Updating encryption pages for KES API (#1333)

Our preferred method for authenticating from MinIO to KES is with an API identity. This PR updates encryption docs to reflect this. Closes #1280
2025-07-30 07:03:26 +03:00 · 2024-10-03 12:38:10 -04:00
parent ca34aa7e43
commit 36f5bea8ea
4 changed files with 64 additions and 17 deletions
--- a/source/includes/container/common-minio-kes.rst
+++ b/source/includes/container/common-minio-kes.rst
@ -99,11 +99,21 @@ This command assumes the ``minio-kes.cert``, ``minio-kes.key``, and ``kes-server
   # KES Configurations

   MINIO_KMS_KES_ENDPOINT=https://127.0.0.1:7373
-   MINIO_KMS_KES_CERT_FILE=/certs/minio-kes.cert
-   MINIO_KMS_KES_KEY_FILE=/certs/minio-kes.key
+   MINIO_KMS_KES_API_KEY=<API-key-identity-string-from-KES> # Replace with the key string for your credentials
   MINIO_KMS_KES_CAPATH=/certs/server.cert
   MINIO_KMS_KES_KEY_NAME=minio-backend-default-key

+.. note::
+   
+   - An API key is the preferred way to authenticate with the KES server, as it provides a streamlined and secure authentication process to the KES server.
+
+   - Alternatively, specify the :envvar:`MINIO_KMS_KES_KEY_FILE` and :envvar:`MINIO_KMS_KES_CERT_FILE` instead of :envvar:`MINIO_KMS_KES_API_KEY`.
+     
+     API keys are mutually exclusive with certificate-based authentication. 
+     Specify *either* the API key variable *or* the Key File and Cert File variables.
+   
+   - The documentation on this site uses API keys.
+
 MinIO uses the :envvar:`MINIO_KMS_KES_KEY_NAME` key for the following cryptographic operations:

 - Encrypting the MinIO backend (IAM, configuration, etc.)
--- a/source/includes/windows/common-minio-kes.rst
+++ b/source/includes/windows/common-minio-kes.rst
@ -98,11 +98,29 @@ This command assumes the ``minio-kes.cert``, ``minio-kes.key``, and ``kes-server
   # Add these environment variables to the existing environment file

   MINIO_KMS_KES_ENDPOINT=https://127.0.0.1:7373
-   MINIO_KMS_KES_CERT_FILE=|miniocertpath|\minio-kes.cert
-   MINIO_KMS_KES_KEY_FILE=|miniocertpath|\minio-kes.key
+   MINIO_KMS_KES_API_KEY=<API-key-identity-string-from-KES>
   MINIO_KMS_KES_CAPATH=|miniocertpath|\kes-server.cert
   MINIO_KMS_KES_KEY_NAME=minio-backend-default-key

+
+.. note::
+   
+   - An API key is the preferred way to authenticate with the KES server, as it provides a streamlined and secure authentication process to the KES server.
+
+   - Alternatively, specify the :envvar:`MINIO_KMS_KES_KEY_FILE` and :envvar:`MINIO_KMS_KES_CERT_FILE` instead of :envvar:`MINIO_KMS_KES_API_KEY`.
+     
+     API keys are mutually exclusive with certificate-based authentication. 
+     Specify *either* the API key variable *or* the Key File and Cert File variables.
+   
+   - The documentation on this site uses API keys.
+
+   .. code-block:: shell
+      :substitions:
+
+      MINIO_KMS_KES_CERT_FILE=|miniocertpath|\minio-kes.cert
+      MINIO_KMS_KES_KEY_FILE=|miniocertpath|\minio-kes.key
+
+
 MinIO uses the :envvar:`MINIO_KMS_KES_KEY_NAME` key for the following cryptographic operations:

 - Encrypting the MinIO backend (IAM, configuration, etc.)