Updating encryption pages for KES API (#1333)

Our preferred method for authenticating from MinIO to KES is with an API
identity. This PR updates encryption docs to reflect this.

Closes #1280

source/administration/server-side-encryption/server-side-encryption-sse-kms.rst

@@ -146,9 +146,19 @@ MinIO server host in the deployment:
    :class: copyable
 
    export MINIO_KMS_KES_ENDPOINT=https://play.min.io:7373
-   export MINIO_KMS_KES_KEY_FILE=root.key
-   export MINIO_KMS_KES_CERT_FILE=root.cert
-   export MINIO_KMS_KES_KEY_NAME=my-minio-sse-kms-key
+   export MINIO_KMS_KES_API_KEY=<API-key-identity-string-from-KES> # Replace with the key string for your credentials
+   export MINIO_KMS_KES_KEY_NAME=my-minio-sse-s3-key
+
+.. note::
+   
+   - An API key is the preferred way to authenticate with the KES server, as it provides a streamlined and secure authentication process to the KES server.
+
+   - Alternatively, specify the :envvar:`MINIO_KMS_KES_KEY_FILE` and :envvar:`MINIO_KMS_KES_CERT_FILE` instead of :envvar:`MINIO_KMS_KES_API_KEY`.
+     
+     API keys are mutually exclusive with certificate-based authentication. 
+     Specify *either* the API key variable *or* the Key File and Cert File variables.
+   
+   - The documentation on this site uses API keys.
 
 .. list-table::
    :stub-columns: 1
@@ -157,15 +167,14 @@ MinIO server host in the deployment:
    * - :envvar:`MINIO_KMS_KES_ENDPOINT`
      - The endpoint for the MinIO ``Play`` KES service.
 
-   * - :envvar:`MINIO_KMS_KES_KEY_FILE`
-     - The private key file corresponding to an :kes-docs:`identity <concepts/#authorization>` on the KES service. 
-       The identity must grant permission to create, generate, and decrypt keys. 
-       Specify the same identity key file as the ``KES_KEY_FILE`` environment variable in the previous step.
+   * - :envvar:`MINIO_KMS_KES_API_KEY`
+     - The API key :kes-docs:`generated by KES <tutorials/kes-for-minio/#kes-server-setup>` for the MinIO deployment.
+       The identity of the API key must grant permission to create, generate, and decrypt keys. 
 
-   * - :envvar:`MINIO_KMS_KES_CERT_FILE`
-     - The public certificate file corresponding to an :kes-docs:`identity <concepts/#authorization>` on the KES service. 
-       The identity must grant permission to create, generate, and decrypt keys. 
-       Specify the same identity certificate as the ``KES_CERT_FILE`` environment variable in the previous step.
+       The API key is the preferred way to authenticate with the KES server.
+       If circumstances require it, specify the :envvar:`MINIO_KMS_KES_KEY_FILE` and :envvar:`MINIO_KMS_KES_CERT_FILE` instead.
+       Specify *either* the API key *or* the Key File and Cert File.
+       Do *not* populate all three environment variables.
 
    * - :envvar:`MINIO_KMS_KES_KEY_NAME`
      - The name of the External Key (EK) to use for performing SSE encryption operations. 

source/administration/server-side-encryption/server-side-encryption-sse-s3.rst

@@ -148,10 +148,20 @@ MinIO server host in the deployment:
    :class: copyable
 
    export MINIO_KMS_KES_ENDPOINT=https://play.min.io:7373
-   export MINIO_KMS_KES_KEY_FILE=root.key
-   export MINIO_KMS_KES_CERT_FILE=root.cert
+   export MINIO_KMS_KES_API_KEY=<API-key-identity-string-from-KES> # Replace with the key string for your credentials
    export MINIO_KMS_KES_KEY_NAME=my-minio-sse-s3-key
 
+.. note::
+   
+   - An API key is the preferred way to authenticate with the KES server, as it provides a streamlined and secure authentication process to the KES server.
+
+   - Alternatively, specify the :envvar:`MINIO_KMS_KES_KEY_FILE` and :envvar:`MINIO_KMS_KES_CERT_FILE` instead of :envvar:`MINIO_KMS_KES_API_KEY`.
+     
+     API keys are mutually exclusive with certificate-based authentication. 
+     Specify *either* the API key variable *or* the Key File and Cert File variables.
+   
+   - The documentation on this site uses API keys.
+
 .. list-table::
    :stub-columns: 1
    :widths: 30 80