systemd

curl -X GET 'https://github.com/minio/kes/releases/latest/download/kes-linux-amd64' --output kes-linux-amd64

sudo install kes-linux-amd64  /usr/local/bin/kes

useradd kes -s /sbin/nologin

address: 0.0.0.0:7373
admin:
   identity: disabled  # We disable the admin identity since we don't need it in this guide 

tls:
  key:  private.key
  cert: public.crt

policy:
  my-app: 
    allow:
    - /v1/key/create/app-key*
    - /v1/key/generate/app-key*
    - /v1/key/decrypt/app-key*
    identities:
    - ${APP_IDENTITY}

keystore:
  fs:
    path: ./keys # Choose a directory for the secret keys

[Unit]
Description=KES
Documentation=https://github.com/minio/kes/wiki
Wants=network-online.target
After=network-online.target
AssertFileIsExecutable=/usr/local/bin/kes

[Service]
WorkingDirectory=/etc/kes/

User=kes
Group=kes
ProtectProc=invisible

ExecStart=/usr/local/bin/kes server --config=/etc/kes/config.yaml

# Let systemd restart this service always
Restart=always

# Specifies the maximum file descriptor number that can be opened by this process
LimitNOFILE=65536

# Specifies the maximum number of threads this process can create
TasksMax=infinity

# Disable timeout logic and wait until process is stopped
TimeoutStopSec=infinity
SendSIGKILL=no

# Enable memory locking features used to prevent paging.
AmbientCapabilities=CAP_IPC_LOCK

[Install]
WantedBy=multi-user.target

[Service]
AmbientCapabilities=CAP_NET_BIND_SERVICE

systemctl enable kes.service

systemctl start kes.service

systemctl stop kes.service