minio/docs
1
0
Fork 0
mirror of https://github.com/minio/docs.git synced 2025-07-28 19:42:10 +03:00
Code Activity

DOCS-IA: Platformize SSE Docs. Hashicorp Pass (#518)

Browse Source 
* Platformization of Data Encryption Docs: Hashicorp Pass

* Platformization of Data Encryption Docs: Hashicorp Pass

* Big pass, CR changes + K8s
This commit is contained in:
Ravind Kumar
2022-08-15 12:53:08 -04:00
committed by GitHub
parent 0e63416cb1
commit 2376fa9924
41 changed files with 1837 additions and 310 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
requirements.txt
View File

@ -1,9 +1,9 @@
docutils == 0.17
docutils == 0.18
sphinx == 4.3.2
sphinx-copybutton == 0.4.0
sphinx-design == 0.0.13
sphinx-copybutton == 0.5.0
sphinx-design == 0.2.0
sphinx-markdown-tables == 0.0.15
Sphinx-Substitution-Extensions == 2020.9.30.0
sphinx-togglebutton === 0.3.0
sphinx-togglebutton === 0.3.2
sphinxcontrib-images === 0.9.4
myst-parser === 0.18.0

1
source/default-conf.py
View File

@ -78,6 +78,7 @@ extlinks = {
'prometheus-docs' : ('https://prometheus.io/docs/%s',''),
'podman-docs' : ('https://docs.podman.io/en/latest/%s',''),
'podman-git' : ('https://github.com/containers/podman/%s',''),
'docker-docs' : ('https://docs.docker.com/%s', ''),
}

48
source/developers/haskell/API.md
View File

@ -385,7 +385,7 @@ __Parameters__
| Param | Type | Description |
|--------------|----------|---------------------------------------------------------------------------------------------------------------------------------------|
| `bucketname` | _string_ | Name of the bucket. |
| `bucketName` | _string_ | Name of the bucket. |
| `prefix` | _string_ | Prefix of the object names that are partially uploaded. (optional, default `''`) |
| `recursive` | _bool_ | `true` indicates recursive style listing and `false` indicates directory style listing delimited by '/'. (optional, default `false`). |
@ -427,7 +427,7 @@ __Parameters__
| Param | Type | Description |
|----------------------|------------|----------------------------------------------------------------------------------------------------------------------------------|
| `bucketname` | _string_ | Name of the bucket. |
| `bucketName` | _string_ | Name of the bucket. |
| `callback(err, res)` | _function_ | Callback is called with `err` in case of error. `res` is the response object. If no callback is passed, a `Promise` is returned. |
__Example__
@ -451,7 +451,7 @@ __Parameters__
| Param | Type | Description |
|--------------------|------------|----------------------------------------------------|
| `bucketname` | _string_ | Name of the bucket. |
| `bucketName` | _string_ | Name of the bucket. |
| `versioningConfig` | _object_ | Versioning Configuration e.g: `{Status:"Enabled"}` |
| `callback(err)` | _function_ | Callback is called with `err` in case of error. |
@ -477,7 +477,7 @@ __Parameters__
| Param | Type | Description |
|---------------------|------------|--------------------------------------------------|
| `bucketname` | _string_ | Name of the bucket. |
| `bucketName` | _string_ | Name of the bucket. |
| `replicationConfig` | _object_ | replicationConfig Configuration as a JSON Object |
| `callback(err)` | _function_ | Callback is called with `err` in case of error. |
@ -522,7 +522,7 @@ __Parameters__
| Param | Type | Description |
|------------------------------------|------------|----------------------------------------------------------------------------------------------------------------------------------------------------|
| `bucketname` | _string_ | Name of the bucket. |
| `bucketName` | _string_ | Name of the bucket. |
| `callback(err, replicationConfig)` | _function_ | Callback is called with `err` in case of error. else returns the info in`replicationConfig` ,which contains`{role: __string__, rules:__Array__ }`. |
__Example__
@ -545,7 +545,7 @@ __Parameters__
| Param | Type | Description |
|-----------------|------------|-------------------------------------------------|
| `bucketname` | _string_ | Name of the bucket. |
| `bucketName` | _string_ | Name of the bucket. |
| `callback(err)` | _function_ | Callback is called with `err` in case of error. |
__Example__
@ -568,7 +568,7 @@ __Parameters__
| Param | Type | Description |
|-----------------|------------|-----------------------------------------------------------|
| `bucketname` | _string_ | Name of the bucket. |
| `bucketName` | _string_ | Name of the bucket. |
| `tags` | _object_ | Tags map Configuration e.g: `{<tag-key-1>:<tag-value-1>}` |
| `callback(err)` | _function_ | Callback is called with `err` in case of error. |
@ -591,7 +591,7 @@ __Parameters__
| Param | Type | Description |
|-----------------|------------|-------------------------------------------------|
| `bucketname` | _string_ | Name of the bucket. |
| `bucketName` | _string_ | Name of the bucket. |
| `callback(err)` | _function_ | Callback is called with `err` in case of error. |
__Example__
@ -613,7 +613,7 @@ __Parameters__
| Param | Type | Description |
|---------------------------|------------|-------------------------------------------------|
| `bucketname` | _string_ | Name of the bucket. |
| `bucketName` | _string_ | Name of the bucket. |
| `callback(err, tagsList)` | _function_ | Callback is called with `err` in case of error. |
__Example__
@ -636,7 +636,7 @@ __Parameters__
| Param | Type | Description |
|-------------------|------------|------------------------------------------------------------------------------------|
| `bucketname` | _string_ | Name of the bucket. |
| `bucketName` | _string_ | Name of the bucket. |
| `lifecycleConfig` | _object_ | Valid Lifecycle Configuration or ( `null` or `''` ) to remove policy configuration |
| `callback(err)` | _function_ | Callback is called with `err` in case of error. |
@ -675,7 +675,7 @@ __Parameters__
| Param | Type | Description |
|------------------------------------|------------|---------------------------------------------------------------------------------------------------|
| `bucketname` | _string_ | Name of the bucket. |
| `bucketName` | _string_ | Name of the bucket. |
| `callback(error, lifecycleConfig)` | _function_ | Callback is called with `lifecycleConfig` in case of success. Otherwise it is called with `error` |
__Example__
@ -697,7 +697,7 @@ __Parameters__
| Param | Type | Description |
|-----------------|------------|-------------------------------------------------|
| `bucketname` | _string_ | Name of the bucket. |
| `bucketName` | _string_ | Name of the bucket. |
| `callback(err)` | _function_ | Callback is called with `err` in case of error. |
__Example__
@ -722,7 +722,7 @@ __Parameters__
| Param | Type | Description |
|-----------------|------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `bucketname` | _string_ | Name of the bucket. |
| `bucketName` | _string_ | Name of the bucket. |
| `lockConfig` | _object_ | Lock Configuration can be either `{}` to reset or object with all of the following key/value pairs: `{mode: ["COMPLIANCE"/'GOVERNANCE'], unit: ["Days"/"Years"], validity: <a-valid-number-for-unit>}` |
| `callback(err)` | _function_ | Callback is called with `err` in case of error. |
@ -760,7 +760,7 @@ __Parameters__
| Param | Type | Description |
|-----------------------------|------------|-------------------------------------------------------------------------------------------|
| `bucketname` | _string_ | Name of the bucket. |
| `bucketName` | _string_ | Name of the bucket. |
| `callback(err, lockConfig)` | _function_ | Callback is called with `err` in case of error. else it is called with lock configuration |
__Example __
@ -785,7 +785,7 @@ __Parameters__
| Param | Type | Description |
|--------------------|------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `bucketname` | _string_ | Name of the bucket. |
| `bucketName` | _string_ | Name of the bucket. |
| `encryptionConfig` | _object_ | Encryption Configuration can be either omitted or `{}` or a valid and supported encryption config. by default: `{Rule:[{ApplyServerSideEncryptionByDefault:{SSEAlgorithm:"AES256"}}]}` is applied. |
| `callback(err)` | _function_ | Callback is called with `err` in case of error. |
@ -823,7 +823,7 @@ __Parameters__
| Param | Type | Description |
|----------------------------|------------|-------------------------------------------------------------------------------------------|
| `bucketname` | _string_ | Name of the bucket. |
| `bucketName` | _string_ | Name of the bucket. |
| `callback(err, encConfig)` | _function_ | Callback is called with `err` in case of error. else it is called with lock configuration |
__Example __
@ -848,7 +848,7 @@ __Parameters__
| Param | Type | Description |
|-----------------|------------|-------------------------------------------------|
| `bucketname` | _string_ | Name of the bucket. |
| `bucketName` | _string_ | Name of the bucket. |
| `callback(err)` | _function_ | Callback is called with `err` in case of error. |
__Example __
@ -1473,7 +1473,7 @@ __Parameters__
| Param | Type | Description |
|-----------------|------------|---------------------------------------------------------------|
| `bucketname` | _string_ | Name of the bucket. |
| `bucketName` | _string_ | Name of the bucket. |
| `objectName` | _string_ | Name of the object. |
| `tags` | _object_ | Tags map Configuration e.g: `{<tag-key-1>:<tag-value-1>}` |
| `putOpts` | _object_ | Default is {}. e.g `{versionId:"my-version-id"}`. (Optional) |
@ -1510,7 +1510,7 @@ __Parameters__
| Param | Type | Description |
|-----------------|------------|---------------------------------------------------------------|
| `bucketname` | _string_ | Name of the bucket. |
| `bucketName` | _string_ | Name of the bucket. |
| `objectName` | _string_ | Name of the object. |
| `removeOpts` | _object_ | Defaults to {}. e.g `{versionId:"my-version-id"}`. (Optional) |
| `callback(err)` | _function_ | Callback is called with `err` in case of error. |
@ -1547,7 +1547,7 @@ __Parameters__
| Param | Type | Description |
|-----------------|------------|---------------------------------------------------------------|
| `bucketname` | _string_ | Name of the bucket. |
| `bucketName` | _string_ | Name of the bucket. |
| `objectName` | _string_ | Name of the object. |
| `getOpts` | _object_ | Defaults to {}. e.g `{versionId:"my-version-id"}`. (Optional) |
| `callback(err)` | _function_ | Callback is called with `err` in case of error. |
@ -1912,8 +1912,16 @@ policy.setExpires(expires)
// Only allow 'text'.
policy.setContentType('text/plain')
// Set content disposition response header.
policy.setContentDisposition('attachment; filename=text.txt')
// Only allow content size in range 1KB to 1MB.
policy.setContentLengthRange(1024, 1024*1024)
// Set key-value user defined metadata
policy.setUserMetaData({
key: 'value'
})
```
POST your content from the browser using `superagent`:

31
source/extra/kes.service Normal file
View File

@ -0,0 +1,31 @@
[Unit]
Description=KES
Documentation=https://github.com/minio/kes/wiki
Wants=network-online.target
After=network-online.target
AssertFileIsExecutable=/usr/local/bin/kes
[Service]
WorkingDirectory=/etc/kes/
User=kes
Group=kes
ProtectProc=invisible
ExecStart=/usr/local/bin/kes server --config=/etc/kes/config.yaml
# Let systemd restart this service always
Restart=always
# Specifies the maximum file descriptor number that can be opened by this process
LimitNOFILE=65536
# Specifies the maximum number of threads this process can create
TasksMax=infinity
# Disable timeout logic and wait until process is stopped
TimeoutStopSec=infinity
SendSIGKILL=no
[Install]
WantedBy=multi-user.target

BIN
source/images/k8s/operator-create-tenant-audit-log.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 77 KiB

BIN
source/images/k8s/operator-create-tenant-configure.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 99 KiB

BIN
source/images/k8s/operator-create-tenant-encryption-aws.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 112 KiB

BIN
source/images/k8s/operator-create-tenant-encryption-azure.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 107 KiB

BIN
source/images/k8s/operator-create-tenant-encryption-gcp.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 102 KiB

BIN
source/images/k8s/operator-create-tenant-encryption-gemalto.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 116 KiB

BIN
source/images/k8s/operator-create-tenant-encryption-vault.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 94 KiB

BIN
source/images/k8s/operator-create-tenant-encryption.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 112 KiB

BIN
source/images/k8s/operator-create-tenant-identity-provider-adldap.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 110 KiB

BIN
source/images/k8s/operator-create-tenant-identity-provider-builtin.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 50 KiB

BIN
source/images/k8s/operator-create-tenant-identity-provider-openid.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 70 KiB

BIN
source/images/k8s/operator-create-tenant-images.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 112 KiB

BIN
source/images/k8s/operator-create-tenant-monitoring.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 57 KiB

BIN
source/images/k8s/operator-create-tenant-pod-placement-anti-affinity.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 58 KiB

BIN
source/images/k8s/operator-create-tenant-pod-placement-node-selector.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 68 KiB

BIN
source/images/k8s/operator-create-tenant-security.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 78 KiB

BIN
source/images/k8s/operator-create-tenant-setup.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 114 KiB

13
source/includes/common-minio-kes.rst
View File

@ -32,19 +32,6 @@ For instructions on enabling TLS on the MinIO server, see :ref:`minio-tls`.
.. end-kes-network-encryption-desc
.. start-kes-podman-desc
The procedures on this page use the |podman| daemonless container engine for
running OCI containers. Podman is a drop-in replacement for Docker.
This procedure assues running Podman in
:podman-git:`"rootless" <blob/main/docs/tutorials/rootless_tutorial.md>`.
Defer to the Podman documentation for installing and configuring Podman to
run in rootless mode.
.. end-kes-podman-desc
.. start-kes-download-desc
You can download the KES binary for running in baremetal environments,

113
source/includes/common/common-minio-kes-hashicorp.rst Normal file
View File

@ -0,0 +1,113 @@
.. start-kes-configuration-hashicorp-vault-desc
|KES| uses a YAML-formatted configuration file.
The following YAML provides the minimum required fields for using Hashicorp Vault as the root |KMS| and is intended for use in this tutorial.
.. code-block:: shell
:class: copyable
address: 0.0.0.0:7373
# Disable the root identity, as we do not need that level of access for
# supporting SSE operations.
root: disabled
# Specify the TLS keys generated in the previous step here
# For production environments, use keys signed by a known and trusted
# Certificate Authority (CA).
tls:
key: ~/minio-kes-vault/certs/kes-server.key
cert: ~/minio-kes-vault/certs/kes-server.cert
# Sets access policies for KES
# The `minio` policy grants access to the listed APIs.
policy:
minio:
allow:
- /v1/key/create/* # You can replace these wildcard '*' with a string prefix to restrict key names
- /v1/key/generate/* # e.g. '/minio-'
- /v1/key/decrypt/*
identities:
- ${MINIO_IDENTITY_HASH} # Replace with the output of 'kes tool identity of minio-kes.cert'
# In production environments, each client connecting to KES must
# Have their TLS hash listed under at least one `policy`.
# Specify the connection information for the Vault server.
# The endpoint should be resolvable from the host.
# This example assumes that Vault is configured with an AppRole ID and
# Secret for use with KES.
keystore:
vault:
endpoint: https://HOSTNAME:8200
approle:
id: "VAULTAPPID" # Hashicorp Vault AppRole ID
secret: "VAULTAPPSECRET" # Hashicorp Vault AppRole Secret ID
retry: 15s
status:
ping: 10s
# Required if Vault uses certificates signed by an unknown CA,
# e.g. self-signed or internal (non-globally trusted).
# Replace this value with the full path to the Vault CA certificate.
tls:
ca: vault-tls-CA.cert
.. end-kes-configuration-hashicorp-vault-desc
.. start-kes-prereq-hashicorp-vault-desc
This procedure assumes an existing `Hashicorp Vault <https://www.vaultproject.io/>`__ installation accessible from the local host.
The Vault `Quick Start <https://learn.hashicorp.com/tutorials/vault/getting-started-install>`__ provides a sufficient foundation for the purposes of this procedure.
Defer to the `Vault Documentation <https://learn.hashicorp.com/vault>`__ for guidance on deployment and configuration.
MinIO |KES| supports both the V1 and V2 Vault engines.
Select the corresponding tab to the engine used by your Vault deployment for instructions on configuring the necessary permissions:
.. tab-set::
.. tab-item:: Vault Engine V1
Create an access policy ``kes-policy.hcl`` with a configuration similar to the following:
.. code-block:: shell
:class: copyable
path "kv/*" {
capabilities = [ "create", "read", "delete" ]
}
Write the policy to Vault using ``vault policy write kes-policy kes-policy.hcl``.
.. tab-item:: Vault Engine V2
Create an access policy ``kes-policy.hcl`` with a configuration similar to the following:
.. code-block:: shell
:class: copyable
path "kv/data/*" {
capabilities = [ "create", "read"]
path "kv/metadata/*" {
capabilities = [ "list", "delete"]
Write the policy to Vault using ``vault policy write kes-policy kes-policy.hcl``
MinIO requires using AppRole authentication for secure communication with the Vault server.
The following commands:
- Create an App Role ID for |KES|
- Binds that role to the created KES policy
- Requests a RoleID and SecretID
.. code-block:: shell
:class: copyable
vault write auth/approle/role/kes-role token_num_uses=0 secret_id_num_uses=0 period=5m
vault write auth/approle/role/kes-role policies=kes-policy
vault read auth/approle/role/kes-role/role-id
vault write -f auth/approle/role/kes-role/secret-id
You must specify both RoleID and SecretID as part of this procedure.
.. end-kes-prereq-hashicorp-vault-desc

288
source/includes/common/common-minio-kes.rst Normal file
View File

@ -0,0 +1,288 @@
.. The following sections are common installation instructions for the KES
server. These are used in the following pages:
- /source/security/server-side-encryption/configure-minio-kes-hashicorp.rst
- /source/security/server-side-encryption/configure-minio-kes-aws.rst
- /source/security/server-side-encryption/configure-minio-kes-azure.rst
- /source/security/server-side-encryption/configure-minio-kes-gcp.rst
.. start-kes-encrypted-backend-desc
Enabling |SSE| on a MinIO deployment automatically encrypts the backend data for that deployment using the default encryption key.
MinIO *requires* access to KES *and* the root KMS to decrypt the backend and start normally.
You cannot disable KES later or "undo" the |SSE| configuration at a later point.
.. end-kes-encrypted-backend-desc
.. start-kes-new-existing-minio-deployment-desc
This procedure provides instructions for modifying the startup environment variables of a MinIO deployment to enable |SSE| via KES and the root KMS.
For instructions on new production deployments, see the :ref:`Multi-Node Multi-Drive (Distributed) <minio-mnmd>` tutorial.
For instructions on new local or evaluation deployments, see the :ref:`Single-Node Single-Drive <minio-snsd>` tutorial.
When creating the environment file for the deployment, pause and switch back to this tutorial to include the necessary environment variables to support |SSE|.
For existing MinIO Deployments, you can modify the existing environment file and restart the deployment as instructed during this procedure.
.. end-kes-new-existing-minio-deployment-desc
.. start-kes-generate-kes-certs-desc
The following commands create two TLS certificates that expire within 30 days of creation:
- A TLS certificate for KES to secure communications between it and the Vault deployment
- A TLS certificate for MinIO to perform mTLS authentication to KES.
.. admonition:: Use Caution in Production Environments
:class: important
**DO NOT** use the TLS certificates generated as part of this procedure for
any long-term development or production environments.
Defer to organization/industry best practices around TLS certificate
generation and management. A complete guide to creating valid certificates
(e.g. well-formed, current, and trusted) is beyond the scope of this
procedure.
.. code-block:: shell
:class: copyable
kes tool identity new \
--key ~/minio-kes-vault/certs/kes-server.key \
--cert ~/minio-kes-vault/certs/kes-server.cert \
--ip "127.0.0.1" \
--dns localhost
kes tool identity new \
--key ~/minio-kes-vault/certs/minio-kes.key \
--cert ~/minio-kes-vault/certs/minio-kes.cert \
--ip "127.0.0.1" \
--dns localhost
These commands output the keys to the ``~/minio-kes-vault/certs`` directory on the host operating system.
The ``--ip`` and ``--dns`` parameters set the IP and DNS ``SubjectAlternativeName`` for the certificate.
The above example assumes that all components (Vault, MinIO, and KES) deploy on the same local host machine accessible via ``localhost`` or ``127.0.0.1``.
You can specify additional IP or Hostnames based on the network configuration of your local host.
Depending on your Vault configuration, you may need to pass the ``kes-server.cert`` certificate as a trusted Certificate Authority. See the `Hashicorp Server Configuration Documentation <https://www.vaultproject.io/docs/configuration/listener/tcp#tls_client_ca_file>`__ for more information.
Defer to the client documentation for instructions on trusting a third-party CA.
.. end-kes-generate-kes-certs-desc
.. start-kes-run-server-desc
The first command allows |KES| to use the `mlock <http://man7.org/linux/man-pages/man2/mlock.2.html>`__ system call without running as root.
``mlock`` ensures the OS does not write in-memory data to disk (swap memory) and mitigates the risk of cryptographic operations being written to unsecured disk at any time.
The second command starts the KES server in the foreground using the configuration file created in the last step.
The ``--auth=off`` disables strict validation of client TLS certificates.
Using self-signed certificates for either the MinIO client or the root KMS server requires specifing this option.
.. code-block:: shell
:class: copyable
sudo setcap cap_ipc_lock=+ep $(readlink -f $(which kes))
kes server --mlock \
--config=~/minio-kes-vault/config/server-config.yaml \
--auth=off
|KES| listens on port ``7373`` by default.
You can monitor the server logs from the terminal session.
If you run |KES| without tying it to the current shell session (e.g. with ``nohup``), use that method's associated logging system (e.g. ``nohup.txt``).
.. end-kes-run-server-desc
.. start-kes-generate-key-desc
MinIO requires that the |EK| exist on the root KMS *before* performing |SSE| operations using that key.
Use ``kes key create`` *or* :mc:`mc admin kms key create` to add a new |EK| for use with |SSE|.
The following command uses the ``kes key create`` command to add a new External Key (EK) stored on the root KMS server for use with encrypting the MinIO backend.
.. code-block:: shell
:class: copyable
export KES_SERVER=https://127.0.0.1:7373
export KES_CLIENT_KEY=~/minio-kes-vault/minio-kes.key
export KES_CLIENT_CERT=~/minio-kes-vault/minio-kes.cert
kes key create -k encrypted-bucket-key
.. end-kes-generate-key-desc
.. start-kes-configuration-minio-desc
Add the following lines to the MinIO Environment file on each MinIO host.
See the tutorials for :ref:`minio-snsd`, :ref:`minio-snmd`, or :ref:`minio-mnmd` for more detailed descriptions of a base MinIO environment file.
This command assumes the ``minio-kes.cert``, ``minio-kes.key``, and ``kes-server.cert`` certificates are accessible at the specified location:
.. code-block:: shell
:class: copyable
# Add these environment variables to the existing environment file
MINIO_KMS_KES_ENDPOINT=https://HOSTNAME:7373
MINIO_KMS_KES_CERT_FILE=~/minio-kes-vault/certs/minio-kes.cert
MINIO_KMS_KES_KEY_FILE=~/minio-kes-vault/certs/minio-kes.key
MINIO_KMS_KES_CAPATH=~/minio-kes-vault/certs/kes-server.cert
MINIO_KMS_KES_KEY_NAME=minio-backend-default-key
minio server [ARGUMENTS]
Replace ``HOSTNAME`` with the IP address or hostname of the KES server.
If the MinIO server host machines cannot resolve or reach the specified ``HOSTNAME``, the deployment may return errors or fail to start.
- If using a single KES server host, specify the IP or hostname of that host
- If using multiple KES server hosts, specify the load balancer or reverse proxy managing connections to those hosts.
MinIO uses the :envvar:`MINIO_KMS_KES_KEY_NAME` key for the following cryptographic operations:
- Encrypting the MinIO backend (IAM, configuration, etc.)
- Encrypting objects using :ref:`SSE-KMS <minio-encryption-sse-kms>` if the request does not
include a specific |EK|.
- Encrypting objects using :ref:`SSE-S3 <minio-encryption-sse-s3>`.
The ``minio-kes`` certificates enable mTLS between the MinIO deployment and the KES server *only*.
They do not otherwise enable TLS for other client connections to MinIO.
.. end-kes-configuration-minio-desc
.. start-kes-enable-sse-kms-desc
You can use either the MinIO Console or the MinIO :mc:`mc` CLI to enable bucket-default SSE-KMS with the generated key:
.. tab-set::
.. tab-item:: MinIO Console
Open the MinIO Console by navigating to http://127.0.0.1:9090 in your preferred browser and logging in with the root credentials specified to the MinIO container.
If you deployed MinIO using a different Console listen port, substitute ``9090`` with that port value.
Once logged in, create a new Bucket and name it to your preference.
Select the Gear :octicon:`gear` icon to open the management view.
Select the pencil :octicon:`pencil` icon next to the :guilabel:`Encryption` field to open the modal for configuring a bucket default SSE scheme.
Select :guilabel:`SSE-KMS`, then enter the name of the key created in the previous step.
Once you save your changes, try to upload a file to the bucket.
When viewing that file in the object browser, note that in the sidebar the metadata includes the SSE encryption scheme and information on the key used to encrypt that object.
This indicates the successful encrypted state of the object.
.. tab-item:: MinIO CLI
The following commands:
- Create a new :ref:`alias <alias>` for the MinIO deployment
- Create a new bucket for storing encrypted data
- Enable SSE-KMS encryption on that bucket
.. code-block:: shell
:class: copyable
mc alias set local http://127.0.0.1:9000 ROOTUSER ROOTPASSWORD
mc mb local/encryptedbucket
mc encrypt set SSE-KMS encrypted-bucket-key ALIAS/encryptedbucket
Write a file to the bucket using :mc:`mc cp` or any S3-compatible SDK with a ``PutObject`` function.
You can then run :mc:`mc stat` on the file to confirm the associated encryption metadata.
.. end-kes-enable-sse-kms-desc
.. -----------------------------------------------------------------------------
.. The following sections are common descriptors associated to the KES
configuration.
.. start-kes-conf-address-desc
The network address and port the KES server listens to on startup.
Defaults to port ``7373`` on all host network interfaces.
.. end-kes-conf-address-desc
.. start-kes-conf-root-desc
The identity for the KES superuser (``root``) identity.
Clients connecting with a TLS certificate whose hash (``kes tool identity of client.cert``) matches this value have access to all KES API operations.
Specify ``disabled`` to remove the root identity and rely only on the ``policy`` configuration for controlling identity and access management to KES.
.. end-kes-conf-root-desc
.. start-kes-conf-tls-desc
The TLS private key and certificate used by KES for establishing TLS-secured communications.
Specify the full path for both the private ``.key`` and public ``.cert`` to the ``key`` and ``cert`` fields, respectively.
.. end-kes-conf-tls-desc
.. start-kes-conf-policy-desc
Specify one or more :minio-git:`policies <kes/wiki/Configuration#policy-configuration>` to control access to the KES server.
MinIO |SSE| requires access to the following KES cryptographic APIs:
- ``/v1/key/create/*``
- ``/v1/key/generate/*``
- ``/v1/key/decrypt/*``
Specifying additional keys does not expand MinIO |SSE| functionality and may violate security best practices around providing unnecessary client access to cryptographic key operations.
You can restrict the range of key names MinIO can create as part of performing
|SSE| by specifying a prefix before the ``*``. For example,
``minio-sse-*`` only grants access to create, generate, or decrypt keys using
the ``minio-sse-`` prefix.
|KES| uses mTLS to authorize connecting clients by comparing the
hash of the TLS certificate against the ``identities`` of each configured
policy. Use the ``kes tool identity of`` command to compute the identity of the
MinIO mTLS certificate and add it to the ``policy.<NAME>.identities`` array
to associate MinIO to the ``<NAME>`` policy.
.. end-kes-conf-policy-desc
.. start-kes-conf-keys-desc
Specify an array of keys which *must* exist on the root KMS for |KES| to
successfully start. KES attempts to create the keys if they do not exist and
exits with an error if it fails to create any key. KES does not accept any
client requests until it completes validation of all specified keys.
.. end-kes-conf-keys-desc
.. -----------------------------------------------------------------------------
.. The following sections include common admonitions/notes across all KES
properties. These are used in the following pages:
- /source/security/server-side-encryption/server-side-encryption-sse-kms.rst
- /source/security/server-side-encryption/server-side-encryption-sse-s3.rst
- /source/security/server-side-encryption/server-side-encryption-sse-c.rst
.. start-kes-play-sandbox-warning
.. important::
The MinIO KES ``Play`` sandbox is public and grants root access to all
created External Keys (EK). Any |EK| stored on the ``Play`` sandbox may be
accessed or destroyed at any time, rendering protected data vulnerable or
permanently unreadable.
- **Never** use the ``Play`` sandbox to protect data you cannot afford to
lose or reveal.
- **Never** generate |EK| using names that reveal private, confidential, or
internal naming conventions for your organization.
- **Never** use the ``Play`` sandbox for production environments.
.. end-kes-play-sandbox-warning

9
source/includes/container/common-deploy.rst
View File

@ -107,3 +107,12 @@ The instructions include examples for both quay.io and DockerHub:
If your local host firewall permits external access to the MinIO S3 API port, other hosts on the same network can access the MinIO deployment using the IP or hostname for your local host.
.. end-common-deploy-connect-to-minio-service
.. start-common-prereq-container-management-interface
This procedure assumes you have a working `Podman <https://podman.io/getting-started/installation.html>`_ installation configured to run in "Rootfull" mode.
"Rootless" modes may not provide sufficient permissions to run KES with the necessary security settings.
See the relevant :podman-git:`"rootless" documentation <blob/main/docs/tutorials/rootless_tutorial.md>` for more information.
.. end-common-prereq-container-management-interface

216
source/includes/container/common-minio-kes.rst Normal file
View File

@ -0,0 +1,216 @@
.. start-common-deploy-create-pod-and-containers
The commands in this section create the following resources:
- A Podman :podman-docs:`Pod <markdown/podman-pod.1.html>` to facilitate container communications
- A Container for the KES Server configured to use Hashicorp Vault as the Root |KMS|.
- A Container for a MinIO Server running in :ref:`Single-Node Single-Drive Mode <minio-snsd>`.
.. code-block:: shell
:class: copyable
:substitutions:
sudo podman pod create \
-p 9000:9000 -p 9090:9090 -p 7373:7373 \
-v ~/minio-kes-vault/certs:/certs \
-v ~/minio-kes-vault/minio:/mnt/minio \
-v ~/minio-kes-vault/config:/etc/default/ \
-n minio-kes-vault
sudo podman run -dt \
--cap-add IPC_LOCK \
--name kes-server \
--pod "minio-kes-vault" \
-e KES_SERVER=https://127.0.0.1:7373 \
-e KES_CLIENT_KEY=/certs/kes-server.key \
-e KES_CLIENT_CERT=/certs/kes-server.cert \
quay.io/minio/kes:|kes-stable| server \
--mlock --auth \
--config=/etc/default/kes-server-config.yaml \
sudo podman run -dt \
--name minio-server \
--pod "minio-kes-vault" \
-e "MINIO_CONFIG_ENV_FILE=/etc/default/minio" \
quay.io/minio/minio:|minio-latest| server \
--console-address ":9090"
You can verify the status of the containers using the following commands:
.. code-block:: shell
:class: copyable
# Should show three pods - one for the Pod, one for KES, and one for MinIO
sudo podman container ls
If all pods are operational, you can connect to the MinIO deployment by opening your browser to http://127.0.0.1:9000 and logging in with the root credentials specified in the MinIO environment file.
.. end-common-deploy-create-pod-and-containers
.. start-kes-generate-kes-certs-desc
The following commands create two TLS certificates that expire within 30 days of creation:
- A TLS certificate for KES to secure communications between it and the Vault deployment
- A TLS certificate for MinIO to perform mTLS authentication to KES.
.. admonition:: Use Caution in Production Environments
:class: important
**DO NOT** use the TLS certificates generated as part of this procedure for
any long-term development or production environments.
Defer to organization/industry best practices around TLS certificate
generation and management. A complete guide to creating valid certificates
(e.g. well-formed, current, and trusted) is beyond the scope of this
procedure.
.. code-block:: shell
:class: copyable
:substitutions:
podman run --rm \
-v ~/minio-kes-vault/certs:/certs \
quay.io/minio/kes:|kes-stable| identity new \
--key /certs/kes-server.key \
--cert /certs/kes-server.cert \
kes-server
podman run --rm \
-v ~/minio-kes-vault/certs:/certs \
quay.io/minio/kes:|kes-stable| identity new \
--key /certs/minio-kes.key \
--cert /certs/minio-kes.cert \
minio-server
These commands output the keys to the ``~/minio-kes-vault/certs`` directory on the host operating system.
Depending on your Vault configuration, you may need to pass the ``kes-server.cert`` as a trusted Certificate Authority. See the `Hashicorp Vault Configuration Docs <https://www.vaultproject.io/docs/configuration/listener/tcp#tls_client_ca_file>`__ for more information.
Defer to the client documentation for instructions on trusting a third-party CA.
.. end-kes-generate-kes-certs-desc
.. start-kes-configuration-minio-desc
Create the MinIO Environment file at ``~/minio-kes-vault/config/minio``.
See the tutorial for :ref:`minio-snsd` for more detailed descriptions of a base MinIO environment file.
This command assumes the ``minio-kes.cert``, ``minio-kes.key``, and ``kes-server.cert`` certificates are accessible at the specified location:
.. code-block:: shell
:class: copyable
MINIO_ROOT_USER=myminioadmin
MINIO_ROOT_PASSWORD=minio-secret-key-change-me
MINIO_VOLUMES="/mnt/data"
# KES Configurations
MINIO_KMS_KES_ENDPOINT=https://127.0.0.1:7373
MINIO_KMS_KES_CERT_FILE=~/minio-kes.cert
MINIO_KMS_KES_KEY_FILE=~/minio-kes.key
MINIO_KMS_KES_CAPATH=~/server.cert
MINIO_KMS_KES_KEY_NAME=minio-backend-default-key
MinIO uses the :envvar:`MINIO_KMS_KES_KEY_NAME` key for the following cryptographic operations:
- Encrypting the MinIO backend (IAM, configuration, etc.)
- Encrypting objects using :ref:`SSE-KMS <minio-encryption-sse-kms>` if the request does not
include a specific |EK|.
- Encrypting objects using :ref:`SSE-S3 <minio-encryption-sse-s3>`.
The ``minio-kes`` certificates enable for mTLS between the MinIO deployment and the KES server *only*.
They do not otherwise enable TLS for other client connections to MinIO.
KES automatically creates this key if it does not already exist on the root KMS.
.. end-kes-configuration-minio-desc
.. start-kes-run-server-vault-desc
The following commands do the following:
- Create a Pod for the MinIO and KES containers
- Start the KES Container attached to the Pod
- Start the MinIO Container attached to the Pod
The commands include setting an environment variable for the Vault :ref:`Vault AppRole credentials <minio-sse-vault-prereq-vault>`.
These values automatically substitute into the configuration file when running the container.
All commands assume starting the container in "Rootfull" mode.
"Rootless" configurations may work depending on your local host configuration.
.. code-block:: shell
:class: copyable
:substitutions:
# Creates the Pod named 'minio-kes-vault'
# Exposes ports for MinIO, KES, and Vault for all containers attached to the pod
# Attaches local host volumes to any container in the Pod at the specified paths
sudo podman pod create \
-p 9000:9000 -p 9090:9090 -p 7373:7373 -p 8200:8200 \
-v ~/pods/minio-sse-local/minio:/mnt/data \
-v ~/pods/minio-sse-local/certs:/certs \
-v ~/pods/minio-sse-local/keys:/keys \
-v ~/pods/minio-sse-local/config:/etc/default \
-n minio-kes-vault
# Runs the KES container attached to the `minio-kes-vault` Pod
# Sets environment variables to allow accessing the KES server using the container KES client
# Disables verification of TLS certificates to allow using self-signed client certs
# Enables ``mlock`` system call for better security
# Disables verification of client TLS certificates to support self-signed certs
sudo podman run -t \
--cap-add IPC_LOCK \
--name kes-server \
--pod "minio-kes-vault" \
-e KES_SERVER=https://127.0.0.1:7373 \
-e KES_CLIENT_KEY=/certs/minio-kes.key \
-e KES_CLIENT_CERT=/certs/minio-kes.cert \
-e VAULTAPPID="vault-app-id" \
-e VAULTAPPSECRET="vault-app-secret" \
kes:|kes-stable| server \
--mlock \
--config=/etc/default/kes-server-config.yaml \
--auth=off
# Runs the MinIO container attached to the `minio-kes-vault` Pod
# Sets an environment variable pointing to the MinIO Environment file
# Starts the server with a dedicated console port of ``9090``
sudo podman run -t \
-e "MINIO_CONFIG_ENV_FILE=/etc/default/minio" \
--name "minio" \
--pod "minio-kes-vault" \
minio:|minio-latest| server --console-address ":9090"
You can verify the installation by opening your Internet Browser and navigating to http://127.0.0.1:9090 and logging in with your MinIO Root Credentials.
.. end-kes-run-server-vault-desc
.. start-kes-generate-key-desc
MinIO requires that the |EK| exist on the root KMS *before* performing
|SSE| operations using that key. Use ``kes key create`` *or*
:mc:`mc admin kms key create` to create a new |EK| for use with |SSE|.
The following command uses the ``kes key create`` command to add a new
External Key (EK) stored on the root KMS server for use with encrypting
the MinIO backend.
.. code-block:: shell
:class: copyable
:substitutions:
sudo podman run --rm \
-e KES_SERVER=https://127.0.0.1:7373 \
-e KES_CLIENT_KEY=~/minio-kes-vault/certs/minio-kes.key \
-e KES_CLIENT_CERT=~/minio-kes-vault/certs/minio-kes.cert \
kes:|kes-stable| key create -k my-new-encryption-key
You can specify any key name as appropriate for your use case, such as a bucket-specific key ``minio-mydata-key``.
.. end-kes-generate-key-desc

149
source/includes/container/steps-configure-minio-kes-hashicorp.rst Normal file
View File

@ -0,0 +1,149 @@
This procedure assumes a single local host machine running the MinIO and KES processes as containers.
As part of this procedure, you will:
- Deploy a |KES| container configured to use `Hashicorp Vault <https://www.vaultproject.io/>`__ as the root |KMS|.
- Create a new |EK| on Vault for use with |SSE|.
- Deploy a MinIO container configured to use the |KES| container for supporting |SSE|.
- Configure automatic bucket-default :ref:`SSE-KMS <minio-encryption-sse-kms>`.
You can use the guidance in this tutorial for deploying MinIO with |SSE| enabled for other container-based topologies.
For production orchestrated environments, use the MinIO Kubernetes Operator to deploy a tenant with |SSE| enabled and configured for use with Hashicorp Vault.
.. important::
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-encrypted-backend-desc
:end-before: end-kes-encrypted-backend-desc
Prerequisites
-------------
.. _minio-sse-vault-prereq-vault:
Deploy or Ensure Access to a Hashicorp Vault Service
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common/common-minio-kes-hashicorp.rst
:start-after: start-kes-prereq-hashicorp-vault-desc
:end-before: end-kes-prereq-hashicorp-vault-desc
Install Podman or a Similar Container Management Interface
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/container/common-deploy.rst
:start-after: start-common-prereq-container-management-interface
:end-before: end-common-prereq-container-management-interface
Use Podman to Deploy MinIO and KES with Hashicorp Vault for SSE
---------------------------------------------------------------
Prior to starting these steps, create the following folders:
.. code-block:: shell
:class: copyable
mkdir -P ~/minio-kes-vault/certs ~/minio-kes-vault/minio ~/minio-kes-vault/config
For Windows hosts, substitute the paths with Windows-style paths, e.g. ``C:\minio-kes-vault\``.
1) Generate TLS Certificates for KES and MinIO
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/container/common-minio-kes.rst
:start-after: start-kes-generate-kes-certs-desc
:end-before: end-kes-generate-kes-certs-desc
2) Create the KES and MinIO Configurations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
a. Create the KES Configuration File
.. include:: /includes/common/common-minio-kes-hashicorp.rst
:start-after: start-kes-configuration-hashicorp-vault-desc
:end-before: end-kes-configuration-hashicorp-vault-desc
Save the configuration file as ``~/minio-kes-vault/config/kes-config.yaml``.
- Set ``MINIO_IDENTITY_HASH`` to the identity hash of the MinIO mTLS certificate.
The following command computes the necessary hash:
.. code-block:: shell
:class: copyable
:substitutions:
podman run --rm \
-v ~/minio-kes-vault/certs:/certs \
kes:v|kes-stable| tool identity of /certs/minio-kes.cert
- Replace the ``vault.endpoint`` with the hostname of the Vault server(s).
- Replace the ``VAULTAPPID`` and ``VAULTAPPSECRET`` with the appropriate :ref:`Vault AppRole credentials <minio-sse-vault-prereq-vault>`.
b. Create the MinIO Environment File
.. include:: /includes/container/common-minio-kes.rst
:start-after: start-kes-configuration-minio-desc
:end-before: end-kes-configuration-minio-desc
3) Create Pod and Containers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/container/common-minio-kes.rst
:start-after: start-common-deploy-create-pod-and-containers
:end-before: end-common-deploy-create-pod-and-containers
4) Generate a New Encryption Key
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/container/common-minio-kes.rst
:start-after: start-kes-generate-key-desc
:end-before: end-kes-generate-key-desc
5) Enable SSE-KMS for a Bucket
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
You can use either the MinIO Console or the MinIO :mc:`mc` CLI to enable bucket-default SSE-KMS with the generated key:
.. tab-set::
.. tab-item:: MinIO Console
Open the MinIO Console by navigating to http://127.0.0.1:9090 in your preferred browser and logging in with the root credentials specified to the MinIO container.
Once logged in, create a new Bucket and name it to your preference.
Select the Gear :octicon:`gear` icon to open the management view.
Select the pencil :octicon:`pencil` icon next to the :guilabel:`Encryption` field to open the modal for configuring a bucket default SSE scheme.
Select :guilabel:`SSE-KMS`, then enter the name of the key created in the previous step.
Once you save your changes, try to upload a file to the bucket.
When viewing that file in the object browser, note that in the sidebar the metadata includes the SSE encryption scheme and information on the key used to encrypt that object.
This indicates the successful encrypted state of the object.
.. tab-item:: MinIO CLI
The following commands:
- Create a new :ref:`alias <alias>` for the MinIO deployment
- Create a new bucket for storing encrypted data
- Enable SSE-KMS encryption on that bucket
.. code-block:: shell
:class: copyable
mc alias set local http://127.0.0.1:9000 ROOTUSER ROOTPASSWORD
mc mb local/encryptedbucket
mc encrypt set SSE-KMS encrypted-bucket-key ALIAS/encryptedbucket
Write a file to the bucket using :mc:`mc cp` or any S3-compatible SDK with a ``PutObject`` function.
You can then run :mc:`mc stat` on the file to confirm the associated encryption metadata.

4
source/includes/container/steps-deploy-minio-single-node-single-drive.rst
View File

@ -28,7 +28,7 @@ Select the container management interface of your choice for the relevant comman
podman run -dt \
-p 9000:9000 -p 9090:9090 \
-v PATH:/data/minio \
-v PATH:/mnt/data \
-v /etc/default/minio:/etc/config.env \
-e "MINIO_CONFIG_ENV_FILE=/etc/config.env" \
--name "minio_local" \
@ -45,7 +45,7 @@ Select the container management interface of your choice for the relevant comman
docker run -dt \
-p 9000:9000 -p 9090:9090 \
-v PATH:/data/minio \
-v PATH:/mnt/data \
-v /etc/default/minio:/etc/config.env \
-e "MINIO_CONFIG_ENV_FILE=/etc/config.env" \
--name "minio_local" \

170
source/includes/k8s/common-minio-kes.rst Normal file
View File

@ -0,0 +1,170 @@
.. start-kes-prereq-hashicorp-vault-desc
This procedure assumes an existing `Hashicorp Vault <https://www.vaultproject.io/>`__ installation accessible from the Kubernetes cluster.
- For Vault deployments within the same Kubernetes cluster as the MinIO Tenant, you can use Kubernetes service names to allow the MinIO Tenant to establish connectivity to the Vault service.
- For Vault deployments external to the Kubernetes cluster, you must configure Ingress or a similar network control plane component to allow the MinIO Tenant to establish connectivity to Vault.
Defer to the `Vault Documentation <https://learn.hashicorp.com/vault>`__ for guidance on deployment and configuration.
MinIO |KES| supports both the V1 and V2 Vault engines.
Select the corresponding tab to the engine used by your Vault deployment for instructions on configuring the necessary permissions:
.. tab-set::
.. tab-item:: Vault Engine V1
Create an access policy ``kes-policy.hcl`` with a configuration similar to the following:
.. code-block:: shell
:class: copyable
path "kv/*" {
capabilities = [ "create", "read", "delete" ]
}
Write the policy to Vault using ``vault policy write kes-policy kes-policy.hcl``.
.. tab-item:: Vault Engine V2
Create an access policy ``kes-policy.hcl`` with a configuration similar to the following:
.. code-block:: shell
:class: copyable
path "kv/data/*" {
capabilities = [ "create", "read"]
path "kv/metadata/*" {
capabilities = [ "list", "delete"]
Write the policy to Vault using ``vault policy write kes-policy kes-policy.hcl``
MinIO requires using AppRole authentication for secure communication with the Vault server.
The following commands:
- Create an App Role ID for |KES|
- Binds that role to the created KES policy
- Requests a RoleID and SecretID
.. code-block:: shell
:class: copyable
vault write auth/approle/role/kes-role token_num_uses=0 secret_id_num_uses=0 period=5m
vault write auth/approle/role/kes-role policies=kes-policy
vault read auth/approle/role/kes-role/role-id
vault write -f auth/approle/role/kes-role/secret-id
You must specify both RoleID and SecretID as part of this procedure.
.. end-kes-prereq-hashicorp-vault-desc
.. start-kes-enable-sse-kms-desc
You can use either the MinIO Tennat Console or the MinIO :mc:`mc` CLI to enable bucket-default SSE-KMS with the generated key:
.. tab-set::
.. tab-item:: MinIO Tenant Console
You can manually :ref:`port forward <create-tenant-operator-forward-ports>` the MinIO Tenant Console service to your local host machine for simplified access:
.. code-block:: shell
:class: copyable
# Replace 'minio-tenant' with the name of the MinIO Tenant
# Replace '-n minio' with the namespace of the MinIO Tenant
kubectl port-forward svc/minio-tenant-console 9443:9443 -n minio
Open the MinIO Console by navigating to http://127.0.0.1:9443 in your preferred browser and logging in with the root credentials for the deployment.
Once logged in, create a new Bucket and name it to your preference.
Select the Gear :octicon:`gear` icon to open the management view.
Select the pencil :octicon:`pencil` icon next to the :guilabel:`Encryption` field to open the modal for configuring a bucket default SSE scheme.
Select :guilabel:`SSE-KMS`, then enter the name of the key created in the previous step.
Once you save your changes, try to upload a file to the bucket.
When viewing that file in the object browser, note that in the sidebar the metadata includes the SSE encryption scheme and information on the key used to encrypt that object.
This indicates the successful encrypted state of the object.
.. tab-item:: MinIO CLI
You can manually :ref:`port forward <create-tenant-operator-forward-ports>` the ``minio`` service for temporary access via the local host.
Run this command in a separate Terminal or Shell:
.. code-block:: shell
:class: copyable
# Replace '-n minio' with the namespace of the MinIO deployment
# If you deployed the Tenant without TLS you may need to change the port range
# You can validate the ports in use by running
# kubectl get svc/minio -n minio
kubectl port forward svc/minio 443:443 -n minio
The following commands in a new Terminal or Shell window:
- Create a new :ref:`alias <alias>` for the MinIO deployment
- Create a new bucket for storing encrypted data
- Enable SSE-KMS encryption on that bucket
.. code-block:: shell
:class: copyable
mc alias set k8s https://127.0.0.1:443 ROOTUSER ROOTPASSWORD
mc mb k8s/encryptedbucket
mc encrypt set SSE-KMS encrypted-bucket-key k8s/encryptedbucket
Write a file to the bucket using :mc:`mc cp` or any S3-compatible SDK with a ``PutObject`` function.
You can then run :mc:`mc stat` on the file to confirm the associated encryption metadata.
.. end-kes-enable-sse-kms-desc
.. start-kes-generate-key-desc
MinIO requires that the |EK| for a given bucket or object exist on the root KMS *before* performing |SSE| operations using that key.
You can use the :mc:`mc admin kms key create` command against the MinIO Tenant.
You must ensure your local host can access the MinIO Tenant pods and services before using :mc:`mc` to manage the Tenant.
You can manually :ref:`port forward <create-tenant-operator-forward-ports>` the ``minio`` service for temporary access via the local host.
Run this command in a separate Terminal or Shell:
.. code-block:: shell
:class: copyable
# Replace '-n minio' with the namespace of the MinIO deployment
# If you deployed the Tenant without TLS you may need to change the port range
# You can validate the ports in use by running
# kubectl get svc/minio -n minio
kubectl port forward svc/minio 443:443 -n minio
The following commands in a new Terminal or Shell window:
- Connect a local :mc:`mc` client to the Tenant.
- Create the encryption key.
See :ref:`mc-install` for instructions on installing ``mc`` on your local host.
.. code-block:: shell
:class: copyable
# Replace USERNAME and PASSWORD with a user on the tenant with administrative permissions
# such as the root user
mc alias add k8s https://localhost:443 ROOTUSER ROOTPASSWORD
# Replace my-new-key with the name of the key you want to use for SSE-KMS
mc admin kms key create k8s encrypted-bucket-key
.. end-kes-generate-key-desc

120
source/includes/k8s/steps-configure-minio-kes-hashicorp.rst Normal file
View File

@ -0,0 +1,120 @@
This procedure assumes you have access to a Kubernetes cluster with an active MinIO Operator installation.
As part of this procedure, you will:
- Use the MinIO Operator Console to create or manage a MinIO Tenant.
- Access the :guilabel:`Encryption` settings for that tenant and configure |SSE| using Hashicorp Vault.
- Create a new |EK| on Vault for use with |SSE|.
- Configure automatic bucket-default :ref:`SSE-KMS <minio-encryption-sse-kms>`.
.. important::
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-encrypted-backend-desc
:end-before: end-kes-encrypted-backend-desc
Prerequisites
-------------
.. _minio-sse-vault-prereq-vault:
Deploy or Ensure Access to a Hashicorp Vault Service
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/k8s/common-minio-kes.rst
:start-after: start-kes-prereq-hashicorp-vault-desc
:end-before: end-kes-prereq-hashicorp-vault-desc
Deploy MinIO Tenant with Server-Side Encryption using Hashicorp Vault
---------------------------------------------------------------------
1) Access the Operator Console
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Use the :mc-cmd:`kubectl minio proxy` command to temporarily forward traffic between the local host machine and the MinIO Operator Console:
.. code-block:: shell
:class: copyable
kubectl minio proxy
The command returns output similar to the following:
.. code-block:: shell
Starting port forward of the Console UI.
To connect open a browser and go to http://localhost:9090
Current JWT to login: TOKEN
Open your browser to the specified URL and enter the JWT Token into the login page.
You should see the :guilabel:`Tenants` page:
.. image:: /images/k8s/operator-dashboard.png
:align: center
:width: 70%
:class: no-scaled-link
:alt: MinIO Operator Console
Click the :guilabel:`+ Create Tenant` to start creating a MinIO Tenant.
2) Complete the :guilabel:`Encryption` Section
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Reference the :ref:`Deploy a MinIO Tenant <minio-k8s-deploy-minio-tenant>` procedure for complete documentation of other Tenant settings.
To enable |SSE| with Hashicorp Vault during Tenant deployment, select the :guilabel:`Encryption` section and toggle the switch to :guilabel:`Enabled`.
You can then select the :guilabel:`Vault` Radio button to :guilabel:`Vault` to display the Vault configuration settings.
.. image:: /images/k8s/operator-create-tenant-encryption.png
:align: center
:width: 70%
:class: no-scaled-link
:alt: MinIO Operator Console - Create a Tenant - Encryption Section
An asterisk ``*`` marks required fields.
The following table provides general guidance for those fields:
.. list-table::
:header-rows: 1
:widths: 40 60
:width: 100%
* - Field
- Description
* - Endpoint
- The hostname or IP address for the Vault service (``https://vault.example.net:8200``) to use for |SSE|.
The MinIO Tenant |KES| pods *must* have network access to the specified endpoint.
For Vault services deployed in the *same* Kubernetes cluster as the MinIO Tenant, you can specify either the service's cluster IP *or* its :kube-docs:`DNS hostname <concepts/services-networking/dns-pod-service/>`.
For Vault services external to the Kubernetes cluster, you can specify that external hostname to the MinIO Tenant.
This assumes that your Kubernetes network configuration supports routing internal traffic to external networks like the public internet.
* - | AppRole ID
| AppRole Secret
- Specify the Vault AppRole ID and AppRole Secret MinIO should use when authenticating to the Vault service.
Review the :ref:`Vault Prerequisites <minio-sse-vault-prereq-vault>` for instructions on generating these values.
MinIO defaults to using the `KV Version 1 <https://www.vaultproject.io/docs/secrets/kv>`__ engine.
You can specify ``v2`` to enable the KV Version 2 engine.
Once you have completed the Vault configuration, you can finish any remaining sections of :ref:`Tenant Deployment <minio-k8s-deploy-minio-tenant>`.
3) Generate a New Encryption Key
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/k8s/common-minio-kes.rst
:start-after: start-kes-generate-key-desc
:end-before: end-kes-generate-key-desc
4) Enable SSE-KMS for a Bucket
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/k8s/common-minio-kes.rst
:start-after: start-kes-enable-sse-kms-desc
:end-before: end-kes-enable-sse-kms-desc

78
source/includes/linux/common-minio-kes.rst Normal file
View File

@ -0,0 +1,78 @@
.. start-kes-download-desc
Download the latest stable release (|kes-stable|) of KES from :minio-git:`github.com/minio/kes <kes/releases/latest>`.
Select the binary appropriate for the host OS architecture.
For example, hosts running X86-64 (Intel/AMD64) should download the ``kes-linux-amd64`` package.
The following example code downloads the latest Linux AMD64-compatible binary and moves it to the system ``PATH``:
.. code-block:: shell
:class: copyable
:substitutions:
wget https://github.com/minio/kes/releases/download/v|kes-stable|/kes-linux-amd64 -O /tmp/kes && \
chmod +x /tmp/kes && \
sudo mv /tmp/kes /usr/local/bin
kes --version
For distributed KES topologies, repeat this step and all following KES-specific instructions for each host on which you want to deploy KES.
MinIO strongly recommends configuring a load balancer with a "Least Connections" configuration to manage connections to distributed KES hosts.
.. end-kes-download-desc
.. start-kes-service-file-desc
Create the ``/etc/systemd/system/minio.service`` file on all KES hosts:
.. literalinclude:: /extra/kes.service
:language: shell
You may need to run ``systemctl daemon-reload`` to load the new service file into ``systemctl``.
The ``kes.service`` file runs as the ``kes-user`` User and Group by default.
You can create the user and group using the ``useradd`` and ``groupadd`` commands.
The following example creates the user and group.
These commands typically require root (``sudo``) permissions.
.. code-block:: shell
:class: copyable
groupadd -r kes-user
useradd -M -r -g kes-user kes-user
.. end-kes-service-file-desc
.. start-kes-start-service-desc
Run the following command on each KES host to start the service:
.. code-block:: shell
:class: copyable
systemctl start kes
You can validate the startup by using ``systemctl status kes``.
If the service started successfully, use ``journalctl -uf kes`` to check the KES output logs.
.. end-kes-start-service-desc
.. start-kes-minio-start-service-desc
For new MinIO deployments, run the following command on each MinIO host to start the service:
.. code-block:: shell
:class: copyable
systemctl start minio
For existing MinIO deployments, run the following command on each MinIO host to restart the service:
.. code-block:: shell
:class: copyable
systemctl reload minio
systemctl restart minio
.. end-kes-minio-start-service-desc

135
source/includes/linux/steps-configure-minio-kes-hashicorp.rst Normal file
View File

@ -0,0 +1,135 @@
This procedure assumes a single local host machine running the MinIO and KES processes.
As part of this procedure, you will:
- Deploy a |KES| server configured to use `Hashicorp Vault <https://www.vaultproject.io/>`__ as the root |KMS|.
- Create a new |EK| on Vault for use with |SSE|.
- Deploy a MinIO server configured to use the |KES| container for supporting |SSE|.
- Configure automatic bucket-default :ref:`SSE-KMS <minio-encryption-sse-kms>`.
For production environments, this procedure provides general guidance on deploying and configuring KES at scale.
Defer to the :ref:`Deploy Distributed MinIO <minio-mnmd>` tutorial for guidance on production-ready MinIO deployments.
For production orchestrated environments, use the MinIO Kubernetes Operator to deploy a tenant with |SSE| enabled and configured for use with Hashicorp Vault.
.. important::
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-encrypted-backend-desc
:end-before: end-kes-encrypted-backend-desc
Prerequisites
-------------
.. _minio-sse-vault-prereq-vault:
Deploy or Ensure Access to a Hashicorp Vault Service
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common/common-minio-kes-hashicorp.rst
:start-after: start-kes-prereq-hashicorp-vault-desc
:end-before: end-kes-prereq-hashicorp-vault-desc
Deploy or Ensure Access to a MinIO Deployment
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-new-existing-minio-deployment-desc
:end-before: end-kes-new-existing-minio-deployment-desc
Deploy MinIO and KES to Enable Server-Side Encryption with Hashicorp Vault
--------------------------------------------------------------------------
Prior to starting these steps, create the following folders:
.. code-block:: shell
:class: copyable
mkdir -P ~/minio-kes-vault/certs ~/minio-kes-vault/minio ~/minio-kes-vault/config
1) Download KES and Create the Service File
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
a. Download KES
.. include:: /includes/linux/common-minio-kes.rst
:start-after: start-kes-download-desc
:end-before: end-kes-download-desc
b. Create the Service File
.. include:: /includes/linux/common-minio-kes.rst
:start-after: start-kes-service-file-desc
:end-before: end-kes-service-file-desc
2) Generate TLS Certificates for KES and MinIO
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-generate-kes-certs-desc
:end-before: end-kes-generate-kes-certs-desc
3) Create the KES and MinIO Configurations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
a. Create the KES Configuration File
.. include:: /includes/common/common-minio-kes-hashicorp.rst
:start-after: start-kes-configuration-hashicorp-vault-desc
:end-before: end-kes-configuration-hashicorp-vault-desc
Save the configuration file as ``~/minio-kes-vault/config/kes-config.yaml``.
- Set ``MINIO_IDENTITY_HASH`` to the identity hash of the MinIO mTLS certificate.
The following command computes the necessary hash:
.. code-block:: shell
:class: copyable
kes tool identity of ~/minio-kes-vault/certs/minio-kes.cert
- Replace the ``vault.endpoint`` with the hostname of the Vault server(s).
- Replace the ``VAULTAPPID`` and ``VAULTAPPSECRET`` with the appropriate :ref:`Vault AppRole credentials <minio-sse-vault-prereq-vault>`.
b. Create the MinIO Environment File
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-configuration-minio-desc
:end-before: end-kes-configuration-minio-desc
4) Start KES and MinIO
~~~~~~~~~~~~~~~~~~~~~~
You must start KES *before* starting MinIO.
The MinIO deployment requires access to KES as part of its startup.
a. Start the KES Server
.. include:: /includes/linux/common-minio-kes.rst
:start-after: start-kes-start-service-desc
:end-before: end-kes-start-service-desc
b. Start the MinIO Server
.. include:: /includes/linux/common-minio-kes.rst
:start-after: start-kes-minio-start-service-desc
:end-before: end-kes-minio-start-service-desc
5) Generate a New Encryption Key
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-generate-key-desc
:end-before: end-kes-generate-key-desc
6) Enable SSE-KMS for a Bucket
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-enable-sse-kms-desc
:end-before: end-kes-enable-sse-kms-desc

4
source/includes/macos/common-installation.rst
View File

@ -29,7 +29,7 @@
:class: copyable
curl -O https://dl.min.io/server/minio/release/darwin-arm64/minio
chmod +x minio
chmod +x ./minio
sudo mv ./minio /usr/local/bin/
.. tab-item:: Binary - amd64
@ -40,7 +40,7 @@
:class: copyable
curl -O https://dl.min.io/server/minio/release/darwin-amd64/minio
chmod +x minio
chmod +x ./minio
sudo mv ./minio /usr/local/bin/
.. end-install-minio-binary-desc

56
source/includes/macos/common-minio-kes.rst Normal file
View File

@ -0,0 +1,56 @@
..start-kes-download-desc
Download the binary of the latest stable KES release (|kes-stable|) from :minio-git:`github.com/minio/kes <kes/releases/>`.
Select the tab corresponding to the architecture for your MacOS hardware.
The command downloads the |kes-stable| binary for that architecture, sets it to executable, and adds it to your system PATH.
.. tab-set::
.. tab-item:: ARM64 (Apple Silicon)
.. code-block:: shell
:class: copyable
:substitutions:
curl -O https://github.com/minio/kes/releases/download/v|kes-stable|/kes-darwin-arm64
chmod +x ./kes-darwin-arm64
sudo mv ./kes-darwin-arm64 /usr/local/bin/kes
.. tab-item:: AMD64 (Intel)
.. code-block:: shell
:class: copyable
:substitutions:
curl -O https://github.com/minio/kes/releases/download/v|kes-stable|/kes-darwin-amd64
chmod +x ./kes-darwin-amd64
sudo mv ./kes-darwin-amd64 /usr/local/bin/kes
.. end-kes-download-desc
.. start-kes-start-server-desc
Run the following command in a terminal or shell to start the KES server as a foreground process.
.. code-block:: shell
:class: copyable
kes server --mlock --auth --config=~/minio-kes-vault/kes-server-config.yaml
Defer to the documentation for your MacOS Operating System version for instructions on running a process in the background.
.. end-kes-start-server-desc
.. start-kes-minio-start-server-desc
Run the following command in a terminal or shell to start the MinIO server as a foreground process.
.. code-block:: shell
:class: copyable
export MINIO_CONFIG_ENV_FILE=/etc/default/minio
minio server --console-address :9090
.. end-kes-minio-start-server-desc

4
source/includes/macos/quickstart.rst
View File

@ -23,14 +23,14 @@ Procedure
#. **Install the MinIO Server**
.. include:: /includes/macos/common-installation.rst
.. include:: /includes/macos/common-installation.rst
:start-after: start-install-minio-binary-desc
:end-before: end-install-minio-binary-desc
#. **Launch the MinIO Server**
.. include:: /includes/macos/common-installation.rst
.. include:: /includes/macos/common-installation.rst
:start-after: start-run-minio-binary-desc
:end-before: end-run-minio-binary-desc

127
source/includes/macos/steps-configure-minio-kes-hashicorp.rst Normal file
View File

@ -0,0 +1,127 @@
This procedure assumes a single local host machine running the MinIO and KES processes.
As part of this procedure, you will:
- Deploy a |KES| server configured to use `Hashicorp Vault <https://www.vaultproject.io/>`__ as the root |KMS|.
- Create a new |EK| on Vault for use with |SSE|.
- Deploy a MinIO server configured to use the |KES| container for supporting |SSE|.
- Configure automatic bucket-default :ref:`SSE-KMS <minio-encryption-sse-kms>`.
For production environments, MinIO recommends using Linux hosts.
See the MinIO on Linux documentation for configuring MinIO with KES and Hashicorp Vault.
For production orchestrated environments, use the MinIO Kubernetes Operator to deploy a tenant with |SSE| enabled and configured for use with Hashicorp Vault.
.. important::
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-encrypted-backend-desc
:end-before: end-kes-encrypted-backend-desc
Prerequisites
-------------
.. _minio-sse-vault-prereq-vault:
Deploy or Ensure Access to a Hashicorp Vault Service
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common/common-minio-kes-hashicorp.rst
:start-after: start-kes-prereq-hashicorp-vault-desc
:end-before: end-kes-prereq-hashicorp-vault-desc
Deploy or Ensure Access to a MinIO Deployment
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-new-existing-minio-deployment
:end-before: end-kes-new-existing-minio-deployment
Deploy MinIO and KES to Enable Server-Side Encryption with Hashicorp Vault
--------------------------------------------------------------------------
Prior to starting these steps, create the following folders:
.. code-block:: shell
:class: copyable
mkdir -P ~/minio-kes-vault/certs ~/minio-kes-vault/minio ~/minio-kes-vault/config
1) Download KES and Create the Service File
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/macos/common-minio-kes.rst
:start-after: start-kes-download-desc
:end-before: end-kes-download-desc
2) Generate TLS Certificates for KES and MinIO
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-generate-kes-certs-desc
:end-before: end-kes-generate-kes-certs-desc
3) Create the KES and MinIO Configurations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
a. Create the KES Configuration File
.. include:: /includes/common/common-minio-kes-hashicorp.rst
:start-after: start-kes-configuration-hashicorp-vault-desc
:end-before: end-kes-configuration-hashicorp-vault-desc
Save the configuration file as ``~/minio-kes-vault/config/kes-config.yaml``.
- Set ``MINIO_IDENTITY_HASH`` to the identity hash of the MinIO mTLS certificate.
The following command computes the necessary hash:
.. code-block:: shell
:class: copyable
kes tool identity of ~/minio-kes-vault/certs/minio-kes.cert
- Replace the ``vault.endpoint`` with the hostname of the Vault server(s).
- Replace the ``VAULTAPPID`` and ``VAULTAPPSECRET`` with the appropriate :ref:`Vault AppRole credentials <minio-sse-vault-prereq-vault>`.
b. Create the MinIO Environment File
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-configuration-minio-desc
:end-before: end-kes-configuration-minio-desc
4) Start KES and MinIO
~~~~~~~~~~~~~~~~~~~~~~
You must start KES *before* starting MinIO.
The MinIO deployment requires access to KES as part of its startup.
a. Start the KES Server
.. include:: /includes/macos/common-minio-kes.rst
:start-after: start-kes-start-server-desc
:end-before: end-kes-start-server-desc
b. Start the MinIO Server
.. include:: /includes/macos/common-minio-kes.rst
:start-after: start-kes-minio-start-server-desc
:end-before: end-kes-minio-start-server-desc
5) Generate a New Encryption Key
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-generate-key-desc
:end-before: end-kes-generate-key-desc
6) Enable SSE-KMS for a Bucket
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-enable-sse-kms-desc
:end-before: end-kes-enable-sse-kms-desc

2
source/includes/macos/steps-deploy-minio-single-node-multi-drive.rst
View File

@ -20,7 +20,7 @@ You must keep the shell or terminal session open to keep the process running.
.. include:: /includes/macos/common-installation.rst
:start-after: start-run-minio-binary-desc
:end-before: start-run-minio-binary-desc
:end-before: end-run-minio-binary-desc
4) Connect to the MinIO Deployment
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

150
source/includes/windows/common-minio-kes.rst Normal file
View File

@ -0,0 +1,150 @@
.. start-kes-generate-kes-certs-desc
The following commands creates two TLS certificates that expire within 30 days of creation:
- A TLS certificate for KES to secure communications between it and the Vault deployment
- A TLS certificate for MinIO to perform mTLS authentication to KES.
.. admonition:: Use Caution in Production Environments
:class: important
**DO NOT** use the TLS certificates generated as part of this procedure for
any long-term development or production environments.
Defer to organization/industry best practices around TLS certificate
generation and management. A complete guide to creating valid certificates
(e.g. well-formed, current, and trusted) is beyond the scope of this
procedure.
.. code-block:: powershell
:class: copyable
C:\kes.exe tool identity new \
--key C:\minio-kes-vault\certs\kes-server.key \
--cert C:\minio-kes-vault\certs\kes-server.cert \
--ip "127.0.0.1" \
--dns localhost
C:\kes tool identity new \
--key C:\minio-kes-vault\certs\minio-kes.key \
--cert C:\minio-kes-vault\certs\minio-kes.cert \
--ip "127.0.0.1" \
--dns localhost
These commands output the keys to the ``C:\minio-kes-vault\certs`` directory on the host operating system.
The ``--ip`` and ``--dns`` parameters set the IP and DNS ``SubjectAlternativeName`` for the certificate.
The above example assumes that all components (Vault, MinIO, and KES) deploy on the same local host machine accessible via ``localhost`` or ``127.0.0.1``.
You can specify additional IP or Hostnames based on the network configuration of your local host.
Depending on your Vault configuration, you may need to pass the ``kes-server.cert`` as a trusted Certificate Authority. See the `Hashicorp Server Configuration Documentation <https://www.vaultproject.io/docs/configuration/listener/tcp#tls_client_ca_file>`__ for more information.
Defer to the client documentation for instructions on trusting a third-party CA.
.. end-kes-generate-kes-certs-desc
.. start-kes-download-desc
Download the latest stable release (|kes-stable|) of KES from :minio-git:`github.com/minio/kes <kes/releases/latest>`.
The following PowerShell command downloads the latest Windows-compatible binary and moves it to the system ``PATH``:
.. code-block:: powershell
:class: copyable
:substitutions:
Invoke-WebRequest -Uri "https://github.com/minio/kes/releases/download/v|kes-stable|/kes-linux-windows-amd64.exe" -OutFile "C:\kes.exe"
C:\kes.exe --version
.. end-kes-download-desc
.. start-kes-start-server-desc
Run the following command in a terminal or shell to start the KES server as a foreground process.
.. code-block:: powershell
:class: copyable
C:\kes.exe server --auth --config=C:\minio-kes-vault\config\kes-server-config.yaml
Defer to the documentation for your MacOS Operating System version for instructions on running a process in the background.
.. end-kes-start-server-desc
.. start-kes-minio-start-server-desc
Run the following command in a terminal or shell to start the MinIO server as a foreground process.
.. code-block:: powershell
:class: copyable
export MINIO_CONFIG_ENV_FILE=C:\minio-kes-vault\config\minio
C:\minio.exe server --console-address :9090
.. end-kes-minio-start-server-desc
.. start-kes-generate-key-desc
MinIO requires that the |EK| exist on the root KMS *before* performing |SSE| operations using that key.
Use ``kes key create`` *or* :mc:`mc admin kms key create` to create a new |EK| for use with |SSE|.
The following command uses the ``kes key create`` command to create a new External Key (EK) stored on the root KMS server for use with encrypting the MinIO backend.
.. code-block:: powershell
:class: copyable
export KES_SERVER=https://127.0.0.1:7373
export KES_CLIENT_KEY=C:\minio-kes-vault\certs\minio-kes.key
export KES_CLIENT_CERT=C:\minio-kes-vault\certs\minio-kes.cert
C:\kes.exe key create -k encrypted-bucket-key
.. end-kes-generate-key-desc
.. start-kes-new-existing-minio-deployment-desc
This procedure provides instructions for modifying the startup environment variables of a MinIO deployment to enable |SSE| via KES and the root KMS.
For instructions on new creating a new deployment, reference the :ref:`Single-Node Single-Drive <minio-snsd>` tutorial.
When creating the environment file for the deployment, pause and switch back to this tutorial to include the necessary environment variables to support |SSE|.
For existing MinIO Deployments, you can modify the existing environment file and restart the deployment as instructed during this procedure.
.. end-kes-new-existing-minio-deployment-desc
.. start-kes-configuration-minio-desc
Add the following lines to the MinIO Environment file on the Windows host.
See the tutorials for :ref:`minio-snsd` for more detailed descriptions of a base MinIO environment file.
This command assumes the ``minio-kes.cert``, ``minio-kes.key``, and ``kes-server.cert`` certificates are accessible at the specified location:
.. code-block:: shell
:class: copyable
# Add these environment variables to the existing environment file
MINIO_KMS_KES_ENDPOINT=https://HOSTNAME:7373
MINIO_KMS_KES_CERT_FILE=C:\minio-kes-vault\certs\minio-kes.cert
MINIO_KMS_KES_KEY_FILE=C:\minio-kes-vault\certs\minio-kes.key
MINIO_KMS_KES_CAPATH=C:\minio-kes-vault\certs\kes-server.cert
MINIO_KMS_KES_KEY_NAME=minio-backend-default-key
minio server [ARGUMENTS]
Replace ``HOSTNAME`` with the IP address or hostname of the KES server.
If the MinIO server host machines cannot resolve or reach the specified ``HOSTNAME``, the deployment may return errors or fail to start.
- If using a single KES server host, specify the IP or hostname of that host
- If using multiple KES server hosts, specify the load balancer or reverse proxy managing connections to those hosts.
MinIO uses the :envvar:`MINIO_KMS_KES_KEY_NAME` key for the following cryptographic operations:
- Encrypting the MinIO backend (IAM, configuration, etc.)
- Encrypting objects using :ref:`SSE-KMS <minio-encryption-sse-kms>` if the request does not
include a specific |EK|.
- Encrypting objects using :ref:`SSE-S3 <minio-encryption-sse-s3>`.
The ``minio-kes`` certificates enable mTLS between the MinIO deployment and the KES server *only*.
They do not otherwise enable TLS for other client connections to MinIO.
.. end-kes-configuration-minio-desc

129
source/includes/windows/steps-configure-minio-kes-hashicorp.rst Normal file
View File

@ -0,0 +1,129 @@
This procedure assumes a single local host machine running the MinIO and KES processes.
As part of this procedure, you will:
- Deploy a |KES| server configured to use `Hashicorp Vault <https://www.vaultproject.io/>`__ as the root |KMS|.
- Create a new |EK| on Vault for use with |SSE|.
- Deploy a MinIO server configured to use the |KES| container for supporting |SSE|.
- Configure automatic bucket-default :ref:`SSE-KMS <minio-encryption-sse-kms>`.
For production baremetal environments, deploy MinIO onto Linux hosts and follow the corresponding documentation for this procedure.
For production orchestrated environments, use the MinIO Kubernetes Operator to deploy a tenant with |SSE| enabled and configured for use with Hashicorp Vault.
.. important::
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-encrypted-backend-desc
:end-before: end-kes-encrypted-backend-desc
Prerequisites
-------------
.. _minio-sse-vault-prereq-vault:
Deploy or Ensure Access to a Hashicorp Vault Service
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common/common-minio-kes-hashicorp.rst
:start-after: start-kes-prereq-hashicorp-vault-desc
:end-before: end-kes-prereq-hashicorp-vault-desc
Deploy or Ensure Access to a MinIO Deployment
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/windows/common-minio-kes.rst
:start-after: start-kes-new-existing-minio-deployment-desc
:end-before: end-kes-new-existing-minio-deployment-desc
Deploy MinIO and KES to Enable Server-Side Encryption with Hashicorp Vault
--------------------------------------------------------------------------
Prior to starting these steps, create the following folders:
.. code-block:: powershell
:class: copyable
New-Item -Path "C:\minio-kes-vault" -ItemType "directory"
New-Item -Path "C:\minio-kes-vault\certs" -ItemType "directory"
New-Item -Path "C:\minio-kes-vault\minio" -ItemType "directory"
New-Item -Path "C:\minio-kes-vault\config" -ItemType "directory"
1) Download KES for Windows
~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/windows/common-minio-kes.rst
:start-after: start-kes-download-desc
:end-before: end-kes-download-desc
2) Generate TLS Certificates for KES and MinIO
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/windows/common-minio-kes.rst
:start-after: start-kes-generate-kes-certs-desc
:end-before: end-kes-generate-kes-certs-desc
3) Create the KES and MinIO Configurations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
a. Create the KES Configuration File
.. include:: /includes/common/common-minio-kes-hashicorp.rst
:start-after: start-kes-configuration-hashicorp-vault-desc
:end-before: end-kes-configuration-hashicorp-vault-desc
Save the configuration file as ``C:\minio-kes-vault\config\kes-config.yaml``.
- Set ``MINIO_IDENTITY_HASH`` to the identity hash of the MinIO mTLS certificate.
The following command computes the necessary hash:
.. code-block:: shell
:class: copyable
kes tool identity of C:\minio-kes-vault\certs\minio-kes.cert
- Replace the ``vault.endpoint`` with the hostname of the Vault server(s).
- Replace the ``VAULTAPPID`` and ``VAULTAPPSECRET`` with the appropriate :ref:`Vault AppRole credentials <minio-sse-vault-prereq-vault>`.
b. Create the MinIO Environment File
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-configuration-minio-desc
:end-before: end-kes-configuration-minio-desc
4) Start KES and MinIO
~~~~~~~~~~~~~~~~~~~~~~
You must start KES *before* starting MinIO.
The MinIO deployment requires access to KES as part of its startup.
a. Start the KES Server
.. include:: /includes/windows/common-minio-kes.rst
:start-after: start-kes-start-server-desc
:end-before: end-kes-start-server-desc
b. Start the MinIO Server
.. include:: /includes/windows/common-minio-kes.rst
:start-after: start-kes-minio-start-server-desc
:end-before: end-kes-minio-start-server-desc
5) Generate a New Encryption Key
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/windows/common-minio-kes.rst
:start-after: start-kes-generate-key-desc
:end-before: end-kes-generate-key-desc
6) Enable SSE-KMS for a Bucket
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-enable-sse-kms-desc
:end-before: end-kes-enable-sse-kms-desc

9
source/operations/install-deploy-manage/deploy-minio-single-node-single-drive.rst
View File

@ -19,7 +19,14 @@ This feature allows access to :ref:`erasure coding dependent features <minio-era
MinIO only starts in |SNSD| mode if the storage volume or path is empty *or* only contain files generated by a previous |SNSD| deployment.
See the documentation on :ref:`SNSD behavior with pre-existing data <minio-snsd-pre-existing-data>` for more information.
For extended development or production environments, deploy MinIO in :guilabel:`Distributed Mode`. See :ref:`deploy-minio-distributed </operations/install-deploy-manage/multi-site-replication>` for more information.
.. cond:: container
For extended development or production environments in orchestrated environments, use the MinIO Kubernetes Operator to deploy a Tenant on multiple worker nodes.
.. cond:: linux
For extended development or production environments, deploy MinIO in a :ref:`Multi-Node Multi-Drive (Distributed) <minio-mnmd>` topology
.. _minio-snsd-pre-existing-data:

275
source/operations/server-side-encryption/configure-minio-kes-hashicorp.rst
View File

@ -16,279 +16,32 @@ Server-Side Object Encryption with Hashicorp Vault Root KMS
.. |KES-git| replace:: :minio-git:`Key Encryption Service (KES) <kes>`
.. |KES| replace:: :abbr:`KES (Key Encryption Service)`
MinIO Server-Side Encryption (SSE) protects objects as part of write operations,
allowing clients to take advantage of server processing power to secure objects
at the storage layer (encryption-at-rest). SSE also provides key functionality
to regulatory and compliance requirements around secure locking and erasure.
MinIO Server-Side Encryption (SSE) protects objects as part of write operations, allowing clients to take advantage of server processing power to secure objects at the storage layer (encryption-at-rest).
SSE also provides key functionality to regulatory and compliance requirements around secure locking and erasure.
MinIO SSE uses |KES-git| and an
external root Key Management Service (KMS) for performing secured cryptographic
operations at scale. The root KMS provides stateful and secured storage of
External Keys (EK) while |KES| is stateless and derives additional cryptographic
keys from the root-managed |EK|.
MinIO SSE uses |KES-git| and an external root Key Management Service (KMS) for performing secured cryptographic operations at scale.
The root KMS provides stateful and secured storage of External Keys (EK) while |KES| is stateless and derives additional cryptographic keys from the root-managed |EK|.
This procedure does the following:
.. cond:: container
- Configure |KES| to use
`Hashicorp Vault <https://www.vaultproject.io/>`__ as the root |KMS|.
.. include:: /includes/container/steps-configure-minio-kes-hashicorp.rst
- Configure MinIO to use the |KES| instance for supporting |SSE|.
.. cond:: linux
- Configure automatic bucket-default
:ref:`SSE-KMS <minio-encryption-sse-kms>` and
:ref:`SSE-S3 <minio-encryption-sse-s3>`.
.. include:: /includes/linux/steps-configure-minio-kes-hashicorp.rst
Prerequisites
-------------
.. cond:: macos
.. _minio-sse-vault-prereq-vault:
.. include:: /includes/macos/steps-configure-minio-kes-hashicorp.rst
Hashicorp Vault
~~~~~~~~~~~~~~~
.. cond:: k8s
This procedure assumes familiarity with
`Hashicorp Vault <https://www.vaultproject.io/>`__. The
Vault `Quick Start
<https://learn.hashicorp.com/tutorials/vault/getting-started-install>`__
provides a sufficient foundation for the purposes of this procedure.
.. include:: /includes/k8s/steps-configure-minio-kes-hashicorp.rst
MinIO specifically requires the following Vault settings or configurations:
.. cond:: windows
- Enable the Vault K/V engine. KES version 0.15.0 and later support both the
v1 and v2 engines. This procedure uses the v1 engine.
.. include:: /includes/windows/steps-configure-minio-kes-hashicorp.rst
- For K/V v1, create an access policy ``kes-policy.hcl`` with a configuration
similar to the following:
.. code-block:: shell
:class: copyable
path "kv/*" {
capabilities = [ "create", "read", "delete" ]
}
Write the policy to Vault using
``vault policy write kes-policy kes-policy.hcl``.
- For K/V v2, create an access policy ``kes-policy.hcl`` with a configuration
similar to the following:
.. code-block:: shell
:class: copyable
path "kv/data/*" {
capabilities = [ "create", "read"]
path "kv/metadata/*" {
capabilities = [ "list", "delete"]
Write the policy to Vault using
``vault policy write kes-policy kes-policy.hcl``
- Enable Vault AppRole authentication, create an AppRole ID, bind it to
the necessary policy, and request both roleID and secret ID.
.. code-block:: shell
:class: copyable
vault write auth/approle/role/kes-role token_num_uses=0 secret_id_num_uses=0 period=5m
vault write auth/approle/role/kes-role policies=kes-policy
vault read auth/approle/role/kes-role/role-id
vault write -f auth/approle/role/kes-role/secret-id
The instructions on this page include configuring and starting Vault for
supporting development/evaluation of MinIO |SSE|. **DO NOT** use these
instructions for deploying Vault for any long-term development or production
environments. Extended development and production environments should defer to
the `Vault Documentation <https://learn.hashicorp.com/vault>`__ for specific
guidance on deployment and configuration.
Network Encryption (TLS)
~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common-minio-kes.rst
:start-after: start-kes-network-encryption-desc
:end-before: end-kes-network-encryption-desc
Podman Container Manager
~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common-minio-kes.rst
:start-after: start-kes-podman-desc
:end-before: end-kes-podman-desc
Enable MinIO Server-Side Encryption with Hashicorp Vault
--------------------------------------------------------
The following steps deploy |KES-git| configured to use an existing Hashicorp
Vault deployment as the root KMS for supporting |SSE|. These steps assume the
Vault deployment meets the :ref:`prerequisites <minio-sse-vault-prereq-vault>`.
Prior to starting these steps, create the following folders:
.. code-block:: shell
:class: copyable
mkdir -P ~/kes/certs ~/kes/config
1) Download the MinIO Key Encryption Service
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common-minio-kes.rst
:start-after: start-kes-download-desc
:end-before: end-kes-download-desc
2) Generate the TLS Private and Public Key for KES
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common-minio-kes.rst
:start-after: start-kes-generate-kes-certs-desc
:end-before: end-kes-generate-kes-certs-desc
3) Generate the TLS Private and Public Key for MinIO
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common-minio-kes.rst
:start-after: start-kes-generate-minio-certs-desc
:end-before: end-kes-generate-minio-certs-desc
4) Create the KES Configuration File
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|KES| uses a YAML-formatted configuration file. The following example YAML
specifies the minimum required fields for enabling |SSE| using Hashicorp Vault:
.. code-block:: shell
:class: copyable
address: 0.0.0.0:7373
# Disable the root identity, as we do not need that level of access for
# supporting SSE operations.
root: disabled
# Specify the TLS keys generated in the previous step here
# For production environments, use keys signed by a known and trusted
# Certificate Authority (CA).
tls:
key: /data/certs/server.key
cert: /data/certs/server.cert
# Create a policy named 'minio' that grants access to the
# /create, /generate, and /decrypt KES APIs for any key name
# KES uses mTLS to grant access to this policy, where only the client
# whose TLS certificate hash matches one of the "identities" can
# use this policy. Specify the hash of the MinIO server TLS certificate
# hash here.
policy:
minio:
allow:
- /v1/key/create/*
- /v1/key/generate/*
- /v1/key/decrypt/*
identities:
- ${MINIO_IDENTITY_HASH} # Replace with the output of 'kes tool identity of minio-kes.cert'
# Specify the connection information for the Vault server.
# The endpoint should be resolvable from the host.
# This example assumes that Vault is configured with an AppRole ID and
# Secret for use with KES.
keystore:
vault:
endpoint: https://HOSTNAME:8200
approle:
id: "${VAULTAPPID}" # Hashicorp Vault AppRole ID
secret: "${VAULTAPPSECRET}" # Hashicorp Vault AppRole Secret ID
retry: 15s
status:
ping: 10s
# Required if Vault uses certificates signed by an unknown CA,
# e.g. self-signed or internal (non-globally trusted).
tls:
ca: vault-tls.cert
Save the configuration file as ``~/kes/config/kes-config.yaml``. Any field with
value ``${VARIABLE}`` uses the environment variable with matching name as the
value. You can use this functionality to set credentials without writing them to
the configuration file.
- Set ``MINIO_IDENTITY_HASH`` to the output of
``kes tool identity of minio-kes.cert``.
- Replace the ``vault.endpoint`` with the hostname of the Vault server(s).
- Replace the ``VAULTAPPID`` and ``VAULTAPPSECRET`` with the appropriate
:ref:`Vault AppRole credentials <minio-sse-vault-prereq-vault>`.
5) Start KES
~~~~~~~~~~~~
.. include:: /includes/common-minio-kes.rst
:start-after: start-kes-run-server-desc
:end-before: end-kes-run-server-desc
6) Generate a Cryptographic Key
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common-minio-kes.rst
:start-after: start-kes-generate-key-desc
:end-before: end-kes-generate-key-desc
You can check the newly created key on the Vault server by running the
``vault kv list kv/`` command, where ``kv/`` is the path to the vault storing
|KES|-generated keys.
7) Configure MinIO to connect to KES
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common-minio-kes.rst
:start-after: start-kes-configure-minio-desc
:end-before: end-kes-configure-minio-desc
8) Enable Automatic Server-Side Encryption
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. tab-set::
.. tab-item:: SSE-KMS
The following command enables SSE-KMS on all objects written to the
specified bucket:
.. code-block:: shell
:class: copyable
mc mb ALIAS/encryptedbucket
mc encrypt set SSE-KMS encrypted-bucket-key ALIAS/encryptedbucket
Replace ``ALIAS`` with the :mc:`alias <mc alias>` of the MinIO
deployment configured in the previous step.
Write a file to the bucket using :mc:`mc cp` or any S3-compatible
SDK with a ``PutObject`` function. You can then run :mc:`mc stat`
on the file to confirm the associated encryption metadata.
.. tab-item:: SSE-S3
The following command enables SSE-S3 on all objects written to the
specified bucket. MinIO uses the :envvar:`MINIO_KMS_KES_KEY_NAME`
key for performing |SSE|.
.. code-block:: shell
:class: copyable
mc mb ALIAS/encryptedbucket
mc encrypt set SSE-S3 ALIAS/encryptedbucket
Replace ``ALIAS`` with the :mc:`alias <mc alias>` of the MinIO
deployment configured in the previous step.
Write a file to the bucket using :mc:`mc cp` or any S3-compatible
SDK with a ``PutObject`` function. You can then run :mc:`mc stat`
on the file to confirm the associated encryption metadata.
Configuration Reference for Hashicorp Vault
-------------------------------------------