mirror of https://github.com/minio/docs.git synced 2025-08-08 01:43:18 +03:00

Continuing changes for syncing KES docs and encryption docs

This commit is contained in:
Daryl White
2024-01-18 11:52:32 -05:00
parent 431675e429
commit 42e063b109


@@ -19,20 +19,20 @@ allowing clients to take advantage of server processing power to secure objects
at the storage layer (encryption-at-rest). SSE also provides key functionality at the storage layer (encryption-at-rest). SSE also provides key functionality
to regulatory and compliance requirements around secure locking and erasure. to regulatory and compliance requirements around secure locking and erasure.
MinIO SSE uses the :minio-git:`MinIO Key Encryption Service (KES) <kes>` and an MinIO SSE uses the :kes-docs:`MinIO Key Encryption Service (KES) <>` and an
external Key Management Service (KMS) for performing secured cryptographic external Key Management Service (KMS) for performing secured cryptographic
operations at scale. MinIO also supports client-managed key management, where operations at scale. MinIO also supports client-managed key management, where
the application takes full responsibility for creating and managing encryption the application takes full responsibility for creating and managing encryption
keys for use with MinIO SSE. keys for use with MinIO SSE.
MinIO supports the following |KMS| as the central key store: MinIO supports the following |KMS| providers as the central key store:
- :ref:`Hashicorp KeyVault <minio-sse-vault>` - :kes-docs:`Azure Key Vault <integrations/azure-keyvault/>`
- :ref:`AWS SecretsManager <minio-sse-aws>` - :kes-docs:`AWS SecretsManager <integrations/aws-secrets-manager/>`
- :ref:`Google Cloud SecretManager <minio-sse-gcp>` - :kes-docs:`Fortanix SDKMS <integrations/fortanix-sdkms/>`
- :ref:`Azure Key Vault <minio-sse-azure>` - :kes-docs:`Google Cloud SecretManager <integrations/google-cloud-secret-manager/>`
- :minio-git:`Fortanix SDKMS <kes/wiki/Fortanix-SDKMS>` - :kes-docs:`Hashicorp KeyVault <integrations/hashicorp-vault-keystore/>`
- :minio-git:`Thales Digital Identity and Security (formerly Gemalto) <kes/wiki/Gemalto-KeySecure>` - :kes-docs:`Thales Digital Identity and Security (formerly Gemalto) <integrations/thales-ciphertrust/>`
MinIO SSE requires enabling :ref:`minio-tls`. MinIO SSE requires enabling :ref:`minio-tls`.
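Review bot: the new `:kes-docs:` link labels do not match their targets in two entries of the provider list: "Hashicorp KeyVault" points at `integrations/hashicorp-vault-keystore/` (the product is HashiCorp Vault; "Key Vault" is the Azure product listed two lines above, so the mislabel is easy to confuse), and "Thales Digital Identity and Security (formerly Gemalto)" points at `integrations/thales-ciphertrust/`. Suggest renaming the first label to "HashiCorp Vault" and aligning the Thales label with the CipherTrust integration it now links to. Also, since the hunk drops the `:ref:` targets `minio-sse-vault`, `minio-sse-aws`, `minio-sse-gcp` and `minio-sse-azure` in favour of the `:kes-docs:` role, confirm that role is registered in the Sphinx configuration and that no other page still references those labels, or the build will emit unresolved-reference warnings.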
@@ -83,6 +83,77 @@ supports the following encryption strategies:
SSE-C does not support bucket-default encryption settings and requires SSE-C does not support bucket-default encryption settings and requires
clients perform all key management operations. clients perform all key management operations.
Configuring a KMS for MinIO
---------------------------
.. cond:: linux
This procedure provides guidance for deploying MinIO configured to use KES and enable :ref:`Server Side Encryption <minio-sse-data-encryption>`.
As part of this procedure, you will:
#. Deploy one or more |KES| servers configured to use a KMS solution.
You may optionally deploy a load balancer for managing connections to those KES servers.
#. Create a new |EK| on for use with |SSE|.
#. Create or modify a MinIO deployment with support for |SSE| using |KES|.
Defer to the :ref:`Deploy Distributed MinIO <minio-mnmd>` tutorial for guidance on production-ready MinIO deployments.
#. Configure automatic bucket-default :ref:`SSE-KMS <minio-encryption-sse-kms>`
.. cond:: macos or windows
This procedure assumes a single local host machine running the MinIO and KES processes.
As part of this procedure, you will:
#. Deploy a |KES| server configured to use a KMS solution.
#. Create a new |EK| on Vault for use with |SSE|.
#. Deploy a MinIO server in :ref:`Single-Node Single-Drive mode <minio-snsd>` configured to use the |KES| container for supporting |SSE|.
#. Configure automatic bucket-default :ref:`SSE-KMS <minio-encryption-sse-kms>`.
For production orchestrated environments, use the MinIO Kubernetes Operator to deploy a tenant with |SSE| enabled and configured for use with the KMS.
For production baremetal environments, see the :kes-docs:`KES documentation <>` for tutorials on configuring MinIO with KES and Hashicorp Vault.
.. cond:: container
This procedure assumes a single host machine running the MinIO and KES containers.
As part of this procedure, you will:
#. Deploy a |KES| container configured to use |rootkms-short| as the root |KMS|.
#. Create a new |EK| on Vault for use with |SSE|.
#. Deploy a MinIO Server container in :ref:`Single-Node Single-Drive mode <minio-snsd>` configured to use the |KES| container for supporting |SSE|.
#. Configure automatic bucket-default :ref:`SSE-KMS <minio-encryption-sse-kms>`.
For production orchestrated environments, use the MinIO Kubernetes Operator to deploy a tenant with |SSE| enabled and configured for use with Hashicorp Vault.
For production baremetal environments, see the MinIO on Linux documentation for tutorials on configuring MinIO with KES and Hashicorp Vault.
.. cond:: k8s
This procedure assumes you have access to a Kubernetes cluster with an active MinIO Operator installation.
As part of this procedure, you will:
#. Use the MinIO Operator Console to create or manage a MinIO Tenant.
#. Access the :guilabel:`Encryption` settings for that tenant and configure |SSE| using |rootkms-short|.
#. Create a new |EK| on Vault for use with |SSE|.
#. Configure automatic bucket-default :ref:`SSE-KMS <minio-encryption-sse-kms>`.
For production baremetal environments, see the MinIO on Linux documentation for tutorials on configuring MinIO with KES and Hashicorp Vault.
.. important::
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-encrypted-backend-desc
:end-before: end-kes-encrypted-backend-desc
.. toctree:: .. toctree::
:titlesonly: :titlesonly:
:hidden: :hidden:
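Review bot: the `linux` branch of the new "Configuring a KMS for MinIO" section has a dangling word in step 2, "Create a new |EK| on for use with |SSE|." (either "on the KMS" or drop "on"), and its step 4 lacks the trailing period the other branches have. The four `.. cond::` branches are also inconsistent about which KMS they describe: the `macos or windows` branch says "a KMS solution" in step 1 but "on Vault" in step 2 and "the |KES| container" in step 3 even though step 1 deploys a KES server process, not a container; the `container` and `k8s` branches use the `|rootkms-short|` substitution in one step and hard-code "Vault" in the next. Suggest using `|rootkms-short|` (or the generic "KMS") consistently within each branch, and changing "container" to "server" in the macOS/Windows step 3. Finally, the `container` and `k8s` branches send readers to "the MinIO on Linux documentation" while the macOS/Windows branch links to `:kes-docs:` for the same guidance; pick one destination, and verify that `common-minio-kes.rst` actually contains the `start-kes-encrypted-backend-desc` / `end-kes-encrypted-backend-desc` markers the new `.. include::` relies on, since a missing marker makes the include silently emit nothing.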