mirror of https://github.com/minio/docs.git synced 2025-07-30 07:03:26 +03:00

Updates for mc RELEASE.2024-06-20T14-50-54Z (#1279)

Updates for mc release 2024-06-20T14-50-54Z
    
- Adds info about requiring Raw Base64 or Hex keys
- Updates links for KES docs on encryption pages
- Updates encryption pages to use ventilated prose (one sentence per line)
- Adds new flag for `mc get`
- Updates `mc put` with enc-# flags
    
Closes #1253
Daryl White
2024-07-25 12:31:28 -04:00
committed by GitHub
parent cb658261c8
commit 848b5b7d34
6 changed files with 136 additions and 159 deletions

View File

@ -18,7 +18,7 @@ Server-Side Encryption of Objects
MinIO Server-Side Encryption (SSE) protects objects as part of write operations, allowing clients to take advantage of server processing power to secure objects at the storage layer (encryption-at-rest). MinIO Server-Side Encryption (SSE) protects objects as part of write operations, allowing clients to take advantage of server processing power to secure objects at the storage layer (encryption-at-rest).
SSE also provides key functionality to regulatory and compliance requirements around secure locking and erasure. SSE also provides key functionality to regulatory and compliance requirements around secure locking and erasure.
MinIO SSE uses the :minio-git:`MinIO Key Encryption Service (KES) <kes>` and an external Key Management Service (KMS) for performing secured cryptographic operations at scale. MinIO SSE uses the :kes-docs:`MinIO Key Encryption Service (KES) <>` and an external Key Management Service (KMS) for performing secured cryptographic operations at scale.
MinIO also supports client-managed key management, where the application takes full responsibility for creating and managing encryption keys for use with MinIO SSE. MinIO also supports client-managed key management, where the application takes full responsibility for creating and managing encryption keys for use with MinIO SSE.
MinIO SSE is feature and API compatible with :s3-docs:`AWS Server-Side Encryption <server-side-encryption.html>` and supports the following encryption strategies: MinIO SSE is feature and API compatible with :s3-docs:`AWS Server-Side Encryption <server-side-encryption.html>` and supports the following encryption strategies:

View File

@ -76,35 +76,34 @@ Encrypting an object using SSE-C prevents MinIO from applying
Quickstart Quickstart
---------- ----------
MinIO SSE-C requires the client to perform all key creation and storage MinIO SSE-C requires the client to perform all key creation and storage operations.
operations.
This procedure uses :mc:`mc` for performing operations on the source MinIO This procedure uses :mc:`mc` for performing operations on the source MinIO deployment.
deployment. Install :mc:`mc` on a machine with network access to the source Install :mc:`mc` on a machine with network access to the source deployment.
deployment. See the ``mc`` :ref:`Installation Quickstart <mc-install>` for See the ``mc`` :ref:`Installation Quickstart <mc-install>` for instructions on downloading and installing ``mc``.
instructions on downloading and installing ``mc``.
The SSE-C key *must* be a 256-bit base64-encoded string. The client The SSE-C key *must* be a 256-bit raw encoded string or a hex encoded string.
application is responsible for generation and storage of the encryption key. The client application is responsible for generation and storage of the encryption key.
MinIO does *not* store SSE-C encryption keys and cannot decrypt SSE-C MinIO does *not* store SSE-C encryption keys and cannot decrypt SSE-C encrypted objects without the client-managed key.
encrypted objects without the client-managed key.
.. note::
Support for hex encoded keys was added in MinIO Client ``RELEASE.2024-06-20T14-50-54Z``.
1) Generate the Encryption Key 1) Generate the Encryption Key
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Generate the 256-bit base64-encoded string for use as the encryption key. Generate the 256-bit base64 raw encoded string or a hex encoded string for use as the encryption key.
The following example generates a string that meets the encryption key The following example generates a string that meets the encryption key requirements.
requirements. The resulting string is appropriate for non-production The resulting string is appropriate for non-production environments:
environments:
.. code-block:: shell .. code-block:: shell
:class: copyable :class: copyable
cat /dev/urandom | head -c 32 | base64 - cat /dev/urandom | head -c 32 | base64 -
Defer to your organizations requirements for generating cryptographically Defer to your organizations requirements for generating cryptographically secure encryption keys.
secure encryption keys.
Copy the encryption key for use in the next step. Copy the encryption key for use in the next step.
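Review bot: the key-generation example `cat /dev/urandom | head -c 32 | base64 -` still emits standard, padded base64 (44 characters ending in `=`), which does not match the "raw base64 or hex" requirement this hunk introduces two paragraphs earlier and that the commit message calls out; the 43-character unpadded value in the new `mc get` example is the shape the flag actually expects. Either strip the padding (`head -c 32 /dev/urandom | base64 | tr -d '='`) or switch the example to hex (`openssl rand -hex 32`), and reword "256-bit raw encoded string or a hex encoded string" to say what the bytes are and how they are encoded, for example "a 256-bit (32-byte) key encoded as unpadded base64 or as hex". Nit in the unchanged context: "Defer to your organizations requirements" needs an apostrophe.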
@ -117,8 +116,7 @@ MinIO supports the following AWS S3 headers for specifying SSE-C encryption:
- ``X-Amz-Server-Side-Encryption-Customer-Key`` set to the encryption key value. - ``X-Amz-Server-Side-Encryption-Customer-Key`` set to the encryption key value.
- ``X-Amz-Server-Side-Encryption-Customer-Key-MD5`` to the 128-bit MD5 digest of - ``X-Amz-Server-Side-Encryption-Customer-Key-MD5`` to the 128-bit MD5 digest of the encryption key.
the encryption key.
The MinIO :mc:`mc` commandline tool S3-compatible SDKs include specific syntax The MinIO :mc:`mc` commandline tool S3-compatible SDKs include specific syntax
for setting headers. Certain :mc:`mc` commands like :mc:`mc cp` include specific for setting headers. Certain :mc:`mc` commands like :mc:`mc cp` include specific
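Review bot: the context line "The MinIO :mc:`mc` commandline tool S3-compatible SDKs include specific syntax" is missing "and" between "tool" and "S3-compatible", and "commandline" is spelled "command line" in the SSE-KMS and SSE-S3 hunks of this same commit; worth fixing while the paragraph is touched. Since the quickstart above now says keys may be supplied as hex, the `X-Amz-Server-Side-Encryption-Customer-Key` bullet should state which encoding the header itself carries so readers do not assume a hex key can be placed in the header unchanged.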

View File

@ -18,25 +18,17 @@ Server-Side Encryption with Per-Bucket Keys (SSE-KMS)
.. |KMS| replace:: :abbr:`KMS (Key Management Service)` .. |KMS| replace:: :abbr:`KMS (Key Management Service)`
.. |KES| replace:: :abbr:`KES (Key Encryption Service)` .. |KES| replace:: :abbr:`KES (Key Encryption Service)`
MinIO Server-Side Encryption (SSE) protects objects as part of write operations, MinIO Server-Side Encryption (SSE) protects objects as part of write operations, allowing clients to take advantage of server processing power to secure objects at the storage layer (encryption-at-rest).
allowing clients to take advantage of server processing power to secure objects SSE also provides key functionality to regulatory and compliance requirements around secure locking and erasure.
at the storage layer (encryption-at-rest). SSE also provides key functionality
to regulatory and compliance requirements around secure locking and erasure.
MinIO SSE uses the :minio-git:`MinIO Key Encryption Service (KES) <kes>` and an MinIO SSE uses the :kes-docs:`MinIO Key Encryption Service (KES) <>` and a :kes-docs:`supported external Key Management Service (KMS) <#supported-kms-targets>` for performing secured cryptographic operations at scale.
external Key Management Service (KMS) for performing secured cryptographic MinIO also supports client-managed key management, where the application takes full responsibility for creating and managing encryption keys for use with MinIO SSE.
operations at scale. MinIO also supports client-managed key management, where
the application takes full responsibility for creating and managing encryption
keys for use with MinIO SSE.
MinIO SSE-KMS en/decrypts objects using an External Key (EK) managed by a Key MinIO SSE-KMS encrypts or decrypts objects using an External Key (EK) managed by a Key Management System (KMS).
Management System (KMS). Each bucket and object can have a separate |EK|, Each bucket and object can have a separate |EK|, supporting more granular cryptographic operations in the deployment.
supporting more granular cryptographic operations in the deployment. MinIO can MinIO can only decrypt an object if it can access both the KMS *and* the |EK| used to encrypt that object.
only decrypt an object if it can access both the KMS *and* the |EK| used to
encrypt that object.
You can enable bucket-default SSE-KMS encryption using the You can enable bucket-default SSE-KMS encryption using the :mc:`mc encrypt set` command:
:mc:`mc encrypt set` command:
.. code-block:: shell .. code-block:: shell
:class: copyable :class: copyable
@ -95,20 +87,15 @@ This procedure requires the following components:
instructions on downloading and installing ``mc``. instructions on downloading and installing ``mc``.
- Install :minio-git:`MinIO Key Encryption Service (KES) <kes>` on a machine - Install :kes-docs:`MinIO Key Encryption Service (KES) <>` on a machine with internet access.
with internet access. See the ``kes`` See the ``kes`` :kes-docs:`Getting Started <tutorials/getting-started/>` guide for instructions on downloading, installing, and configuring KES.
:minio-git:`Getting Started <kes/wiki/Getting-Started>` guide for
instructions on downloading, installing, and configuring KES.
1) Create an Encryption Key for SSE-KMS Encryption 1) Create an Encryption Key for SSE-KMS Encryption
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Use the :minio-git:`kes <kes>` commandline tool to create a new External Key Use the :kes-docs:`kes <cli/>` command line tool to create a new External Key (EK) for use with SSE-KMS Encryption.
(EK) for use with SSE-KMS Encryption.
Issue the following command to retrieve the root The following command retrieves the root :kes-docs:`identity <concepts/#authorization>` for the ``play`` KES server:
:minio-git:`identity <kes/wiki/Configuration#policy-configuration>` for the KES
server:
.. code-block:: shell .. code-block:: shell
:class: copyable :class: copyable
@ -131,31 +118,23 @@ Set the following environment variables in the terminal or shell:
:width: 100% :width: 100%
* - ``KES_CLIENT_KEY`` * - ``KES_CLIENT_KEY``
- The private key for an :minio-git:`identity - The private key for an :kes-docs:`identity <concepts/#authorization>` on the KES server.
<kes/wiki/Configuration#policy-configuration>` on the KES server. The identity must grant access to at minimum the ``/v1/create``, ``/v1/generate``, and ``/v1/list`` :kes-docs:`API endpoints <concepts/server-api/>`.
The identity must grant access to at minimum the ``/v1/create``, This step uses the ``root`` identity for the MinIO ``play`` KES sandbox, which provides access to all operations on the KES server.
``/v1/generate``, and ``/v1/list`` :minio-git:`API endpoints
<kes/wiki/Server-API#api-overview>`. This step uses the root
identity for the MinIO ``play`` KES sandbox, which provides access
to all operations on the KES server.
* - ``KES_CLIENT_CERT`` * - ``KES_CLIENT_CERT``
- The corresponding certificate for the :minio-git:`identity - The corresponding certificate for the :kes-docs:`identity <concepts/#authorization>` on the KES server.
<kes/wiki/Configuration#policy-configuration>` on the KES server. This step uses the ``root`` identity for the MinIO ``play`` KES sandbox, which provides access to all operations on the KES server.
This step uses the root identity for the MinIO ``play`` KES
sandbox, which provides access to all operations on the KES server.
Issue the following command to create a new |EK| through The following command creates a new |EK| through KES.
KES.
.. code-block:: shell .. code-block:: shell
:class: copyable :class: copyable
kes key create my-minio-sse-kms-key kes key create my-minio-sse-kms-key
This tutorial uses the example ``my-minio-sse-kms-key`` name for ease of This tutorial uses the example ``my-minio-sse-kms-key`` name for ease of reference.
reference. Specify a unique key name to prevent collision Specify a unique key name to prevent collision with existing keys.
with existing keys.
2) Configure MinIO for SSE-KMS Object Encryption 2) Configure MinIO for SSE-KMS Object Encryption
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
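Review bot: the `KES_CLIENT_KEY` row says the identity needs `/v1/create`, `/v1/generate`, and `/v1/list`, but step 2 of this same commit tells the reader to reuse this key file for MinIO and says that identity must also be able to decrypt; list `/v1/decrypt` here too, or say explicitly that the CLI step may use a separate, narrower identity. A reader who applies least privilege against a real (non-`play`) KES will otherwise create an identity that MinIO cannot use to read objects back. Also, "The following command creates a new |EK| through KES." should end with a colon since a code block follows, as the SSE-S3 counterpart in this commit does.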
@ -179,26 +158,19 @@ MinIO server host in the deployment:
- The endpoint for the MinIO ``Play`` KES service. - The endpoint for the MinIO ``Play`` KES service.
* - :envvar:`MINIO_KMS_KES_KEY_FILE` * - :envvar:`MINIO_KMS_KES_KEY_FILE`
- The private key file corresponding to an - The private key file corresponding to an :kes-docs:`identity <concepts/#authorization>` on the KES service.
:minio-git:`identity <kes/wiki/Configuration#policy-configuration>` The identity must grant permission to create, generate, and decrypt keys.
on the KES service. The identity must grant permission to Specify the same identity key file as the ``KES_KEY_FILE`` environment variable in the previous step.
create, generate, and decrypt keys. Specify the same
identity key file as the ``KES_KEY_FILE`` environment variable
in the previous step.
* - :envvar:`MINIO_KMS_KES_CERT_FILE` * - :envvar:`MINIO_KMS_KES_CERT_FILE`
- The public certificate file corresponding to an - The public certificate file corresponding to an :kes-docs:`identity <concepts/#authorization>` on the KES service.
:minio-git:`identity <kes/wiki/Configuration#policy-configuration>` The identity must grant permission to create, generate, and decrypt keys.
on the KES service. The identity must grant permission to Specify the same identity certificate as the ``KES_CERT_FILE`` environment variable in the previous step.
create, generate, and decrypt keys. Specify the same
identity certificate as the ``KES_CERT_FILE`` environment
variable in the previous step.
* - :envvar:`MINIO_KMS_KES_KEY_NAME` * - :envvar:`MINIO_KMS_KES_KEY_NAME`
- The name of the External Key (EK) to use for - The name of the External Key (EK) to use for performing SSE encryption operations.
performing SSE encryption operations. KES retrieves the |EK| from KES retrieves the |EK| from the configured Key Management Service (KMS).
the configured Key Management Service (KMS). Specify the name of the Specify the name of the key created in the previous step.
key created in the previous step.
3) Restart the MinIO Deployment to Enable SSE-KMS 3) Restart the MinIO Deployment to Enable SSE-KMS
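Review bot: the `MINIO_KMS_KES_KEY_FILE` and `MINIO_KMS_KES_CERT_FILE` rows tell the reader to reuse the `KES_KEY_FILE` and `KES_CERT_FILE` variables "in the previous step", but the previous step sets `KES_CLIENT_KEY` and `KES_CLIENT_CERT`; since the hunk already rewrites these lines, align the names here so readers are not sent looking for variables that were never set.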
@ -212,14 +184,12 @@ Use the :mc-cmd:`mc admin service restart` command to restart the deployment.
mc admin service restart ALIAS mc admin service restart ALIAS
Replace ``ALIAS`` with the :ref:`alias <alias>` of the deployment to Replace ``ALIAS`` with the :ref:`alias <alias>` of the deployment to restart.
restart.
4) Configure Automatic Bucket Encryption 4) Configure Automatic Bucket Encryption
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Use the :mc:`mc encrypt set` command to enable automatic SSE-KMS protection Use the :mc:`mc encrypt set` command to enable automatic SSE-KMS protection of all objects written to a specific bucket.
of all objects written to a specific bucket.
.. code-block:: shell .. code-block:: shell
:class: copyable :class: copyable
@ -232,12 +202,10 @@ of all objects written to a specific bucket.
- Replace :mc-cmd:`BUCKET <mc encrypt set ALIAS>` with the full path to the - Replace :mc-cmd:`BUCKET <mc encrypt set ALIAS>` with the full path to the
bucket or bucket prefix on which you want to enable automatic SSE-KMS. bucket or bucket prefix on which you want to enable automatic SSE-KMS.
Objects written to the specified bucket are automatically encrypted using Objects written to the specified bucket are automatically encrypted using the specified |EK|.
the specified |EK|
Repeat this step for each bucket on which you want to enable automatic Repeat this step for each bucket on which you want to enable automatic SSE-KMS encryption.
SSE-KMS encryption. You can generate additional keys per bucket or bucket You can generate additional keys per bucket or bucket prefix, such that the scope of each |EK| is limited to a subset of objects.
prefix, such that the scope of each |EK| is limited to a subset of objects.
.. _minio-encryption-sse-kms-erasure-locking: .. _minio-encryption-sse-kms-erasure-locking:
@ -261,8 +229,7 @@ The scope of a single |EK| depends on:
- Which buckets specified that |EK| for automatic SSE-KMS encryption, - Which buckets specified that |EK| for automatic SSE-KMS encryption,
*and* *and*
- Which write operations specified that |EK| when requesting SSE-KMS - Which write operations specified that |EK| when requesting SSE-KMS encryption.
encryption.
For example, consider a MinIO deployment using one |EK| per bucket. For example, consider a MinIO deployment using one |EK| per bucket.
Disabling a single |EK| renders all objects in the associated bucket Disabling a single |EK| renders all objects in the associated bucket

View File

@ -23,7 +23,7 @@ allowing clients to take advantage of server processing power to secure objects
at the storage layer (encryption-at-rest). SSE also provides key functionality at the storage layer (encryption-at-rest). SSE also provides key functionality
to regulatory and compliance requirements around secure locking and erasure. to regulatory and compliance requirements around secure locking and erasure.
MinIO SSE uses the :minio-git:`MinIO Key Encryption Service (KES) <kes>` and an MinIO SSE uses the :kes-docs:`MinIO Key Encryption Service (KES) <>` and an
external Key Management Service (KMS) for performing secured cryptographic external Key Management Service (KMS) for performing secured cryptographic
operations at scale. MinIO also supports client-managed key management, where operations at scale. MinIO also supports client-managed key management, where
the application takes full responsibility for creating and managing encryption the application takes full responsibility for creating and managing encryption
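Review bot: this hunk only swaps the KES link and leaves the paragraph hard-wrapped, while the identical paragraph in the SSE-KMS page hunk was reflowed to one sentence per line; the commit message says the encryption pages were converted to ventilated prose, so either reflow this paragraph as well or narrow the commit message to the pages that were actually converted.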
@ -34,8 +34,7 @@ Key Management System (KMS). You must specify the |EK| using the
:envvar:`MINIO_KMS_KES_KEY_NAME` environment variable when starting up the :envvar:`MINIO_KMS_KES_KEY_NAME` environment variable when starting up the
MinIO server. MinIO uses the same EK for *all* SSE-S3 cryptographic operations. MinIO server. MinIO uses the same EK for *all* SSE-S3 cryptographic operations.
You can enable bucket-default SSE-S3 encryption using the You can enable bucket-default SSE-S3 encryption using the :mc:`mc encrypt set` command:
:mc:`mc encrypt set` command:
.. code-block:: shell .. code-block:: shell
:class: copyable :class: copyable
@ -45,16 +44,15 @@ You can enable bucket-default SSE-S3 encryption using the
- Replace ``play/mybucket`` with the :mc:`alias <mc alias>` and bucket - Replace ``play/mybucket`` with the :mc:`alias <mc alias>` and bucket
on which you want to enable automatic SSE-KMS encryption. on which you want to enable automatic SSE-KMS encryption.
MinIO SSE-S3 is functionally compatible with AWS S3 MinIO SSE-S3 is functionally compatible with AWS S3 :s3-docs:`Server-Side Encryption with Amazon S3-Managed Keys <UsingServerSideEncryption.html>` while expanding support to include the following KMS providers:
:s3-docs:`Server-Side Encryption with Amazon S3-Managed Keys
<UsingServerSideEncryption.html>` while expanding support to include the
following KMS providers:
- :ref:`AWS SecretsManager <minio-sse-aws>` - :kes-docs:`AWS Secrets Manager <integrations/aws-secrets-manager/>`
- :ref:`Google Cloud SecretManager <minio-sse-gcp>` - :kes-docs:`Azure KeyVault <integrations/azure-keyvault/>`
- :ref:`Azure Key Vault <minio-sse-azure>` - :kes-docs:`Entrust KeyControl <integrations/entrust-keycontrol/>`
- :ref:`HashiCorp KeyVault <minio-sse-vault>` - :kes-docs:`Fortanix SDKMS <integrations/fortanix-sdkms/>`
- Thales CipherTrust (formerly Gemalto KeySecure) - :kes-docs:`Google Cloud Secret Manager <integrations/google-cloud-secret-manager/>`
- :kes-docs:`HashiCorp Vault <integrations/hashicorp-vault-keystore/>`
- :kes-docs:`Thales CipherTrust Manager (formerly Gemalto KeySecure) <integrations/thales-ciphertrust/>`
.. _minio-encryption-sse-s3-quickstart: .. _minio-encryption-sse-s3-quickstart:
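Review bot: the unchanged context line "on which you want to enable automatic SSE-KMS encryption." sits in the SSE-S3 page and should say SSE-S3; the hunk touches the neighbouring lines, so fix it here. The provider list also drops the internal `:ref:` targets `minio-sse-aws`, `minio-sse-gcp`, `minio-sse-azure`, and `minio-sse-vault` in favour of external `:kes-docs:` links; check whether the pages that define those labels are still reachable from elsewhere or should be removed in the same change.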
@ -73,11 +71,13 @@ supporting |SSE| with SSE-S3 in evaluation and early development environments.
For extended development or production environments, use one of the following For extended development or production environments, use one of the following
supported external Key Management Services (KMS): supported external Key Management Services (KMS):
- :ref:`AWS SecretsManager <minio-sse-aws>` - :kes-docs:`AWS Secrets Manager <integrations/aws-secrets-manager/>`
- :ref:`Google Cloud SecretManager <minio-sse-gcp>` - :kes-docs:`Azure KeyVault <integrations/azure-keyvault/>`
- :ref:`Azure Key Vault <minio-sse-azure>` - :kes-docs:`Entrust KeyControl <integrations/entrust-keycontrol/>`
- :ref:`HashiCorp KeyVault <minio-sse-vault>` - :kes-docs:`Fortanix SDKMS <integrations/fortanix-sdkms/>`
- Thales CipherTrust (formerly Gemalto KeySecure) - :kes-docs:`Google Cloud Secret Manager <integrations/google-cloud-secret-manager/>`
- :kes-docs:`HashiCorp Vault <integrations/hashicorp-vault-keystore/>`
- :kes-docs:`Thales CipherTrust Manager (formerly Gemalto KeySecure) <integrations/thales-ciphertrust/>`
.. include:: /includes/common/common-minio-kes.rst .. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-play-sandbox-warning :start-after: start-kes-play-sandbox-warning
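Review bot: this seven-item provider list is identical to the one added in the previous hunk of the same file; the page already pulls shared text from `/includes/common/common-minio-kes.rst` with `:start-after:` and `:end-before:` markers, so move the list into that include and reference it from both places to keep the two copies from drifting.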
@ -85,26 +85,19 @@ supported external Key Management Services (KMS):
This procedure requires the following components: This procedure requires the following components:
- Install :mc:`mc` on a machine with network access to the source - Install :mc:`mc` on a machine with network access to the source deployment.
deployment. See the ``mc`` :ref:`Installation Quickstart <mc-install>` for See the ``mc`` :ref:`Installation Quickstart <mc-install>` for instructions on downloading and installing ``mc``.
instructions on downloading and installing ``mc``.
- Install :kes-docs:`MinIO Key Encryption Service (KES) <>` on a machine with internet access.
- Install :minio-git:`MinIO Key Encryption Service (KES) <kes>` on a machine See the KES :kes-docs:`Getting Started <tutorials/getting-started/>` guide for instructions on downloading, installing, and configuring KES.
with internet access. See the ``kes``
:minio-git:`Getting Started <kes/wiki/Getting-Started>` guide for
instructions on downloading, installing, and configuring KES.
1) Create an Encryption Key for SSE-S3 Encryption 1) Create an Encryption Key for SSE-S3 Encryption
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Use the :minio-git:`kes <kes>` commandline tool to create a new External Key Use the :kes-docs:`kes <cli>` command line tool to create a new External Key (EK) for use with SSE-S3 Encryption.
(EK) for use with SSE-S3 Encryption.
Issue the following command to retrieve the root The following command retrieves the root :minio-git:`identity <kes/wiki/Configuration#policy-configuration>` for the KES server connected to the KES ``play`` sandbox:
:minio-git:`identity <kes/wiki/Configuration#policy-configuration>` for the KES
server:
.. code-block:: shell .. code-block:: shell
:class: copyable :class: copyable
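Review bot: the identity link on "The following command retrieves the root :minio-git:`identity <kes/wiki/Configuration#policy-configuration>`" still points at the GitHub wiki, while every other identity link in this commit was moved to `:kes-docs:`identity <concepts/#authorization>``; update it here for consistency with the commit's stated purpose. The CLI link also uses `:kes-docs:`kes <cli>`` where the SSE-KMS page hunk uses `<cli/>`; pick one form so both resolve to the same URL.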
@ -127,30 +120,23 @@ Set the following environment variables in the terminal or shell:
:width: 100% :width: 100%
* - ``KES_CLIENT_KEY`` * - ``KES_CLIENT_KEY``
- The private key for an :minio-git:`identity - The private key for an :kes-docs:`identity <concepts/#authorization>` on the KES server.
<kes/wiki/Configuration#policy-configuration>` on the KES server. The identity must grant access to at minimum the ``/v1/create``, ``/v1/generate``, and ``/v1/list`` :kes-docs:`API endpoints <concepts/server-api/>`.
The identity must grant access to at minimum the ``/v1/create``, This step uses the ``root`` identity for the MinIO ``play`` KES sandbox, which provides access to all operations on the KES server.
``/v1/generate``, and ``/v1/list`` :minio-git:`API endpoints
<kes/wiki/Server-API#api-overview>`. This step uses the root
identity for the MinIO ``play`` KES sandbox, which provides access
to all operations on the KES server.
* - ``KES_CLIENT_CERT`` * - ``KES_CLIENT_CERT``
- The corresponding certificate for the :minio-git:`identity - The corresponding certificate for the :kes-docs:`identity <concepts/#authorization>` on the KES server.
<kes/wiki/Configuration#policy-configuration>` on the KES server. This step uses the ``root`` identity for the MinIO ``play`` KES sandbox, which provides access to all operations on the KES server.
This step uses the root identity for the MinIO ``play`` KES
sandbox, which provides access to all operations on the KES server.
Issue the following command to create a new |EK| through The following command creates a new |EK| through the :kes-docs:`KES CLI <cli/kes-key/create/>`:
KES:
.. code-block:: shell .. code-block:: shell
:class: copyable :class: copyable
kes key create my-minio-sse-s3-key kes key create my-minio-sse-s3-key
This tutorial uses the example ``my-minio-sse-s3-key`` name for ease of This tutorial uses the example ``my-minio-sse-s3-key`` name for ease of reference.
reference. Specify a unique key name to prevent collision with existing keys. Specify a unique key name to prevent collision with existing keys.
2) Configure MinIO for SSE-S3 Object Encryption 2) Configure MinIO for SSE-S3 Object Encryption
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@ -206,8 +192,7 @@ Use the :mc-cmd:`mc admin service restart` command to restart the deployment.
mc admin service restart ALIAS mc admin service restart ALIAS
Replace ``ALIAS`` with the :ref:`alias <alias>` of the deployment to Replace ``ALIAS`` with the :ref:`alias <alias>` of the deployment to restart.
restart.
4) Configure Automatic Bucket Encryption 4) Configure Automatic Bucket Encryption
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

View File

@ -46,8 +46,8 @@ The :mc:`mc get` command downloads an object from a target S3 deployment to the
mc [GLOBALFLAGS] get \ mc [GLOBALFLAGS] get \
SOURCE \ SOURCE \
TARGET \ TARGET \
[--encrypt-key value] \ [--enc-c value]
[--encrypt value] [--version-id, --vid value]
.. include:: /includes/common-minio-mc.rst .. include:: /includes/common-minio-mc.rst
:start-after: start-minio-syntax :start-after: start-minio-syntax
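Review bot: the synopsis line `[--enc-c value]` lost the trailing backslash that `[--encrypt-key value] \` had, so `[--version-id, --vid value]` on the following line is no longer part of the continued command; add `\` after `[--enc-c value]`.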
@ -66,23 +66,19 @@ Parameters
The destination path on the local file system where the command should place the downloaded file. The destination path on the local file system where the command should place the downloaded file.
.. mc-cmd:: --encrypt .. mc-cmd:: --enc-c
:optional: :optional:
Specify the key to use for decrypting and encrypting the downloaded object. Encrypt or decrypt objects using client provided keys.
Repeat the flag to pass multiple keys.
Requires that you also specify the key to use with the :mc-cmd:`~mc put --encrypt-key` flag. Keys must be in either Raw Base64 or Hex format.
Alternatively, set the :envvar:`MC_ENCRYPT` environment variable. .. mc-cmd:: --version-id, --vid
.. mc-cmd:: --encrypt-key
:optional: :optional:
Specify the key to use for decrypting and encrypting the downloaded object. Retrieve a specific version of the object.
Pass the version ID of the object to retrieve.
Requires that you also pass the :mc-cmd:`~mc put --encrypt` flag set to ``TRUE``.
Alternatively, set the :envvar:`MC_ENCRYPT_KEY` environment variable.
Global Flags Global Flags
~~~~~~~~~~~~ ~~~~~~~~~~~~
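Review bot: the `--enc-c` description for `mc get` says "Encrypt or decrypt objects", but `mc get` only downloads, so only decryption applies; say that the flag supplies the client key used to decrypt the downloaded object, and document the value format, which the example later in this file shows as `ALIAS/BUCKET/PREFIX=KEY` but which the parameter text never states. The removed `--encrypt-key` entry listed `MC_ENCRYPT_KEY` as an environment-variable alternative to placing the key in argv; if the new flag has an equivalent it should be listed here (the `mc put` hunk lists `MC_ENC_KMS` and `MC_ENC_S3` but nothing for `--enc-c`), since a raw key on the command line ends up in shell history and process listings.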
@ -90,3 +86,26 @@ Global Flags
.. include:: /includes/common-minio-mc.rst .. include:: /includes/common-minio-mc.rst
:start-after: start-minio-mc-globals :start-after: start-minio-mc-globals
:end-before: end-minio-mc-globals :end-before: end-minio-mc-globals
Examples
--------
Retrieve an object from MinIO to the local file system
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The following command retrieves the file ``myobject.csv`` from the bucket ``mybucket`` at the alias ``myminio`` and places it on the local file system at the path ``/my/local/folder``.
.. code-block:: shell
:class: copyable
mc get myminio/mybucket/myobject.csv /my/local/folder
Retrieve an encrypted object from MinIO
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The following command retrieves an encrypted file and places it at a local folder path.
.. code-block:: shell
:class: copyable
mc get --enc-c "play/mybucket/object=MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDA" play/mybucket/object path-to/object
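Review bot: the two examples use different aliases (`myminio` in the first, `play` in the second) and the second writes to `path-to/object` while its sentence says it "places it at a local folder path"; align the alias with the first example and state whether TARGET is a file or a directory. The key in the second example is the unpadded base64 of the ASCII string `01234567890123456789012345678900`, which is fine as a placeholder but should be labelled as one so readers do not copy a predictable key into a real deployment.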

View File

@ -46,8 +46,10 @@ The :mc:`mc put` uploads an object from the local file system to a bucket on a t
mc [GLOBALFLAGS] put \ mc [GLOBALFLAGS] put \
TARGET \ TARGET \
[--encrypt-key value] \ [--enc-c value] \
[--encrypt value] \ [--enc-kms value] \
[--enc-s3 value] \
[--if-not-exists] \
[--parallel, -P integer] \ [--parallel, -P integer] \
[--part-size, -s string] [--part-size, -s string]
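Review bot: `[--if-not-exists]` is added to the synopsis, but the Parameters hunk below adds entries only for `--enc-c`, `--enc-kms`, and `--enc-s3`; add a `.. mc-cmd:: --if-not-exists` entry describing the flag, or leave it out of the synopsis until it is documented.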
@ -74,23 +76,29 @@ Parameters
- ``ALIAS/BUCKET/OBJECT-NAME`` - ``ALIAS/BUCKET/OBJECT-NAME``
- ``ALIAS/BUCKET/PREFIX/OBJECT-NAME`` - ``ALIAS/BUCKET/PREFIX/OBJECT-NAME``
.. mc-cmd:: --encrypt .. mc-cmd:: --enc-c
:optional: :optional:
Specify the key to use for decrypting and encrypting the uploaded object. Encrypt or decrypt objects using client provided keys.
Repeat the flag to pass multiple keys.
Requires that you also specify the key to use with the :mc-cmd:`~mc put --encrypt-key` flag. Keys must be in either Raw Base64 or Hex format.
Alternatively, set the :envvar:`MC_ENCRYPT` environment variable. .. mc-cmd:: --enc-kms
.. mc-cmd:: --encrypt-key
:optional: :optional:
Specify the key to use for decrypting and encrypting the uploaded object.
Requires that you also pass the :mc-cmd:`~mc put --encrypt` flag set to ``TRUE``. Encrypt or decrypt objects using specific server-side keys.
Repeat the flag to pass multiple keys.
Alternatively, set the :envvar:`MC_ENCRYPT_KEY` environment variable. Defaults to the value in the ``MC_ENC_KMS`` environment variable.
.. mc-cmd:: --enc-s3
:optional:
Encrypt or decrypt objects using default server-side keys and configurations.
Repeat the flag to pass multiple keys.
Defaults to the value in the ``MC_ENC_S3`` environment variable.
.. mc-cmd:: --parallel, --P .. mc-cmd:: --parallel, --P
:optional: :optional:
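Review bot: `--enc-kms` and `--enc-s3` each note a `MC_ENC_KMS` or `MC_ENC_S3` default, but `--enc-c` has no equivalent line even though the removed `--encrypt-key` text listed `MC_ENCRYPT_KEY`; state whether an environment-variable alternative exists for the client key. None of the three entries says what `value` is: the `mc get` example in this commit shows `ALIAS/BUCKET/PREFIX=KEY` for `--enc-c`, and readers need the corresponding shape for `--enc-kms` (a target plus a KMS key name, presumably) and for `--enc-s3`. "Repeat the flag to pass multiple keys" under `--enc-s3` reads oddly for a flag that uses "default server-side keys"; if the intent is one flag per target, say so. Nit in the unchanged context: `.. mc-cmd:: --parallel, --P` uses a double dash for the short form while the synopsis says `-P`.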