over this socket for key derivation (derive_key) and quote generation (get_quote). |

Challenge Store

Configuration for the challenge-response protocol’s nonce store. Supports in-memory (default) or Redis backends.

| Variable | Type | Default | Description |
| --- | --- | --- | --- |
| CHALLENGE_TTL_SECS | u64 | 300 | Time-to-live for challenge nonces in seconds. After expiry, the challenge is automatically removed and cannot be used for key release. |
| MAX_PENDING_CHALLENGES | usize | 10 | Maximum number of active (unexpired) challenges per peerId. Requests beyond this limit return 429 RateLimited. Prevents resource exhaustion from a single node. |
| REDIS_URL | Option<String> | None | Redis connection URL (e.g. redis://localhost:6379). When set, the challenge store uses Redis instead of in-memory storage. Required for multi-instance KMS deployments behind a load balancer. |

Trust & Attestation

Controls attestation verification behavior. Warning: disabling enforcement is for development only.

| Variable | Type | Default | Description |
| --- | --- | --- | --- |
| ACCEPT_MOCK_ATTESTATION | bool | false | When true, accepts mock/synthetic TDX quotes that don’t require real hardware. Must be false in production. Only useful for local development without TDX hardware. |
| ENFORCE_MEASUREMENT_POLICY | bool | true | When true, all quote measurements (MRTD, RTMR0–3, TCB status) must match the attestation policy. When false, quotes are parsed but not validated against policy. Must be true in production. |

Policy Configuration

Controls how the attestation policy is sourced and validated. The policy defines which TDX measurements are acceptable.

| Variable | Type | Default | Description |
| --- | --- | --- | --- |
| MERO_KMS_VERSION | String | required | Version tag for fetching the attestation policy from GitHub releases (e.g. v0.3.0). The KMS fetches https://github.com/calimero-network/mero-tee/releases/download/{version}/policy.json. |
| MERO_KMS_PROFILE | String | required | The image profile this KMS instance is running. One of debug, debug-read-only, or locked-read-only. Used to select the correct policy variant and for RTMR3 event matching. |
| MERO_KMS_POLICY_SHA256 | Option<String> | None | Optional SHA-256 hash of the expected policy file. If set, the fetched policy is verified against this hash before use. Prevents supply-chain attacks on the policy distribution. |
| USE_ENV_POLICY | bool | false | When true, reads the policy from environment variables instead of fetching from GitHub releases. Useful for testing or air-gapped deployments. |

Key Derivation

Controls the namespace used for deterministic key derivation via dstack.

| Variable | Type | Default | Description |
| --- | --- | --- | --- |
| KEY_NAMESPACE_PREFIX | String | calimero/ | Prefix for the key derivation path. The full path is {prefix}{peerId}. Different prefixes produce different keys, enabling namespace isolation between environments. |

Image Profile Pin

A filesystem-based configuration baked into the VM image at build time.

| Path | Type | Default | Description |
| --- | --- | --- | --- |
| /etc/mero-kms/image-profile | file | set at build | A plain-text file containing the image profile name (debug, debug-read-only, or locked-read-only). Written by Ansible during image build. Read at boot to determine which RTMR3 runtime event to emit. This value is measured into RTMR3 and cannot be changed without altering the measurement. |

Config Struct

All environment variables are parsed into a typed Config struct at startup. Missing required fields cause an immediate exit with a descriptive error.

use std::net::SocketAddr;
use std::path::PathBuf;
use std::time::Duration;

pub struct Config {
  // Network
  pub listen_addr: SocketAddr,
  pub cors_allowed_origins: Vec<String>,

  // dstack
  pub dstack_socket_path: PathBuf,

  // Challenges
  pub challenge_ttl: Duration,
  pub max_pending_challenges: usize,
  pub redis_url: Option<String>,

  // Trust
  pub accept_mock_attestation: bool,
  pub enforce_measurement_policy: bool,

  // Policy
  pub mero_kms_version: String,
  pub mero_kms_profile: String,
  pub mero_kms_policy_sha256: Option<String>,
  pub use_env_policy: bool,

  // Keys
  pub key_namespace_prefix: String,
}
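
A pre-deployment check for the production guidance in this reference, as an added example that is not part of mero-kms-phala: it audits an environment map against the documented defaults and returns one finding per unsafe or missing value. The function names, the `multi_instance` flag and the case-insensitive `true`/`false` parsing are assumptions.

```rust
use std::collections::HashMap;

// Added example, not mero-kms-phala code: audits an environment map against the
// production guidance in this reference. Defaults are the ones documented above.
fn var(env: &HashMap<String, String>, key: &str, default: &str) -> String {
    env.get(key).map(|v| v.trim().to_string()).unwrap_or_else(|| default.to_string())
}

// Assumption: booleans are written "true"/"false"; any other value fails the check.
fn flag_is(env: &HashMap<String, String>, key: &str, default: &str, want: &str) -> bool {
    var(env, key, default).eq_ignore_ascii_case(want)
}

pub fn audit_production(env: &HashMap<String, String>, multi_instance: bool) -> Vec<String> {
    let mut findings = Vec::new();
    if !flag_is(env, "ACCEPT_MOCK_ATTESTATION", "false", "false") {
        findings.push("ACCEPT_MOCK_ATTESTATION must be false in production".to_string());
    }
    if !flag_is(env, "ENFORCE_MEASUREMENT_POLICY", "true", "true") {
        findings.push("ENFORCE_MEASUREMENT_POLICY must be true in production".to_string());
    }
    if var(env, "CORS_ALLOWED_ORIGINS", "*").split(',').any(|o| o.trim() == "*") {
        findings.push("CORS_ALLOWED_ORIGINS allows any origin (*)".to_string());
    }
    if var(env, "MERO_KMS_VERSION", "").is_empty() {
        findings.push("MERO_KMS_VERSION is required".to_string());
    }
    let profile = var(env, "MERO_KMS_PROFILE", "");
    if !["debug", "debug-read-only", "locked-read-only"].contains(&profile.as_str()) {
        findings.push(format!("MERO_KMS_PROFILE '{}' is not a known profile", profile));
    }
    let pin = var(env, "MERO_KMS_POLICY_SHA256", "");
    if pin.is_empty() && flag_is(env, "USE_ENV_POLICY", "false", "false") {
        findings.push("MERO_KMS_POLICY_SHA256 unset: fetched policy is not pinned".to_string());
    } else if !pin.is_empty() && (pin.len() != 64 || !pin.chars().all(|c| c.is_ascii_hexdigit())) {
        findings.push("MERO_KMS_POLICY_SHA256 is not a 64-character hex digest".to_string());
    }
    if multi_instance && var(env, "REDIS_URL", "").is_empty() {
        findings.push("REDIS_URL is required for multi-instance deployments".to_string());
    }
    findings
}

fn main() {
    let env: HashMap<String, String> = std::env::vars().collect();
    for f in audit_production(&env, false) {
        println!("FINDING: {}", f);
    }
}
```

With no variables set, the documented defaults alone produce findings for the wildcard CORS origin, the two required policy variables and the unpinned policy.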

AppState

The Axum application state shared across all request handlers.

pub struct AppState {
  pub config: Config,
  pub challenge_store: Box<dyn ChallengeStore>,
  pub policy: Option<AttestationPolicy>, // None until fetched
}

InMemoryStore

Default backend. Uses DashMap for concurrent access. A background task periodically evicts expired challenges. Suitable for single-instance deployments.

RedisStore

Activated when REDIS_URL is set. Uses Redis SETEX for automatic TTL-based expiry. Required when running multiple KMS instances behind a load balancer.
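
The two challenge limits, CHALLENGE_TTL_SECS and MAX_PENDING_CHALLENGES, in a small model that is added here and is not the project's ChallengeStore code: expired nonces are dropped before the per-peerId cap is checked, and an expired nonce cannot be redeemed. `ChallengeModel`, its methods, the caller-supplied timestamps and single-use redemption are assumptions.

```rust
use std::collections::HashMap;

// Added model of the challenge store limits described above; not mero-kms-phala code.
// Time is passed in as seconds so the behaviour can be exercised without sleeping.
#[derive(Debug, PartialEq)]
pub enum StoreError {
    RateLimited, // the reference maps this to HTTP 429
}

pub struct ChallengeModel {
    ttl_secs: u64,                                // CHALLENGE_TTL_SECS
    max_pending: usize,                           // MAX_PENDING_CHALLENGES
    pending: HashMap<String, Vec<(String, u64)>>, // peerId -> (nonce, expires_at)
}

impl ChallengeModel {
    pub fn new(ttl_secs: u64, max_pending: usize) -> Self {
        Self { ttl_secs, max_pending, pending: HashMap::new() }
    }

    // Drop expired nonces first so only active challenges count toward the cap.
    pub fn issue(&mut self, peer_id: &str, nonce: &str, now: u64) -> Result<(), StoreError> {
        let list = self.pending.entry(peer_id.to_string()).or_default();
        list.retain(|(_, expires_at)| *expires_at > now);
        if list.len() >= self.max_pending {
            return Err(StoreError::RateLimited);
        }
        list.push((nonce.to_string(), now + self.ttl_secs));
        Ok(())
    }

    // Assumption: a challenge is single-use, so a successful redeem removes it.
    pub fn redeem(&mut self, peer_id: &str, nonce: &str, now: u64) -> bool {
        let list = match self.pending.get_mut(peer_id) { Some(l) => l, None => return false };
        list.retain(|(_, expires_at)| *expires_at > now);
        match list.iter().position(|(n, _)| n.as_str() == nonce) {
            Some(i) => { list.remove(i); true }
            None => false,
        }
    }
}

fn main() {
    let mut store = ChallengeModel::new(300, 10); // defaults from the table above
    for i in 0..11 {
        println!("issue #{}: {:?}", i + 1, store.issue("peer-a", &format!("nonce-{}", i), 0));
    }
}
```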