diff --git a/source/administration/identity-access-management/policy-based-access-control.rst b/source/administration/identity-access-management/policy-based-access-control.rst index 36351b9c..fd1e6241 100644 --- a/source/administration/identity-access-management/policy-based-access-control.rst +++ b/source/administration/identity-access-management/policy-based-access-control.rst @@ -28,7 +28,7 @@ Tag-Based Policy Conditions .. versionchanged:: RELEASE.2022-10-02T19-29-29Z - Policies can use conditions to limit a user's access only to objects with a :ref:`specific tag `. + Policies can use conditions to limit a user's access only to objects with a specific tag. MinIO supports :s3-docs:`tag-based conditionals ` for policies for :ref:`selected actions `. Use the ``s3:ExistingObjectTag/`` in the ``Condition`` statement of the policy. @@ -156,11 +156,11 @@ Policy Document Structure MinIO policy documents use the same schema as :aws-docs:`AWS IAM Policy ` documents. -The following sample document provides a template for creating custom policies for use with a MinIO deployment. -For more complete documentation on IAM policy elements, see the :aws-docs:`IAM JSON Policy Elements Reference `. - -The maximum size for any single policy document is 20KiB. -There is no limit to the number of policy documents that can be attached to a user or group. +The following sample document provides a template for creating custom +policies for use with a MinIO deployment. For more complete documentation on IAM +policy elements, see the :aws-docs:`IAM JSON Policy Elements Reference +`. +The maximum size for a policy document is 2048 characters. .. code-block:: javascript :class: copyable diff --git a/source/administration/object-management.rst b/source/administration/object-management.rst index 640a3267..0ff70f1b 100644 --- a/source/administration/object-management.rst +++ b/source/administration/object-management.rst 
@@ -162,19 +162,6 @@ The specific client behavior on write, list, get, or delete operations on a buck See :ref:`minio-bucket-versioning` for more complete documentation. -.. _minio-object-tagging: - -Object Tagging --------------- - -MinIO supports adding custom tags to an object. -A tag is a key-value pair included in the metadata of an object. -Tags can be used to control access with policies or locate an object with :mc-cmd:`mc find --tags`. - -MinIO supports adding up to 10 custom tags to an object. - -For more on setting tags, refer to :mc:`mc tag set`. - Object Retention ---------------- diff --git a/source/administration/server-side-encryption.rst b/source/administration/server-side-encryption.rst index 47ff1f11..3489ba26 100644 --- a/source/administration/server-side-encryption.rst +++ b/source/administration/server-side-encryption.rst 
@@ -15,36 +15,46 @@ Server-Side Encryption of Objects .. |SSE| replace:: :abbr:`SSE (Server-Side Encryption)` .. |KMS| replace:: :abbr:`KMS (Key Management System)` -MinIO Server-Side Encryption (SSE) protects objects as part of write operations, allowing clients to take advantage of server processing power to secure objects at the storage layer (encryption-at-rest). -SSE also provides key functionality to regulatory and compliance requirements around secure locking and erasure. +MinIO Server-Side Encryption (SSE) protects objects as part of write operations, +allowing clients to take advantage of server processing power to secure objects +at the storage layer (encryption-at-rest). SSE also provides key functionality +to regulatory and compliance requirements around secure locking and erasure. -MinIO SSE uses the :minio-git:`MinIO Key Encryption Service (KES) ` and an external Key Management Service (KMS) for performing secured cryptographic operations at scale. -MinIO also supports client-managed key management, where the application takes full responsibility for creating and managing encryption keys for use with MinIO SSE. +MinIO SSE uses the :minio-git:`MinIO Key Encryption Service (KES) ` and an +external Key Management Service (KMS) for performing secured cryptographic +operations at scale. MinIO also supports client-managed key management, where +the application takes full responsibility for creating and managing encryption +keys for use with MinIO SSE. -MinIO SSE is feature and API compatible with :s3-docs:`AWS Server-Side Encryption ` and supports the following encryption strategies: +MinIO SSE is feature and API compatible with +:s3-docs:`AWS Server-Side Encryption ` and +supports the following encryption strategies: .. tab-set:: .. tab-item:: SSE-KMS *Recommended* :sync: sse-kms - MinIO supports enabling automatic SSE-KMS encryption of all objects written to a bucket using a specific External Key (EK) stored on the external |KMS|. 
- Clients can override the bucket-default |EK| by specifying an explicit key as part of the write operation. + MinIO supports enabling automatic SSE-KMS encryption of all objects + written to a bucket using a specific External Key (EK) stored on the + external |KMS|. Clients can override the bucket-default |EK| by specifying + an explicit key as part of the write operation. - For buckets without automatic SSE-KMS encryption, clients can specify an |EK| as part of the write operation instead. + For buckets without automatic SSE-KMS encryption, clients can specify + an |EK| as part of the write operation instead. - SSE-KMS provides more granular and customizable encryption compared to SSE-S3 and SSE-C and is recommended over the other supported encryption methods. + SSE-KMS provides more granular and customizable encryption compared to + SSE-S3 and SSE-C and is recommended over the other supported encryption + methods. - For a tutorial on enabling SSE-KMS in a local (non-production) MinIO Deployment, see :ref:`minio-encryption-sse-kms-quickstart`. - For production MinIO deployments, use one of the following guides: + For a tutorial on enabling SSE-KMS in a local (non-production) MinIO + Deployment, see :ref:`minio-encryption-sse-kms-quickstart`. For + production MinIO deployments, use one of the following guides: - - :kes-docs:`AWS Secrets Manager ` - - :kes-docs:`Azure Key Vault ` - - :kes-docs:`Entrust KeyControl ` - - :kes-docs:`Fortanix SDKMS ` - - :kes-docs:`Google Cloud Secret Manager ` - - :kes-docs:`Hashicorp Vault Keystore ` - - :kes-docs:`Thales CipherTrust Manager (formerly Gemalto KeySecure) ` + - :ref:`AWS SecretsManager ` + - :ref:`Google Cloud SecretManager ` + - :ref:`Azure Key Vault ` + - :ref:`Hashicorp KeyVault ` .. tab-item:: SSE-S3 :sync: sse-s3 
@@ -60,13 +70,10 @@ MinIO SSE is feature and API compatible with :s3-docs:`AWS Server-Side Encryptio Deployment, see :ref:`minio-encryption-sse-s3-quickstart`. For production MinIO deployments, use one of the following guides: - - :kes-docs:`AWS Secrets Manager ` - - :kes-docs:`Azure Key Vault ` - - :kes-docs:`Entrust KeyControl ` - - :kes-docs:`Fortanix SDKMS ` - - :kes-docs:`Google Cloud Secret Manager ` - - :kes-docs:`Hashicorp Vault Keystore ` - - :kes-docs:`Thales CipherTrust Manager (formerly Gemalto KeySecure) ` + - :ref:`AWS SecretsManager ` + - :ref:`Google Cloud SecretManager ` + - :ref:`Azure Key Vault ` + - :ref:`Hashicorp KeyVault ` .. tab-item:: SSE-C :sync: sse-c 
@@ -119,6 +126,66 @@ For more information, see: - :ref:`SSE-C Secure Erasure and Locking ` +Encryption Internals +-------------------- + +.. note:: + + The following section describes MinIO internal logic and functionality. + This information is purely educational and is not necessary for + configuring or implementing any MinIO feature. + +.. _minio-encryption-sse-content-encryption: + +Content Encryption +~~~~~~~~~~~~~~~~~~ + +The MinIO server uses an authenticated encryption scheme +(:ref:`AEAD `) to en/decrypt and authenticate +the object content. The AEAD is combined with some state to build a +**Secure Channel**. A Secure Channel is a cryptographic construction that +ensures confidentiality and integrity of the processed data. In particular, the +Secure Channel splits the plaintext content into fixed size chunks and +en/decrypts each chunk separately using an unique key-nonce combination. + +The following text diagram illustrates Secure Channel Construction of an +encrypted object: + +The Secure Channel splits the object content into chunks of a fixed size of +``65536`` bytes. The last chunk may be smaller to avoid adding additional +overhead and is treated specially to prevent truncation attacks. The nonce +value is ``96`` bits long and generated randomly per object / multi-part part. +The Secure Channel supports plaintexts up to ``65536 * 2^32 = 256 TiB``. + +For S3 multi-part operations, each object part is en/decrypted with the Secure +Channel Construction scheme shown above. For each part, MinIO generates a secret +key derived from the Object Encryption Key (OEK) and the part number using a +pseudo-random function (:ref:`PRF `), such that +``key = PRF(OEK, part_id)``. + +.. _minio-encryption-sse-primitives: + +Cryptographic Primitives +~~~~~~~~~~~~~~~~~~~~~~~~ + +The MinIO server uses the following cryptographic primitive implementations: + +.. 
list-table:: + :header-rows: 1 + :widths: 40 60 + :width: 100% + + * - + - Primitives + + * - Pseudo-Random Functions (PRF) + - HMAC-SHA-256 + + * - :ref:`AEAD ` + - ``ChaCha20-Poly1305`` by default. + + ``AES-256-GCM`` for x86-64 CPUs with the AES-NI extension. + .. toctree:: :titlesonly: :hidden: diff --git a/source/administration/server-side-encryption/server-side-encryption-sse-kms.rst b/source/administration/server-side-encryption/server-side-encryption-sse-kms.rst index 61a47022..f7b4ff42 100644 --- a/source/administration/server-side-encryption/server-side-encryption-sse-kms.rst +++ b/source/administration/server-side-encryption/server-side-encryption-sse-kms.rst @@ -49,15 +49,16 @@ You can enable bucket-default SSE-KMS encryption using the - Replace ``play/mybucket`` with the :mc:`alias ` and bucket on which you want to enable automatic SSE-KMS encryption. -MinIO SSE-KMS is functionally compatible with AWS S3 :s3-docs:`Server-Side Encryption with KMS keys stored in AWS ` while expanding support to include the following KMS providers: +MinIO SSE-KMS is functionally compatible with AWS S3 +:s3-docs:`Server-Side Encryption with KMS keys stored in AWS +` while expanding support to include the +following KMS providers: -- :kes-docs:`AWS Secrets Manager ` -- :kes-docs:`Azure Key Vault ` -- :kes-docs:`Entrust KeyControl ` -- :kes-docs:`Fortanix SDKMS ` -- :kes-docs:`Google Cloud Secret Manager ` -- :kes-docs:`Hashicorp Vault Keystore ` -- :kes-docs:`Thales CipherTrust Manager (formerly Gemalto KeySecure) ` +- :ref:`AWS SecretsManager ` +- :ref:`Google Cloud SecretManager ` +- :ref:`Azure Key Vault ` +- :ref:`Hashicorp KeyVault ` +- Thales CipherTrust (formerly Gemalto KeySecure) .. _minio-encryption-sse-kms-quickstart: 
@@ -70,13 +71,10 @@ supporting |SSE| with SSE-KMS in evaluation and early development environments. For extended development or production environments, use one of the following supported external Key Management Services (KMS): -- :kes-docs:`AWS Secrets Manager ` -- :kes-docs:`Azure Key Vault ` -- :kes-docs:`Entrust KeyControl ` -- :kes-docs:`Fortanix SDKMS ` -- :kes-docs:`Google Cloud Secret Manager ` -- :kes-docs:`Hashicorp Vault Keystore ` -- :kes-docs:`Thales CipherTrust Manager (formerly Gemalto KeySecure) ` +- :ref:`AWS SecretsManager ` +- :ref:`Google Cloud SecretManager ` +- :ref:`Azure Key Vault ` +- :ref:`Hashicorp KeyVault ` .. include:: /includes/common/common-minio-kes.rst :start-after: start-kes-play-sandbox-warning diff --git a/source/images/grafana-node.png b/source/images/grafana-node.png deleted file mode 100644 index 458525ab..00000000 Binary files a/source/images/grafana-node.png and /dev/null differ diff --git a/source/includes/common-minio-sse.rst b/source/includes/common-minio-sse.rst index 7275d475..4317ae13 100644 --- a/source/includes/common-minio-sse.rst +++ b/source/includes/common-minio-sse.rst 
@@ -1,26 +1,32 @@ .. start-sse-dek -MinIO generates a Data Encryption Key (DEK) using the |EK|. -Specifically, :minio-git:`MinIO Key Encryption Service (KES) ` requests a new cryptographic key from the KMS using the |EK| as the "root" key. +MinIO generates a Data Encryption Key (DEK) using the |EK|. Specifically, +:minio-git:`MinIO Key Encryption Service (KES) ` requests a new +cryptographic key from the KMS using the |EK| as the "root" key. -KES returns both the plain-text *and* an |EK|-encrypted representation of the DEK. -MinIO stores the encrypted representation as part of the object metadata. +KES returns both the plain-text *and* an |EK|-encrypted representation of the +DEK. MinIO stores the encrypted representation as part of the object metadata. .. end-sse-dek .. start-sse-kek -MinIO uses a deterministic algorithm to generate a 256-bit unique Key Encryption Key (KEK). -The key-derivation algorithm uses a pseudo-random function that takes the plain-text |DEK|, a randomly generated initialization vector, and a context consisting of values like the bucket and object name. +MinIO uses a deterministic algorithm to generate a 256-bit unique Key +Encryption Key (KEK). The key-derivation algorithm uses a pseudo-random function +(:ref:`PRF `) that takes the plain-text |DEK|, +a randomly generated initialization vector, and a context consisting of values +like the bucket and object name. -MinIO generates the KEK at the time of each cryptographic encryption or decryption operation and *never* stores the KEK to a drive. +MinIO generates the KEK at the time of each cryptographic encryption or +decryption operation and *never* stores the KEK to a drive. .. end-sse-kek .. start-sse-oek -MinIO generates a random 256-bit unique Object Encryption Key (OEK) and uses that key to encrypt the object. -MinIO never stores the plaintext representation of the OEK on a drive. -The plaintext OEK resides in RAM during cryptographic operations. 
+MinIO generates a random 256-bit unique Object Encryption Key (OEK) and uses +that key to encrypt the object. MinIO never stores the plaintext representation +of the OEK on a drive. The plaintext OEK resides in RAM during cryptographic +operations. .. end-sse-oek \ No newline at end of file diff --git a/source/operations/monitoring/grafana.rst b/source/operations/monitoring/grafana.rst index 57087f03..b5b8568e 100644 --- a/source/operations/monitoring/grafana.rst +++ b/source/operations/monitoring/grafana.rst 
@@ -56,36 +56,23 @@ MinIO Bucket Metrics Dashboard Visualize MinIO bucket metrics with the official MinIO Grafana dashboard for buckets available on the `Grafana dashboard portal `__. -Bucket metrics can be viewed in the Grafana dashboard using the `bucket JSON file on GitHub `__. +Bucket metrics can be viewed in the Grafana dashboard using the `bucket JSON file on GitHub `__. .. image:: /images/grafana-bucket.png :width: 600px :alt: A sample of the MinIO Grafana dashboard showing many different captured metrics for MinIO buckets. :align: center -.. _minio-node-grafana-metrics: - -MinIO Node Metrics Dashboard -~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Node metrics can be viewed in the Grafana dashboard using the `node JSON file on GitHub `__. - -.. image:: /images/grafana-node.png - :width: 600px - :alt: A sample of the MinIO Grafana dashboard showing many different captured metrics for MinIO nodes. - :align: center - - .. _minio-replication-grafana-metrics: -MinIO Replication Metrics Dashboard -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +MinIO Cluster Replication Metrics Dashboard +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Visualize MinIO bucket metrics with the official MinIO Grafana dashboard for replication available on the `Grafana dashboard portal `__. +Visualize MinIO bucket metrics with the official MinIO Grafana dashboard for cluster replication available on the `Grafana dashboard portal `__. -Cluster replication metrics can be viewed in the Grafana dashboard using the `cluster replication JSON file on GitHub `__. +Cluster replication metrics can be viewed in the Grafana dashboard using the `cluster replication JSON file on GitHub `__. .. image:: /images/grafana-replication.png :width: 600px - :alt: A sample of the MinIO Grafana dashboard showing many different captured metrics for replication. + :alt: A sample of the MinIO Grafana dashboard showing many different captured metrics for cluster replication. :align: center 
diff --git a/source/reference/minio-mc/mc-pipe.rst b/source/reference/minio-mc/mc-pipe.rst index debdf1d3..daa423ae 100644 --- a/source/reference/minio-mc/mc-pipe.rst +++ b/source/reference/minio-mc/mc-pipe.rst @@ -174,7 +174,6 @@ Set Tags on Uploaded Objects ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The following command creates an object on a MinIO deployment with an ALIAS of ``myminio`` in bucket ``mybucket`` with two tags. -You can set up to 10 tags on an object. .. code-block:: shell :class: copyable diff --git a/source/reference/minio-mc/mc-tag-set.rst b/source/reference/minio-mc/mc-tag-set.rst index 12d0fdc1..8f381662 100644 --- a/source/reference/minio-mc/mc-tag-set.rst +++ b/source/reference/minio-mc/mc-tag-set.rst @@ -27,8 +27,6 @@ The :mc:`mc tag set` command sets one or more tags to a bucket or object. .. end-mc-tag-set-desc -An object can have up to 10 tags. - .. tab-set:: .. tab-item:: EXAMPLE diff --git a/source/reference/minio-mc/mc-tag.rst b/source/reference/minio-mc/mc-tag.rst index 8fdb9f2b..807acdbe 100644 --- a/source/reference/minio-mc/mc-tag.rst +++ b/source/reference/minio-mc/mc-tag.rst @@ -20,8 +20,6 @@ The :mc:`mc tag` command adds, removes, and lists tags associated to a bucket or .. end-mc-tag-desc -An object can have up to 10 custom tags. - Subcommands ----------- diff --git a/source/reference/minio-server/settings/notifications/redis.rst b/source/reference/minio-server/settings/notifications/redis.rst index 95a97cff..6b17b6d3 100644 --- a/source/reference/minio-server/settings/notifications/redis.rst +++ b/source/reference/minio-server/settings/notifications/redis.rst 
@@ -214,29 +214,6 @@ Specify the password for the Redis server. MinIO redacts this value when returned as part of :mc-cmd:`mc admin config get`. -User -~~~~ - -*Optional* - -.. versionadded:: RELEASE.2024-03-21T23-13-43Z - -.. tab-set:: - - .. tab-item:: Environment Variable - :sync: envvar - - .. envvar:: MINIO_NOTIFY_REDIS_USER - - .. tab-item:: Configuration Setting - :sync: config - - .. mc-conf:: notify_redis user - :delimiter: " " - - -Specify the user for the Redis server. - Queue Directory ~~~~~~~~~~~~~~~
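Review bot: In the policy-based-access-control.rst hunk at @@ -156,11 +156,11 @@, the stated limit changes from `20KiB` per policy document to `2048 characters`, and the sentence `There is no limit to the number of policy documents that can be attached to a user or group.` is dropped without replacement. Those are two different figures for the same limit, so please cite the server behaviour the new number comes from, and keep the attachment-count sentence if it is still true. As a style point, this hunk also rewraps the file's one-sentence-per-line paragraphs into 80-column lines, which makes later diffs noisier; the first hunk in the same file keeps the existing convention.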
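Review bot: The object-management.rst hunk removes the `.. _minio-object-tagging:` label together with the whole Object Tagging section. Any remaining `:ref:` to that label elsewhere in the tree will fail the Sphinx build with an undefined-label warning; the policy-based-access-control.rst hunk drops one such reference, but the diff does not show that all of them were found. Grep for `minio-object-tagging` before merging, and if tagging is still a supported feature (the `mc tag set` and `mc find --tags` references in the deleted text suggest it is), keep the section rather than deleting the only conceptual description of it.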
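Review bot: In the server-side-encryption.rst hunk at @@ -15,36 +15,46 @@, the SSE-KMS guide list shrinks from seven `:kes-docs:` entries to four `:ref:` entries, silently dropping Entrust KeyControl, Fortanix SDKMS and Thales CipherTrust Manager and switching from the external KES documentation to in-tree labels. If those three providers are still supported this is a documentation regression; if they are not, the commit should say so. The `:ref:` targets are not visible in the diff, so confirm each label exists, and fix the naming drift in the new entries: `Hashicorp KeyVault` replaces `Hashicorp Vault Keystore` (the product is HashiCorp Vault), and `AWS SecretsManager` and `Google Cloud SecretManager` lose the space the previous entries had. The SSE-S3 list in the @@ -60,13 +70,10 @@ hunk has the same four entries and the same issues.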
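Review bot: In the Encryption Internals hunk (@@ -119,6 +126,66 @@ in server-side-encryption.rst), the sentence `The following text diagram illustrates Secure Channel Construction of an encrypted object:` is followed directly by the next paragraph; the diagram itself is missing, so either restore it or drop the sentence, and the later phrase `the Secure Channel Construction scheme shown above` then has nothing to refer to. The paragraph says each chunk is encrypted under a `unique key-nonce combination` and that one `96` bit nonce is generated per object or part, but does not say how the per-chunk nonce is derived from that per-part nonce; one sentence on that would make the non-reuse claim verifiable by the reader. Minor: `using an unique key-nonce combination` should read `a unique`. The size figure checks out: `65536 * 2^32` bytes is 2^48 bytes, which is 256 TiB.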
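Review bot: In the server-side-encryption-sse-kms.rst hunk at @@ -49,15 +49,16 @@, the new provider list ends with `- Thales CipherTrust (formerly Gemalto KeySecure)` as plain text with no link, while the SSE overview page changed in this same patch lists only four providers; the two pages now disagree on whether Thales is supported, and Entrust KeyControl and Fortanix SDKMS disappear from both. Pick one list, link the Thales entry the same way as the others, and reuse it in both files; an `.. include::` of a shared snippet, as common-minio-sse.rst already does for the DEK/KEK/OEK text, would stop the lists drifting apart again.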
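Review bot: The common-minio-sse.rst hunk leaves `\ No newline at end of file` after `.. end-sse-oek`; add the trailing newline so the snippet ends cleanly and the next edit to this file does not show a spurious change on that line. The `:ref:` added after `pseudo-random function` in the KEK paragraph is a useful cross-link to the new primitives section, but its target is not visible in the diff, so confirm the label resolves; everything else in this hunk is rewrapping with no change in meaning.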
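Review bot: In the grafana.rst hunk at @@ -56,36 +56,23 @@, the renamed section still opens with `Visualize MinIO bucket metrics with the official MinIO Grafana dashboard for cluster replication`; under a Cluster Replication heading that should read `replication metrics`, otherwise the bucket and replication sections describe the same thing. The hunk also deletes the `.. _minio-node-grafana-metrics:` label along with the node dashboard section (its image goes in the grafana-node.png hunk), so any `:ref:` to that label elsewhere in the docs will now break the build; grep for it before merging, and if the node dashboard JSON is still published, keep the section rather than removing it.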
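Review bot: The removal of `You can set up to 10 tags on an object.` in the mc-pipe.rst hunk, together with the matching lines in the mc-tag-set.rst and mc-tag.rst hunks, is consistent with dropping the Object Tagging section, but if the server still enforces a per-object tag limit this leaves a real limit undocumented and users will only discover it from an error. Confirm the current limit before merging; if it is unchanged, keep one statement of it in mc-tag.rst, which is where the other two pages point.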
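Review bot: The redis.rst hunk at @@ -214,29 +214,6 @@ removes the whole `User` setting (`MINIO_NOTIFY_REDIS_USER` / `notify_redis user`), which the deleted text marks as `.. versionadded:: RELEASE.2024-03-21T23-13-43Z`. Removing documentation for a setting that shipped in a tagged release, without a deprecation note, leaves operators who authenticate to Redis with a named ACL user rather than the default user with no documented way to set the username; if the setting was reverted server-side, say so in the commit message, otherwise keep this section.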