mirror of
https://github.com/minio/docs.git
synced 2025-08-08 01:43:18 +03:00
Continuing changes for syncing KES docs and encryption docs
This commit is contained in:
Daryl White
@@ -19,20 +19,20 @@ allowing clients to take advantage of server processing power to secure objects
|
||||
at the storage layer (encryption-at-rest). SSE also provides key functionality
|
||||
to regulatory and compliance requirements around secure locking and erasure.
|
||||
|
||||
MinIO SSE uses the :minio-git:`MinIO Key Encryption Service (KES) <kes>` and an
|
||||
MinIO SSE uses the :kes-docs:`MinIO Key Encryption Service (KES) <>` and an
|
||||
external Key Management Service (KMS) for performing secured cryptographic
|
||||
operations at scale. MinIO also supports client-managed key management, where
|
||||
the application takes full responsibility for creating and managing encryption
|
||||
keys for use with MinIO SSE.
|
||||
|
||||
MinIO supports the following |KMS| as the central key store:
|
||||
MinIO supports the following |KMS| providers as the central key store:
|
||||
|
||||
- :ref:`Hashicorp KeyVault <minio-sse-vault>`
|
||||
- :ref:`AWS SecretsManager <minio-sse-aws>`
|
||||
- :ref:`Google Cloud SecretManager <minio-sse-gcp>`
|
||||
- :ref:`Azure Key Vault <minio-sse-azure>`
|
||||
- :minio-git:`Fortanix SDKMS <kes/wiki/Fortanix-SDKMS>`
|
||||
- :minio-git:`Thales Digital Identity and Security (formerly Gemalto) <kes/wiki/Gemalto-KeySecure>`
|
||||
- :kes-docs:`Azure Key Vault <integrations/azure-keyvault/>`
|
||||
- :kes-docs:`AWS SecretsManager <integrations/aws-secrets-manager/>`
|
||||
- :kes-docs:`Fortanix SDKMS <integrations/fortanix-sdkms/>`
|
||||
- :kes-docs:`Google Cloud SecretManager <integrations/google-cloud-secret-manager/>`
|
||||
- :kes-docs:`Hashicorp KeyVault <integrations/hashicorp-vault-keystore/>`
|
||||
- :kes-docs:`Thales Digital Identity and Security (formerly Gemalto) <integrations/thales-ciphertrust/>`
|
||||
|
||||
MinIO SSE requires enabling :ref:`minio-tls`.
|
||||
|
||||
@@ -83,6 +83,77 @@ supports the following encryption strategies:
|
||||
SSE-C does not support bucket-default encryption settings and requires
|
||||
clients perform all key management operations.
|
||||
|
||||
Configuring a KMS for MinIO
|
||||
---------------------------
|
||||
|
||||
.. cond:: linux
|
||||
|
||||
This procedure provides guidance for deploying MinIO configured to use KES and enable :ref:`Server Side Encryption <minio-sse-data-encryption>`.
|
||||
|
||||
As part of this procedure, you will:
|
||||
|
||||
#. Deploy one or more |KES| servers configured to use a KMS solution.
|
||||
You may optionally deploy a load balancer for managing connections to those KES servers.
|
||||
|
||||
#. Create a new |EK| on for use with |SSE|.
|
||||
|
||||
#. Create or modify a MinIO deployment with support for |SSE| using |KES|.
|
||||
Defer to the :ref:`Deploy Distributed MinIO <minio-mnmd>` tutorial for guidance on production-ready MinIO deployments.
|
||||
|
||||
#. Configure automatic bucket-default :ref:`SSE-KMS <minio-encryption-sse-kms>`
|
||||
|
||||
.. cond:: macos or windows
|
||||
|
||||
This procedure assumes a single local host machine running the MinIO and KES processes.
|
||||
As part of this procedure, you will:
|
||||
|
||||
#. Deploy a |KES| server configured to use a KMS solution.
|
||||
|
||||
#. Create a new |EK| on Vault for use with |SSE|.
|
||||
|
||||
#. Deploy a MinIO server in :ref:`Single-Node Single-Drive mode <minio-snsd>` configured to use the |KES| container for supporting |SSE|.
|
||||
|
||||
#. Configure automatic bucket-default :ref:`SSE-KMS <minio-encryption-sse-kms>`.
|
||||
|
||||
For production orchestrated environments, use the MinIO Kubernetes Operator to deploy a tenant with |SSE| enabled and configured for use with the KMS.
|
||||
|
||||
For production baremetal environments, see the :kes-docs:`KES documentation <>` for tutorials on configuring MinIO with KES and Hashicorp Vault.
|
||||
|
||||
.. cond:: container
|
||||
|
||||
This procedure assumes a single host machine running the MinIO and KES containers.
|
||||
As part of this procedure, you will:
|
||||
|
||||
#. Deploy a |KES| container configured to use |rootkms-short| as the root |KMS|.
|
||||
|
||||
#. Create a new |EK| on Vault for use with |SSE|.
|
||||
|
||||
#. Deploy a MinIO Server container in :ref:`Single-Node Single-Drive mode <minio-snsd>` configured to use the |KES| container for supporting |SSE|.
|
||||
|
||||
#. Configure automatic bucket-default :ref:`SSE-KMS <minio-encryption-sse-kms>`.
|
||||
|
||||
For production orchestrated environments, use the MinIO Kubernetes Operator to deploy a tenant with |SSE| enabled and configured for use with Hashicorp Vault.
|
||||
|
||||
For production baremetal environments, see the MinIO on Linux documentation for tutorials on configuring MinIO with KES and Hashicorp Vault.
|
||||
|
||||
.. cond:: k8s
|
||||
|
||||
This procedure assumes you have access to a Kubernetes cluster with an active MinIO Operator installation.
|
||||
As part of this procedure, you will:
|
||||
|
||||
#. Use the MinIO Operator Console to create or manage a MinIO Tenant.
|
||||
#. Access the :guilabel:`Encryption` settings for that tenant and configure |SSE| using |rootkms-short|.
|
||||
#. Create a new |EK| on Vault for use with |SSE|.
|
||||
#. Configure automatic bucket-default :ref:`SSE-KMS <minio-encryption-sse-kms>`.
|
||||
|
||||
For production baremetal environments, see the MinIO on Linux documentation for tutorials on configuring MinIO with KES and Hashicorp Vault.
|
||||
|
||||
.. important::
|
||||
|
||||
.. include:: /includes/common/common-minio-kes.rst
|
||||
:start-after: start-kes-encrypted-backend-desc
|
||||
:end-before: end-kes-encrypted-backend-desc
|
||||
|
||||
.. toctree::
|
||||
:titlesonly:
|
||||
:hidden:
|
||||
|
||||
Reference in New Issue
Block a user