From 42e063b10949b9cbec72a79b2d39fe143f49831b Mon Sep 17 00:00:00 2001 From: Daryl White <53910321+djwfyi@users.noreply.github.com> Date: Thu, 18 Jan 2024 11:52:32 -0500 Subject: [PATCH] Continuing changes for syncing KES docs and encryption docs --- source/operations/server-side-encryption.rst | 87 ++++++++++++++++++-- 1 file changed, 79 insertions(+), 8 deletions(-) diff --git a/source/operations/server-side-encryption.rst b/source/operations/server-side-encryption.rst index f50757b9..58df2fdb 100644 --- a/source/operations/server-side-encryption.rst +++ b/source/operations/server-side-encryption.rst @@ -19,20 +19,20 @@ allowing clients to take advantage of server processing power to secure objects at the storage layer (encryption-at-rest). SSE also provides key functionality to regulatory and compliance requirements around secure locking and erasure. -MinIO SSE uses the :minio-git:`MinIO Key Encryption Service (KES) ` and an +MinIO SSE uses the :kes-docs:`MinIO Key Encryption Service (KES) <>` and an external Key Management Service (KMS) for performing secured cryptographic operations at scale. MinIO also supports client-managed key management, where the application takes full responsibility for creating and managing encryption keys for use with MinIO SSE. -MinIO supports the following |KMS| as the central key store: +MinIO supports the following |KMS| providers as the central key store: -- :ref:`Hashicorp KeyVault ` -- :ref:`AWS SecretsManager ` -- :ref:`Google Cloud SecretManager ` -- :ref:`Azure Key Vault ` -- :minio-git:`Fortanix SDKMS ` -- :minio-git:`Thales Digital Identity and Security (formerly Gemalto) ` +- :kes-docs:`Azure Key Vault ` +- :kes-docs:`AWS SecretsManager ` +- :kes-docs:`Fortanix SDKMS ` +- :kes-docs:`Google Cloud SecretManager ` +- :kes-docs:`Hashicorp KeyVault ` +- :kes-docs:`Thales Digital Identity and Security (formerly Gemalto) ` MinIO SSE requires enabling :ref:`minio-tls`. 
@@ -83,6 +83,77 @@ supports the following encryption strategies: SSE-C does not support bucket-default encryption settings and requires clients perform all key management operations. +Configuring a KMS for MinIO +--------------------------- + +.. cond:: linux + + This procedure provides guidance for deploying MinIO configured to use KES and enable :ref:`Server Side Encryption `. + + As part of this procedure, you will: + + #. Deploy one or more |KES| servers configured to use a KMS solution. + You may optionally deploy a load balancer for managing connections to those KES servers. + + #. Create a new |EK| on for use with |SSE|. + + #. Create or modify a MinIO deployment with support for |SSE| using |KES|. + Defer to the :ref:`Deploy Distributed MinIO ` tutorial for guidance on production-ready MinIO deployments. + + #. Configure automatic bucket-default :ref:`SSE-KMS ` + +.. cond:: macos or windows + + This procedure assumes a single local host machine running the MinIO and KES processes. + As part of this procedure, you will: + + #. Deploy a |KES| server configured to use a KMS solution. + + #. Create a new |EK| on Vault for use with |SSE|. + + #. Deploy a MinIO server in :ref:`Single-Node Single-Drive mode ` configured to use the |KES| container for supporting |SSE|. + + #. Configure automatic bucket-default :ref:`SSE-KMS `. + + For production orchestrated environments, use the MinIO Kubernetes Operator to deploy a tenant with |SSE| enabled and configured for use with the KMS. + + For production baremetal environments, see the :kes-docs:`KES documentation <>` for tutorials on configuring MinIO with KES and Hashicorp Vault. + +.. cond:: container + + This procedure assumes a single host machine running the MinIO and KES containers. + As part of this procedure, you will: + + #. Deploy a |KES| container configured to use |rootkms-short| as the root |KMS|. + + #. Create a new |EK| on Vault for use with |SSE|. + + #. 
Deploy a MinIO Server container in :ref:`Single-Node Single-Drive mode ` configured to use the |KES| container for supporting |SSE|. + + #. Configure automatic bucket-default :ref:`SSE-KMS `. + + For production orchestrated environments, use the MinIO Kubernetes Operator to deploy a tenant with |SSE| enabled and configured for use with Hashicorp Vault. + + For production baremetal environments, see the MinIO on Linux documentation for tutorials on configuring MinIO with KES and Hashicorp Vault. + +.. cond:: k8s + + This procedure assumes you have access to a Kubernetes cluster with an active MinIO Operator installation. + As part of this procedure, you will: + + #. Use the MinIO Operator Console to create or manage a MinIO Tenant. + #. Access the :guilabel:`Encryption` settings for that tenant and configure |SSE| using |rootkms-short|. + #. Create a new |EK| on Vault for use with |SSE|. + #. Configure automatic bucket-default :ref:`SSE-KMS `. + + For production baremetal environments, see the MinIO on Linux documentation for tutorials on configuring MinIO with KES and Hashicorp Vault. + +.. important:: + + .. include:: /includes/common/common-minio-kes.rst + :start-after: start-kes-encrypted-backend-desc + :end-before: end-kes-encrypted-backend-desc + .. toctree:: :titlesonly: :hidden:
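Review bot: in the first hunk (`@@ -19,20 +19,20 @@`) the rewritten provider list still carries over product names that do not match the vendors' own naming: `- :kes-docs:\`Hashicorp KeyVault \`` should be "HashiCorp Vault" ("KeyVault" is the Azure product name, which already appears one line above it), and "AWS SecretsManager" / "Google Cloud SecretManager" are written by their vendors as "AWS Secrets Manager" and "Google Cloud Secret Manager". Since the list is being reordered and re-linked anyway, this is the moment to correct the names. Also confirm that the `kes-docs` role used with the bare `<>` target in `MinIO SSE uses the :kes-docs:\`MinIO Key Encryption Service (KES) <>\`` is defined in the Sphinx extlinks configuration for this branch; the same role now replaces every `:ref:` and `:minio-git:` link in the list, so an undefined role would break all of them at once.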
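Review bot: in the second hunk (`@@ -83,6 +83,77 @@`) the Linux branch's step 2 is missing its object: `#. Create a new |EK| on for use with |SSE|.` needs "on the KMS" (or `|rootkms-short|`, as the container and k8s branches use). Related and more important for the reader: the new section is titled "Configuring a KMS for MinIO" and the Linux and macOS branches describe "a KMS solution" generically, but the macOS, container and k8s branches still hard-code Vault (`#. Create a new |EK| on Vault for use with |SSE|.` and "tutorials on configuring MinIO with KES and Hashicorp Vault"), so either use `|rootkms-short|` consistently or say explicitly that this procedure is written for HashiCorp Vault. Smaller points: the Linux list's final item (`#. Configure automatic bucket-default :ref:\`SSE-KMS \``) lacks the trailing period the other branches have; "baremetal" should be "bare metal"; the intro promises "As part of this procedure, you will" but the section runs straight into the `.. important::` note and the toctree, so point the reader to where the steps live; and the include's `start-kes-encrypted-backend-desc` / `end-kes-encrypted-backend-desc` markers must exist in `/includes/common/common-minio-kes.rst` or the build will silently include nothing.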