In this article, we'll walk you through what's changed in the latest Virtru Private Keystore (VPK) Docker image update, what you need to do (if anything), and what to expect when you pull the new image.
In this article:
Overview
We've released an updated version of the VPK Docker image that introduces KAS (Key Access Service) — an optional new component that enables deeper integration with Virtru's platform.
Here's the short version:
- ✅ KAS is opt-in. If you don't configure it, your VPK deployment will behave exactly as it always has.
- ✅ Your existing endpoints and external port 443 are unchanged.
- ⚠️ The new image is larger than previous releases — expect a longer pull time on first deploy.
- ⚠️ If you enable KAS, there are a few new network and storage requirements to review before upgrading.
- 🚀 Virtru Collaborate is here! If you are an existing VPK customer, you will need to update to this image and enable KAS to use Virtru Collaborate. Head to the Enabling KAS section below to get started.
What's Changed in the Image
Even if you're not enabling KAS, the underlying image has been updated and will look different than previous builds. The new image bundles several additional components that support the optional KAS feature:
- PostgreSQL 16 — an internal database used by KAS (not externally accessible)
- KAS binary — the Go-based Key Access Service
- Caddy — a reverse proxy that handles internal traffic routing
- supervisord — a process manager that orchestrates all running services
- OpenSSL 3.4.1 — updated for the latest security fixes
Because of these additions, the image is noticeably larger than previous VPK-only releases. If you're on a slower connection or have tight maintenance windows, we recommend pre-pulling the image ahead of your planned deployment.
All services are managed by supervisord in this release. For customers not enabling KAS, supervisord simply runs VPK and Caddy — KAS and PostgreSQL remain dormant. The external behavior of your deployment is identical to before.
Do I Need to Do Anything?
It depends on whether you're enabling KAS.
Not Enabling KAS
No action is required beyond pulling the new image. Your configuration, endpoints, and behavior remain the same.
Enabling KAS
Enabling KAS does require a few additional steps before upgrading, including firewall and network rule updates, and configuring persistent storage for key metadata. For full setup instructions, see Enabling KAS in VPK.
Questions or Issues?
If you run into anything unexpected after upgrading, please reach out to Virtru Support and we'll be happy to help.