mirror of https://github.com/minio/docs.git synced 2025-08-06 14:42:56 +03:00

Updating encryption pages for KES API (#1333)

Our preferred method for authenticating from MinIO to KES is with an API
identity. This PR updates encryption docs to reflect this.

Closes #1280
Daryl White
2024-10-03 12:38:10 -04:00
committed by GitHub
parent ca34aa7e43
commit 36f5bea8ea
4 changed files with 64 additions and 17 deletions


@@ -146,9 +146,19 @@ MinIO server host in the deployment:
:class: copyable :class: copyable
export MINIO_KMS_KES_ENDPOINT=https://play.min.io:7373 export MINIO_KMS_KES_ENDPOINT=https://play.min.io:7373
export MINIO_KMS_KES_KEY_FILE=root.key export MINIO_KMS_KES_API_KEY=<API-key-identity-string-from-KES> # Replace with the key string for your credentials
export MINIO_KMS_KES_CERT_FILE=root.cert export MINIO_KMS_KES_KEY_NAME=my-minio-sse-s3-key
export MINIO_KMS_KES_KEY_NAME=my-minio-sse-kms-key
.. note::
- An API key is the preferred way to authenticate with the KES server, as it provides a streamlined and secure authentication process to the KES server.
- Alternatively, specify the :envvar:`MINIO_KMS_KES_KEY_FILE` and :envvar:`MINIO_KMS_KES_CERT_FILE` instead of :envvar:`MINIO_KMS_KES_API_KEY`.
API keys are mutually exclusive with certificate-based authentication.
Specify *either* the API key variable *or* the Key File and Cert File variables.
- The documentation on this site uses API keys.
.. list-table:: .. list-table::
:stub-columns: 1 :stub-columns: 1
@@ -157,15 +167,14 @@ MinIO server host in the deployment:
* - :envvar:`MINIO_KMS_KES_ENDPOINT` * - :envvar:`MINIO_KMS_KES_ENDPOINT`
- The endpoint for the MinIO ``Play`` KES service. - The endpoint for the MinIO ``Play`` KES service.
* - :envvar:`MINIO_KMS_KES_KEY_FILE` * - :envvar:`MINIO_KMS_KES_API_KEY`
- The private key file corresponding to an :kes-docs:`identity <concepts/#authorization>` on the KES service. - The API key :kes-docs:`generated by KES <tutorials/kes-for-minio/#kes-server-setup>` for the MinIO deployment.
The identity must grant permission to create, generate, and decrypt keys. The identity of the API key must grant permission to create, generate, and decrypt keys.
Specify the same identity key file as the ``KES_KEY_FILE`` environment variable in the previous step.
* - :envvar:`MINIO_KMS_KES_CERT_FILE` The API key is the preferred way to authenticate with the KES server.
- The public certificate file corresponding to an :kes-docs:`identity <concepts/#authorization>` on the KES service. If circumstances require it, specify the :envvar:`MINIO_KMS_KES_KEY_FILE` and :envvar:`MINIO_KMS_KES_CERT_FILE` instead.
The identity must grant permission to create, generate, and decrypt keys. Specify *either* the API key *or* the Key File and Cert File.
Specify the same identity certificate as the ``KES_CERT_FILE`` environment variable in the previous step. Do *not* populate all three environment variables.
* - :envvar:`MINIO_KMS_KES_KEY_NAME` * - :envvar:`MINIO_KMS_KES_KEY_NAME`
- The name of the External Key (EK) to use for performing SSE encryption operations. - The name of the External Key (EK) to use for performing SSE encryption operations.
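Review bot: the example key name in this hunk changes from ``my-minio-sse-kms-key`` to ``my-minio-sse-s3-key``, which is unrelated to the switch to API-key authentication and matches the name used in the next file's hunk, so it looks like a copy-paste from the SSE-S3 example; keep ``export MINIO_KMS_KES_KEY_NAME=my-minio-sse-kms-key`` so the SSE-KMS example stays distinct. The new ``.. note::`` and the ``MINIO_KMS_KES_API_KEY`` table row now both explain that the API key is preferred and mutually exclusive with the key/cert files; keeping that rationale in one place avoids the two drifting apart. Since the API key replaces a private key file, the table row should also say that the key string is a credential and that the environment holding it needs the same access restrictions the ``root.key`` file had.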


@@ -148,10 +148,20 @@ MinIO server host in the deployment:
:class: copyable :class: copyable
export MINIO_KMS_KES_ENDPOINT=https://play.min.io:7373 export MINIO_KMS_KES_ENDPOINT=https://play.min.io:7373
export MINIO_KMS_KES_KEY_FILE=root.key export MINIO_KMS_KES_API_KEY=<API-key-identity-string-from-KES> # Replace with the key string for your credentials
export MINIO_KMS_KES_CERT_FILE=root.cert
export MINIO_KMS_KES_KEY_NAME=my-minio-sse-s3-key export MINIO_KMS_KES_KEY_NAME=my-minio-sse-s3-key
.. note::
- An API key is the preferred way to authenticate with the KES server, as it provides a streamlined and secure authentication process to the KES server.
- Alternatively, specify the :envvar:`MINIO_KMS_KES_KEY_FILE` and :envvar:`MINIO_KMS_KES_CERT_FILE` instead of :envvar:`MINIO_KMS_KES_API_KEY`.
API keys are mutually exclusive with certificate-based authentication.
Specify *either* the API key variable *or* the Key File and Cert File variables.
- The documentation on this site uses API keys.
.. list-table:: .. list-table::
:stub-columns: 1 :stub-columns: 1
:widths: 30 80 :widths: 30 80
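Review bot: the placeholder ``<API-key-identity-string-from-KES>`` sits unquoted inside a ``:class: copyable`` block, and in a POSIX shell ``<`` and ``>`` are redirection operators, so a reader who pastes the line before editing it gets a redirection or syntax error rather than a variable assignment; quoting the value, e.g. ``export MINIO_KMS_KES_API_KEY="<API-key-identity-string-from-KES>"``, keeps the placeholder visible and the line safe to paste. The same ``.. note::`` block is added verbatim in every file of this change; an ``.. include::`` of one shared snippet would keep the four copies in sync.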


@@ -99,11 +99,21 @@ This command assumes the ``minio-kes.cert``, ``minio-kes.key``, and ``kes-server
# KES Configurations # KES Configurations
MINIO_KMS_KES_ENDPOINT=https://127.0.0.1:7373 MINIO_KMS_KES_ENDPOINT=https://127.0.0.1:7373
MINIO_KMS_KES_CERT_FILE=/certs/minio-kes.cert MINIO_KMS_KES_API_KEY=<API-key-identity-string-from-KES> # Replace with the key string for your credentials
MINIO_KMS_KES_KEY_FILE=/certs/minio-kes.key
MINIO_KMS_KES_CAPATH=/certs/server.cert MINIO_KMS_KES_CAPATH=/certs/server.cert
MINIO_KMS_KES_KEY_NAME=minio-backend-default-key MINIO_KMS_KES_KEY_NAME=minio-backend-default-key
.. note::
- An API key is the preferred way to authenticate with the KES server, as it provides a streamlined and secure authentication process to the KES server.
- Alternatively, specify the :envvar:`MINIO_KMS_KES_KEY_FILE` and :envvar:`MINIO_KMS_KES_CERT_FILE` instead of :envvar:`MINIO_KMS_KES_API_KEY`.
API keys are mutually exclusive with certificate-based authentication.
Specify *either* the API key variable *or* the Key File and Cert File variables.
- The documentation on this site uses API keys.
MinIO uses the :envvar:`MINIO_KMS_KES_KEY_NAME` key for the following cryptographic operations: MinIO uses the :envvar:`MINIO_KMS_KES_KEY_NAME` key for the following cryptographic operations:
- Encrypting the MinIO backend (IAM, configuration, etc.) - Encrypting the MinIO backend (IAM, configuration, etc.)
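Review bot: the hunk header still reads "This command assumes the ``minio-kes.cert``, ``minio-kes.key``, and ``kes-server...``", but after this change the environment file no longer references ``minio-kes.cert`` or ``minio-kes.key``, only ``MINIO_KMS_KES_CAPATH=/certs/server.cert``; update that sentence so it names just the KES server certificate the client still needs to verify the TLS connection, otherwise readers will go looking for certificate files this configuration no longer uses. Also, ``# Replace with the key string for your credentials`` is placed on the same line as the value in an environment file rather than a shell script; the existing ``# KES Configurations`` comment sits on its own line, so confirm that MinIO's environment-file loader treats a trailing ``#`` as a comment, or move the hint onto its own line so the comment text cannot become part of the key value.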


@@ -98,11 +98,29 @@ This command assumes the ``minio-kes.cert``, ``minio-kes.key``, and ``kes-server
# Add these environment variables to the existing environment file # Add these environment variables to the existing environment file
MINIO_KMS_KES_ENDPOINT=https://127.0.0.1:7373 MINIO_KMS_KES_ENDPOINT=https://127.0.0.1:7373
MINIO_KMS_KES_CERT_FILE=|miniocertpath|\minio-kes.cert MINIO_KMS_KES_API_KEY=<API-key-identity-string-from-KES>
MINIO_KMS_KES_KEY_FILE=|miniocertpath|\minio-kes.key
MINIO_KMS_KES_CAPATH=|miniocertpath|\kes-server.cert MINIO_KMS_KES_CAPATH=|miniocertpath|\kes-server.cert
MINIO_KMS_KES_KEY_NAME=minio-backend-default-key MINIO_KMS_KES_KEY_NAME=minio-backend-default-key
.. note::
- An API key is the preferred way to authenticate with the KES server, as it provides a streamlined and secure authentication process to the KES server.
- Alternatively, specify the :envvar:`MINIO_KMS_KES_KEY_FILE` and :envvar:`MINIO_KMS_KES_CERT_FILE` instead of :envvar:`MINIO_KMS_KES_API_KEY`.
API keys are mutually exclusive with certificate-based authentication.
Specify *either* the API key variable *or* the Key File and Cert File variables.
- The documentation on this site uses API keys.
.. code-block:: shell
:substitions:
MINIO_KMS_KES_CERT_FILE=|miniocertpath|\minio-kes.cert
MINIO_KMS_KES_KEY_FILE=|miniocertpath|\minio-kes.key
MinIO uses the :envvar:`MINIO_KMS_KES_KEY_NAME` key for the following cryptographic operations: MinIO uses the :envvar:`MINIO_KMS_KES_KEY_NAME` key for the following cryptographic operations:
- Encrypting the MinIO backend (IAM, configuration, etc.) - Encrypting the MinIO backend (IAM, configuration, etc.)
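Review bot: the option on the added code block is misspelled: ``:substitions:`` should be ``:substitutions:``, otherwise docutils rejects the directive with an unknown-option error and the ``|miniocertpath|`` substitution in the two lines below it is never expanded. The block also has no introductory sentence, so it reads as a second set of required variables rather than the certificate-based alternative the note describes; add a lead sentence such as "To use certificate-based authentication instead, set these two variables in place of ``MINIO_KMS_KES_API_KEY``", and either drop the block or add the same alternative to the other three files so the pages stay consistent. The ``MINIO_KMS_KES_API_KEY`` line here is also the only one without the ``# Replace with the key string for your credentials`` hint.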