Zero Knowledge
Important:For ongoing Gateway configuration changes, always use the Gateway Configuration Manager, Akeyless CLI, or Helm values (for Kubernetes) to manage settings for the entire Gateway cluster.
Never configure only a single Gateway instance in a cluster. All instances in a cluster must be managed together using the supported tools above. Configuring only one instance, or making changes to individual containers or pods, will result in configuration drift, inconsistent behavior, and potential security or availability risks.
Avoid per-instance container startup command changes for routine updates. These should only be used for initial bootstrap or emergency recovery, not for ongoing management.
Gateway Zero-Knowledge enables customer-fragment participation for protected Gateway operations.
For architecture concepts, threat model, and distributed cryptographic workflow details, see Zero-Knowledge Encryption SaaS Architecture and DFC Deep Dive.
Use this page for implementation tasks:
- Prepare prerequisites.
- Generate and back up a Customer Fragment.
- Attach the Customer Fragment to Gateway deployment.
- Create DFC keys with Customer Fragment binding.
- Configure machine-identity authentication for Gateway service-to-service flows.
- Validate and troubleshoot deployment behavior.
Prerequisites
Before implementing Gateway Zero-Knowledge, confirm the following:
- A Gateway deployment is running and reachable from the required workloads. For deployment options, see Gateway Overview.
- A Gateway authentication method and access policy are configured. For access configuration details, see Gateway Authentication and Access.
- The identity used for key creation and Gateway operations has the required permissions for DFC key management and Gateway access.
- A secure backup process is defined for Customer Fragment files and values.
- Required network routes to Gateway and Akeyless SaaS services are available. For connectivity requirements, see Gateway Network Connectivity.
Implementation
Use the following sequence to implement Gateway Zero-Knowledge across interfaces and infrastructures.
Step 1: Generate a Customer Fragment (CLI)
akeyless gen-customer-fragment --name <CF-Name> --description MyFirstCF --jsonFor command parameters and additional examples, see CLI Reference: gen-customer-fragment.
Example output:
{
"customer_fragments": [
{
"id": "cf-xyzxyzxyzxyzxyzxyz",
"value": "SomE/CUstOmer/FrAGMenTvALue==",
"description": "MyFirstCF",
"name": "<CF-Name>"
}
]
}Save the output as customer_fragments.json.
Customer Fragments are generated through CLI workflows (or the HSM integration flow), then referenced by Gateway and key-creation workflows. Gateway Console key-creation flows select existing Customer Fragments.
Warning:Back up Customer Fragments securely. Encryption keys created with a Customer Fragment cannot be reconstructed without it.
Step 2: Attach the Customer Fragment to the Gateway
Use these deployment-specific implementation anchors for direct navigation:
- Docker: Authentication, API Key Authentication, Certificates Authentication
- Helm: Authentication, API Key Authentication, Certificates
- Serverless AWS: Authentication, Customer Fragment
- Serverless Azure: Authentication, Customer Fragment
- Docker Compose: Authentication, API Key Authentication, Certificates Authentication
Standalone Docker
Mount customer_fragments.json into /home/akeyless/.akeyless/customer_fragments.json:
docker run -d -p 8000:8000 -p 5696:5696 \
-v /path/to/customer_fragments.json:/home/akeyless/.akeyless/customer_fragments.json \
-e GATEWAY_ACCESS_ID="identity-access-id" \
-e GATEWAY_ACCESS_KEY="identity-access-key" \
--name akeyless-gw akeyless/base:latest-akeylessFor compatibility with older deployments, legacy variables such as ADMIN_ACCESS_ID and ADMIN_ACCESS_KEY can still appear.
Kubernetes with Helm
Create a Kubernetes Secret that contains the customer-fragments key:
kubectl create secret generic gateway-customer-fragments \
--from-file=customer-fragments=./customer_fragments.jsonReference that secret in Helm values:
globalConfig:
customerFragmentsExistingSecret: gateway-customer-fragmentsFor full platform setup flows, see Kubernetes with Helm Deployment.
Other Infrastructures
- Docker Compose Deployment
- Serverless AWS Deployment
- Serverless Azure Deployment
- Azure Container App Deployment
Step 3: Create a DFC Key Bound to the Customer Fragment
Warning:To create a DFC key with Customer Fragment, the identity in use must be allowed in the Gateway access policy.
Create DFC Key from the Akeyless Console
- Open the Gateway Console at
https://<gateway-url>:8000/console. - Go to Items.
- Select New, then Encryption Key, then DFC.
- Specify key parameters, then select the Customer Fragment.
- Select Save.
Create Zero Knowledge Key from the Akeyless CLI
akeyless create-dfc-key --name MyKeyWithMyCF --alg AES256GCM -f <customer-fragment-id>Where:
name: DFC key name.alg: DFC key algorithm.customer-frg-id: Customer Fragment ID used for the DFC key.
For command parameters and additional examples, see CLI Reference: create-dfc-key.
Example output:
A new AES256GCM key named MyKeyWithMyCF was successfully createdStep 4 (Optional): Set a Default Encryption Key in Gateway
Set a default encryption key in Gateway configuration when all newly created items in this Gateway context should use a specific key by default.
Note:Only symmetric keys with
AESGCMalgorithm can be set as default encryption keys.
- Go to Gateways, then the relevant Gateway, then Manage Gateway.
- Go to Defaults.
- Select a key in Default Encryption Key.
- Select Save Changes.
Machine Identity Authentication Mapping
This section lists the supported machine-identity authentication methods for Gateway Zero-Knowledge service-to-service flows.
Authentication methods not listed in this mapping are outside this Gateway service-to-service scope.
Use this mapping to select a supported method and jump to the corresponding implementation guidance:
| Method | Typical workload context | Implementation reference |
|---|---|---|
| API key | Workloads that can securely store and rotate access keys | Authenticate with API key |
| Cloud IAM (AWS, Azure, GCP) | Cloud-native services using platform identity | Authenticate with AWS, Authenticate with Azure, Authenticate with GCP |
| Kubernetes service account | In-cluster workloads using Kubernetes-native identity | Authenticate with Kubernetes |
| Certificate-based authentication | Workloads using client certificate trust chains | Authenticate with certificate |
| Universal Identity | Workloads requiring token-based machine identity across environments | Authenticate with Universal Identity |
For Gateway-specific access delegation controls, see Gateway Authentication and Access.
Troubleshooting
1. Missing Customer Fragment Mount or Secret Key Name
Symptoms include missing fragment errors during CF-protected operations or deployment startup warnings.
Check these items:
- Docker: confirm
customer_fragments.jsonis mounted to/home/akeyless/.akeyless/customer_fragments.json. - Helm: confirm the referenced secret exists and includes key name
customer-fragments. - Serverless: confirm
customer_fragmentspayload is valid JSON and mapped to the deployment parameter.
2. Insufficient Gateway Allowed Access
Symptoms include denied Gateway management actions or inability to complete required operations.
Check these items:
- Confirm the active identity is included in Gateway Allowed Access policy.
- Confirm required Gateway permissions are assigned for the intended operation scope.
- Confirm RBAC policy path permissions also allow the same operation.
3. Authentication Method Mismatch
Symptoms include authentication failures at Gateway startup or request-time authorization errors.
Check these items:
- Confirm auth method type matches deployment configuration (for example
access_key, cloud IAM, certificate, or universal identity). - Confirm required credentials, secrets, or certificates are present and mapped to expected configuration keys.
- For legacy deployments, confirm variable naming consistency when mixing
GATEWAY_*andADMIN_*conventions.