minio/docs
1
0
Fork 0
mirror of https://github.com/minio/docs.git synced 2025-07-30 07:03:26 +03:00
Code Activity

Simplify SSE tutorials and refer to KES docs (#1136)

Browse Source 
This PR simplifies the management of KMS integrations by removing the
detailed documentation and linking out to the KES docs site instead.

There should be no mention of any specific KMS target.
Each OS/platform should have references to the correct paths, OS, and
the like.

This completes work started on the KES docs side in
https://github.com/minio/kes-docs/pull/48.

Staged:

-
[Linux](http://192.241.195.202:9000/staging/ssekms/linux/operations/server-side-encryption/configure-minio-kes.html)
-
[Windows](http://192.241.195.202:9000/staging/ssekms/windows/operations/server-side-encryption/configure-minio-kes.html)
-
[Kubernetes](http://192.241.195.202:9000/staging/ssekms/k8s/operations/server-side-encryption/configure-minio-kes.html)
-
[Containers](http://192.241.195.202:9000/staging/ssekms/container/operations/server-side-encryption/configure-minio-kes.html)
-
[MacOS](http://192.241.195.202:9000/staging/ssekms/macos/operations/server-side-encryption/configure-minio-kes.html)
This commit is contained in:
Daryl White
2024-02-29 12:30:06 -05:00
committed by GitHub
parent b4d0a36c71
commit cb2aa233a0
39 changed files with 383 additions and 4121 deletions
Download Patch File Download Diff File Expand all files Collapse all files

133
source/includes/common/common-minio-kes-aws.rst
View File

@ -1,133 +0,0 @@
.. start-kes-configuration-aws-desc
|KES| uses a YAML-formatted configuration file. The following example YAML
specifies the minimum required fields for enabling |SSE| using AWS Secrets
Manager:
.. code-block:: shell
:class: copyable
:substitutions:
address: 0.0.0.0:7373
# Disable the root identity, as we do not need that level of access for
# supporting SSE operations.
root: disabled
# Specify the TLS keys generated in the previous step here
# For production environments, use keys signed by a known and trusted
# Certificate Authority (CA).
tls:
key: |kesconfigcertpath|kes-server.key
cert: |kesconfigcertpath|kes-server.cert
# Create a policy named 'minio' that grants access to the
# /create, /generate, and /decrypt KES APIs for any key name
# KES uses mTLS to grant access to this policy, where only the client
# whose TLS certificate hash matches one of the "identities" can
# use this policy. Specify the hash of the MinIO server TLS certificate
# hash here.
policy:
minio:
allow:
- /v1/key/create/* # You can replace these wildcard '*' with a string prefix to restrict key names
- /v1/key/generate/* # e.g. '/minio-'
- /v1/key/decrypt/*
- /v1/key/bulk/decrypt
- /v1/key/list/*
- /v1/status
- /v1/metrics
- /v1/log/audit
- /v1/log/error
identities:
- ${MINIO_IDENTITY_HASH} # Replace with the output of 'kes identity of minio-kes.cert'
# In production environments, each client connecting to KES must
# Have their TLS hash listed under at least one `policy`.
# Specify the connection information for the KMS and Secrets Manager endpoint.
# The endpoint should be resolvable from the host.
# This example assumes that the associated AWS account has the necessary
# access key and secret key
keystore:
aws:
secretsmanager:
endpoint: secretsmanager.REGION.amazonaws.com # use the Secrets Manager endpoint for your region
region: REGION # e.g. us-east-1
kmskey: "" # Optional. The root AWS KMS key to use for cryptographic operations. Formerly described as the "Customer Master Key".
credentials:
accesskey: "AWSACCESSKEY" # AWS Access Key
secretkey: "AWSSECRETKEY" # AWS Secret Key
.. end-kes-configuration-aws-desc
.. start-kes-configuration-aws-container-desc
|KES| uses a YAML-formatted configuration file. The following example YAML
specifies the minimum required fields for enabling |SSE| using AWS Secrets
Manager:
.. code-block:: shell
:class: copyable
:substitutions:
address: 0.0.0.0:7373
# Disable the root identity, as we do not need that level of access for
# supporting SSE operations.
root: disabled
# Specify the TLS keys generated in the previous step here
# For production environments, use keys signed by a known and trusted
# Certificate Authority (CA).
tls:
key: /certs/server.key
cert: /certs/server.cert
# Create a policy named 'minio' that grants access to the
# /create, /generate, and /decrypt KES APIs for any key name
# KES uses mTLS to grant access to this policy, where only the client
# whose TLS certificate hash matches one of the "identities" can
# use this policy. Specify the hash of the MinIO server TLS certificate
# hash here.
policy:
minio:
allow:
- /v1/key/create/*
- /v1/key/generate/*
- /v1/key/decrypt/*
identities:
- ${MINIO_IDENTITY_HASH} # Replace with the output of 'kes identity of minio-kes.cert'
# Specify the connection information for the KMS and Secrets Manager endpoint.
# The endpoint should be resolvable from the host.
# This example assumes that the associated AWS account has the necessary
# access key and secret key
keystore:
aws:
secretsmanager:
endpoint: secretsmanager.REGION.amazonaws.com # use the Secrets Manager endpoint for your region
region: REGION # e.g. us-east-1
kmskey: "" # Optional. The root AWS KMS key to use for cryptographic operations. Formerly described as the "Customer Master Key".
credentials:
accesskey: "${AWSACCESSKEY}" # AWS Access Key
secretkey: "${AWSSECRETKEY}" # AWS Secret Key
Save the configuration file as ``|path|/config/kes-config.yaml``. Any field with
value ``${VARIABLE}`` uses the environment variable with matching name as the
value. You can use this functionality to set credentials without writing them to
the configuration file.
- Set ``MINIO_IDENTITY_HASH`` to the output of
``kes identity of minio-kes.cert``.
- Replace the ``REGION`` with the appropriate region for AWS Secrets Manager.
The value **must** match for both ``endpoint`` and ``region``.
- Set ``AWSACCESSKEY`` and ``AWSSECRETKEY`` to the appropriate
:ref:`AWS Credentials <minio-sse-aws-prereq-aws>`.
.. end-kes-configuration-aws-container-desc

60
source/includes/common/common-minio-kes-azure.rst
View File

@ -1,60 +0,0 @@
.. start-kes-configuration-azure-desc
|KES| uses a YAML-formatted configuration file. The following example YAML
specifies the minimum required fields for enabling |SSE| using AWS Secrets
Manager:
.. code-block:: shell
:class: copyable
:substitutions:
address: 0.0.0.0:7373
# Disable the root identity, as we do not need that level of access for
# supporting SSE operations.
root: disabled
# Specify the TLS keys generated in the previous step here
# For production environments, use keys signed by a known and trusted
# Certificate Authority (CA).
tls:
key: |kesconfigcertpath|kes-server.key
cert: |kesconfigcertpath|kes-server.cert
# Create a policy named 'minio' that grants access to the
# /create, /generate, and /decrypt KES APIs for any key name
# KES uses mTLS to grant access to this policy, where only the client
# whose TLS certificate hash matches one of the "identities" can
# use this policy. Specify the hash of the MinIO server TLS certificate
# hash here.
policy:
minio:
allow:
- /v1/key/create/* # You can replace these wildcard '*' with a string prefix to restrict key names
- /v1/key/generate/* # e.g. '/minio-'
- /v1/key/decrypt/*
- /v1/key/bulk/decrypt
- /v1/key/list/*
- /v1/status
- /v1/metrics
- /v1/log/audit
- /v1/log/error
identities:
- ${MINIO_IDENTITY_HASH} # Replace with the output of 'kes identity of minio-kes.cert'
# Specify the connection information for the Key Vualt endpoint.
# The endpoint should be resolvable from the host.
# This example assumes that the specified Key Vault and Azure tenant/client
# have the necessary permissions set.
keystore:
azure:
keyvault:
endpoint: "https://<keyvaultinstance>vault.azure.net" # The Azure Keyvault Instance Endpoint
credentials:
tenant_id: "${TENANTID}" # The directory/tenant UUID
client_id: "${CLIENTID}" # The application/client UUID
client_secret: "${CLIENTSECRET}" # The Active Directory secret for the application
.. end-kes-configuration-azure-desc

60
source/includes/common/common-minio-kes-gcp.rst
View File

@ -1,60 +0,0 @@
.. start-kes-configuration-gcp-desc
|KES| uses a YAML-formatted configuration file. The following example YAML
specifies the minimum required fields for enabling |SSE| using GCP Secrets
Manager:
.. code-block:: shell
:class: copyable
:substitutions:
address: 0.0.0.0:7373
# Disable the root identity, as we do not need that level of access for
# supporting SSE operations.
root: disabled
# Specify the TLS keys generated in the previous step here
# For production environments, use keys signed by a known and trusted
# Certificate Authority (CA).
tls:
key: |kesconfigcertpath|kes-server.key
cert: |kesconfigcertpath|kes-server.cert
# Create a policy named 'minio' that grants access to the
# /create, /generate, and /decrypt KES APIs for any key name
# KES uses mTLS to grant access to this policy, where only the client
# whose TLS certificate hash matches one of the "identities" can
# use this policy. Specify the hash of the MinIO server TLS certificate
# hash here.
policy:
minio:
allow:
- /v1/key/create/* # You can replace these wildcard '*' with a string prefix to restrict key names
- /v1/key/generate/* # e.g. '/minio-'
- /v1/key/decrypt/*
- /v1/key/bulk/decrypt
- /v1/key/list/*
- /v1/status
- /v1/metrics
- /v1/log/audit
- /v1/log/error
identities:
- ${MINIO_IDENTITY_HASH} # Replace with the output of 'kes identity of minio-kes.cert'
# Specify the connection information for the Secrets Manager endpoint.
# The endpoint should be resolvable from the host.
# This example assumes that the associated GCP account has the necessary
# access key and secret key
keystore:
gcp:
secretmanager:
project_id: "${GCPPROJECTID}" # The GCP Project to use
credentials:
client_email: "${GCPCLIENTEMAIL}" # The client email for your GCP Credentials
client_id: "${GCPCLIENTID}" # The Client ID for your GCP Credentials
private_key_id: "${GCPPRIVATEKEYID}" # the private key ID for your GCP credentials
private_key: "${GCPPRIVATEKEY}" # The content of your GCP Private Key
.. end-kes-configuration-gcp-desc

65
source/includes/common/common-minio-kes.rst
View File

@ -12,7 +12,7 @@ You cannot disable KES later or "undo" the |SSE| configuration at a later point.
.. start-kes-new-existing-minio-deployment-desc
This procedure provides instructions for modifying the startup environment variables of a MinIO deployment to enable |SSE| via KES and the root KMS.
This procedure provides instructions for modifying the startup environment variables of a MinIO deployment to enable |SSE| via KES and the KMS target.
For instructions on new production deployments, see the :ref:`Multi-Node Multi-Drive (Distributed) <minio-mnmd>` tutorial.
For instructions on new local or evaluation deployments, see the :ref:`Single-Node Single-Drive <minio-snsd>` tutorial.
@ -27,19 +27,16 @@ For existing MinIO Deployments, you can modify the existing environment file and
The following commands create two TLS certificates that expire within 30 days of creation:
- A TLS certificate for KES to secure communications between it and the Vault deployment
- A TLS certificate to secure communications between KES and the KMS.
- A TLS certificate for MinIO to perform mTLS authentication to KES.
.. admonition:: Use Caution in Production Environments
:class: important
**DO NOT** use the TLS certificates generated as part of this procedure for
any long-term development or production environments.
**DO NOT** use the TLS certificates generated as part of this procedure for any long-term development or production environments.
Defer to organization/industry best practices around TLS certificate
generation and management. A complete guide to creating valid certificates
(e.g. well-formed, current, and trusted) is beyond the scope of this
procedure.
Defer to organization/industry best practices around TLS certificate generation and management.
A complete guide to creating valid certificates (e.g. well-formed, current, and trusted) is beyond the scope of this procedure.
.. code-block:: shell
:class: copyable
@ -61,7 +58,7 @@ The following commands create two TLS certificates that expire within 30 days of
--dns localhost
The ``--ip`` and ``--dns`` parameters set the IP and DNS ``SubjectAlternativeName`` for the certificate.
The above example assumes that all components (Vault, MinIO, and KES) deploy on the same local host machine accessible via ``localhost`` or ``127.0.0.1``.
The above example assumes that all components (KMS, MinIO, and KES) deploy on the same local host machine accessible via ``localhost`` or ``127.0.0.1``.
You can specify additional IP or Hostnames based on the network configuration of your local host.
.. end-kes-generate-kes-certs-desc
@ -94,7 +91,7 @@ Run the following commands in a terminal or shell to start the KES server as a f
The first command allows |KES| to use the `mlock <http://man7.org/linux/man-pages/man2/mlock.2.html>`__ system call without running as root.
``mlock`` ensures the OS does not write in-memory data to a drive (swap memory) and mitigates the risk of cryptographic operations being written to unsecured drive at any time.
KES 0.21.0 and later automatically detect and enable ``mlock`` if supported by the host OS.
KES 0.21.0 and later automatically detects and enables ``mlock`` if supported by the host OS.
Versions 0.20.0 and earlier required specifying the ``--mlock`` argument to KES.
The second command starts the KES server in the foreground using the configuration file created in the last step.
@ -103,17 +100,16 @@ Using self-signed certificates for either the MinIO client or the root KMS serve
|KES| listens on port ``7373`` by default.
You can monitor the server logs from the terminal session.
If you run |KES| without tying it to the current shell session (e.g. with ``nohup``), use that method's associated logging system (e.g. ``nohup.txt``).
If you run |KES| without tying it to the current shell session (for example, with ``nohup``), use that method's associated logging system (for example, ``nohup.txt``).
.. end-kes-start-server-desc
.. start-kes-generate-key-desc
MinIO requires that the |EK| exist on the root KMS *before* performing |SSE| operations using that key.
MinIO requires that the |EK| exist on the KMS *before* performing |SSE| operations using that key.
Use ``kes key create`` *or* :mc-cmd:`mc admin kms key create` to add a new |EK| for use with |SSE|.
The following command uses the :mc-cmd:`mc admin kms key create` command to add a new External Key (EK) stored on the root KMS server for use with encrypting the MinIO backend.
The following command uses the :mc-cmd:`mc admin kms key create` command to add a new External Key (EK) stored on the KMS server for use with encrypting the MinIO backend.
.. code-block:: shell
:class: copyable
@ -155,8 +151,7 @@ If the MinIO server host machines cannot resolve or reach the specified ``HOSTNA
MinIO uses the :envvar:`MINIO_KMS_KES_KEY_NAME` key for the following cryptographic operations:
- Encrypting the MinIO backend (IAM, configuration, etc.)
- Encrypting objects using :ref:`SSE-KMS <minio-encryption-sse-kms>` if the request does not
include a specific |EK|.
- Encrypting objects using :ref:`SSE-KMS <minio-encryption-sse-kms>` if the request does not include a specific |EK|.
- Encrypting objects using :ref:`SSE-S3 <minio-encryption-sse-s3>`.
MinIO uses the :envvar:`MINIO_KMS_KES_ENCLAVE` key to define the name of the KES enclave to use.
@ -177,8 +172,8 @@ You can use either the MinIO Console or the MinIO :mc:`mc` CLI to enable bucket-
.. tab-item:: MinIO Console
Open the MinIO Console by navigating to http://127.0.0.1:9001 in your preferred browser and logging in with the root credentials specified to the MinIO container.
If you deployed MinIO using a different Console listen port, substitute ``9090`` with that port value.
Open the MinIO Console by navigating to http://127.0.0.1:9001 in your preferred browser and logging in with the root credentials specified to the MinIO Server.
If you deployed MinIO using a different Console listen port, substitute ``9001`` with that port value.
Once logged in, create a new Bucket and name it to your preference.
Select the Gear :octicon:`gear` icon to open the management view.
@ -188,7 +183,7 @@ You can use either the MinIO Console or the MinIO :mc:`mc` CLI to enable bucket-
Select :guilabel:`SSE-KMS`, then enter the name of the key created in the previous step.
Once you save your changes, try to upload a file to the bucket.
When viewing that file in the object browser, note that in the sidebar the metadata includes the SSE encryption scheme and information on the key used to encrypt that object.
When viewing that file in the object browser, note that the sidebar metadata includes the SSE encryption scheme and information on the key used to encrypt that object.
This indicates the successful encrypted state of the object.
.. tab-item:: MinIO CLI
@ -254,25 +249,19 @@ MinIO |SSE| requires access to the following KES cryptographic APIs:
Specifying additional keys does not expand MinIO |SSE| functionality and may violate security best practices around providing unnecessary client access to cryptographic key operations.
You can restrict the range of key names MinIO can create as part of performing
|SSE| by specifying a prefix before the ``*``. For example,
``minio-sse-*`` only grants access to create, generate, or decrypt keys using
the ``minio-sse-`` prefix.
You can restrict the range of key names MinIO can create as part of performing |SSE| by specifying a prefix before the ``*``.
For example, ``minio-sse-*`` only grants access to create, generate, or decrypt keys using the ``minio-sse-`` prefix.
|KES| uses mTLS to authorize connecting clients by comparing the
hash of the TLS certificate against the ``identities`` of each configured
policy. Use the ``kes identity of`` command to compute the identity of the
MinIO mTLS certificate and add it to the ``policy.<NAME>.identities`` array
to associate MinIO to the ``<NAME>`` policy.
|KES| uses mTLS to authorize connecting clients by comparing the hash of the TLS certificate against the ``identities`` of each configured policy.
Use the ``kes identity of`` command to compute the identity of the MinIO mTLS certificate and add it to the ``policy.<NAME>.identities`` array to associate MinIO to the ``<NAME>`` policy.
.. end-kes-conf-policy-desc
.. start-kes-conf-keys-desc
Specify an array of keys which *must* exist on the root KMS for |KES| to
successfully start. KES attempts to create the keys if they do not exist and
exits with an error if it fails to create any key. KES does not accept any
client requests until it completes validation of all specified keys.
Specify an array of keys which *must* exist on the root KMS for |KES| to successfully start.
KES attempts to create the keys if they do not exist and exits with an error if it fails to create any key.
KES does not accept any client requests until it completes validation of all specified keys.
.. end-kes-conf-keys-desc
@ -289,16 +278,12 @@ client requests until it completes validation of all specified keys.
.. important::
The MinIO KES ``Play`` sandbox is public and grants root access to all
created External Keys (EK). Any |EK| stored on the ``Play`` sandbox may be
accessed or destroyed at any time, rendering protected data vulnerable or
permanently unreadable.
The MinIO KES ``Play`` sandbox is public and grants root access to all created External Keys (EK).
Any |EK| stored on the ``Play`` sandbox may be accessed or destroyed at any time, rendering protected data vulnerable or permanently unreadable.
- **Never** use the ``Play`` sandbox to protect data you cannot afford to
lose or reveal.
- **Never** use the ``Play`` sandbox to protect data you cannot afford to lose or reveal.
- **Never** generate |EK| using names that reveal private, confidential, or
internal naming conventions for your organization.
- **Never** generate |EK| using names that reveal private, confidential, or internal naming conventions for your organization.
- **Never** use the ``Play`` sandbox for production environments.

29
source/includes/container/common-minio-kes.rst
View File

@ -3,7 +3,7 @@
The commands in this section create the following resources:
- A Podman :podman-docs:`Pod <markdown/podman-pod.1.html>` to facilitate container communications
- A Container for the KES Server configured to use |rootkms| as the Root |KMS|.
- A Container for the KES Server configured to use the chosen supported |KMS| solution.
- A Container for a MinIO Server running in :ref:`Single-Node Single-Drive Mode <minio-snsd>`.
.. code-block:: shell
@ -51,19 +51,16 @@ If all pods are operational, you can connect to the MinIO deployment by opening
The following commands create two TLS certificates that expire within 30 days of creation:
- A TLS certificate for KES to secure communications between it and the |rootkms| service.
- A TLS certificate to secure communications between KES and the |KMS| service.
- A TLS certificate for MinIO to perform mTLS authentication to KES.
.. admonition:: Use Caution in Production Environments
:class: important
**DO NOT** use the TLS certificates generated as part of this procedure for
any long-term development or production environments.
**DO NOT** use the TLS certificates generated as part of this procedure for any long-term development or production environments.
Defer to organization/industry best practices around TLS certificate
generation and management. A complete guide to creating valid certificates
(e.g. well-formed, current, and trusted) is beyond the scope of this
procedure.
Defer to organization/industry best practices around TLS certificate generation and management.
A complete guide to creating valid certificates (for example, well-formed, current, and trusted) is beyond the scope of this procedure.
.. code-block:: shell
:class: copyable
@ -111,8 +108,7 @@ This command assumes the ``minio-kes.cert``, ``minio-kes.key``, and ``kes-server
MinIO uses the :envvar:`MINIO_KMS_KES_KEY_NAME` key for the following cryptographic operations:
- Encrypting the MinIO backend (IAM, configuration, etc.)
- Encrypting objects using :ref:`SSE-KMS <minio-encryption-sse-kms>` if the request does not
include a specific |EK|.
- Encrypting objects using :ref:`SSE-KMS <minio-encryption-sse-kms>` if the request does not include a specific |EK|.
- Encrypting objects using :ref:`SSE-S3 <minio-encryption-sse-s3>`.
MinIO uses the :envvar:`MINIO_KMS_KES_ENCLAVE` key to define the name of the KES enclave to use.
@ -135,16 +131,13 @@ KES automatically creates this key if it does not already exist on the root KMS.
.. admonition:: Unseal Vault Before Creating Key
:class: important
You must unseal the backing Vault instance before creating new encryption keys.
See the Vault documentation on `Seal/Unseal <https://www.vaultproject.io/docs/concepts/seal>`__ for more information.
If required for your chosen provider, you must unseal the backing |KMS| instance before creating new encryption keys.
Refer to the documentation for your chosen KMS solution for more information.
MinIO requires that the |EK| exist on the root KMS *before* performing
|SSE| operations using that key. Use ``kes key create`` *or*
:mc-cmd:`mc admin kms key create` to create a new |EK| for use with |SSE|.
MinIO requires that the |EK| exist on the root KMS *before* performing |SSE| operations using that key.
Use :kes-docs:`kes key create <cli/kes-key/create/>` *or* :mc-cmd:`mc admin kms key create` to create a new |EK| for use with |SSE|.
The following command uses the ``kes key create`` command to add a new
External Key (EK) stored on the root KMS server for use with encrypting
the MinIO backend.
The following command uses the :kes-docs:`kes key create <cli/kes-key/create/>` command to add a new External Key (EK) stored on the root KMS server for use with encrypting the MinIO backend.
.. code-block:: shell
:class: copyable

140
source/includes/container/steps-configure-minio-kes-aws.rst
View File

@ -1,140 +0,0 @@
(Podman) Deploy MinIO and KES with Server-Side Encryption using AWS Secrets Manager
-----------------------------------------------------------------------------------
Prior to starting these steps, create the following folders:
.. code-block:: shell
:class: copyable
:substitutions:
mkdir -P |kescertpath|
mkdir -P |kesconfigpath|
mkdir -P |miniodatapath|
For Windows hosts, substitute the paths with Windows-style paths, e.g. ``C:\minio-kes-vault\``.
1) Generate TLS Certificates for KES and MinIO
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/container/common-minio-kes.rst
:start-after: start-kes-generate-kes-certs-desc
:end-before: end-kes-generate-kes-certs-desc
Depending on your Vault configuration, you may need to pass the ``kes-server.cert`` as a trusted Certificate Authority. See the `Hashicorp Vault Configuration Docs <https://www.vaultproject.io/docs/configuration/listener/tcp#tls_client_ca_file>`__ for more information.
Defer to the client documentation for instructions on trusting a third-party CA.
2) Create the KES and MinIO Configurations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
a. Create the KES Configuration File
Create the configuration file using your preferred text editor.
The following example uses ``nano``:
.. code-block:: shell
:substitutions:
nano |kesconfigpath|/kes-config.yaml
.. include:: /includes/common/common-minio-kes-aws.rst
:start-after: start-kes-configuration-aws-desc
:end-before: end-kes-configuration-aws-desc
- Set ``MINIO_IDENTITY_HASH`` to the identity hash of the MinIO mTLS certificate.
The following command computes the necessary hash:
.. code-block:: shell
:class: copyable
:substitutions:
podman run --rm \
-v |kescertpath|/certs:/certs \
kes:|kes-stable| tool identity of /certs/minio-kes.cert
- Set ``MINIO_IDENTITY_HASH`` to the identity hash of the MinIO mTLS certificate.
The following command computes the necessary hash:
.. code-block:: shell
:class: copyable
:substitutions:
podman run --rm \
-v |kescertpath|/certs:/certs \
kes:|kes-stable| tool identity of /certs/minio-kes.cert
- Replace the ``REGION`` with the appropriate region for AWS Secrets Manager.
The value **must** match for both ``endpoint`` and ``region``.
- Set ``AWSACCESSKEY`` and ``AWSSECRETKEY`` to the appropriate :ref:`AWS Credentials <minio-sse-aws-prereq-aws>`.
b. Create the MinIO Environment File
Create the environment file using your preferred text editor.
The following example uses ``nano``:
.. code-block:: shell
:substitutions:
nano |minioconfigpath|/minio
.. include:: /includes/container/common-minio-kes.rst
:start-after: start-kes-configuration-minio-desc
:end-before: end-kes-configuration-minio-desc
3) Create Pod and Containers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/container/common-minio-kes.rst
:start-after: start-common-deploy-create-pod-and-containers
:end-before: end-common-deploy-create-pod-and-containers
4) Generate a New Encryption Key
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/container/common-minio-kes.rst
:start-after: start-kes-generate-key-desc
:end-before: end-kes-generate-key-desc
5) Enable SSE-KMS for a Bucket
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
You can use either the MinIO Console or the MinIO :mc:`mc` CLI to enable bucket-default SSE-KMS with the generated key:
.. tab-set::
.. tab-item:: MinIO Console
Open the MinIO Console by navigating to http://127.0.0.1:9001 in your preferred browser and logging in with the root credentials specified to the MinIO container.
Once logged in, create a new Bucket and name it to your preference.
Select the Gear :octicon:`gear` icon to open the management view.
Select the pencil :octicon:`pencil` icon next to the :guilabel:`Encryption` field to open the modal for configuring a bucket default SSE scheme.
Select :guilabel:`SSE-KMS`, then enter the name of the key created in the previous step.
Once you save your changes, try to upload a file to the bucket.
When viewing that file in the object browser, note that in the sidebar the metadata includes the SSE encryption scheme and information on the key used to encrypt that object.
This indicates the successful encrypted state of the object.
.. tab-item:: MinIO CLI
The following commands:
- Create a new :ref:`alias <alias>` for the MinIO deployment
- Create a new bucket for storing encrypted data
- Enable SSE-KMS encryption on that bucket
.. code-block:: shell
:class: copyable
mc alias set local http://127.0.0.1:9000 ROOTUSER ROOTPASSWORD
mc mb local/encryptedbucket
mc encrypt set SSE-KMS encrypted-bucket-key ALIAS/encryptedbucket
Write a file to the bucket using :mc:`mc cp` or any S3-compatible SDK with a ``PutObject`` function.
You can then run :mc:`mc stat` on the file to confirm the associated encryption metadata.

124
source/includes/container/steps-configure-minio-kes-azure.rst
View File

@ -1,124 +0,0 @@
(Podman) Deploy MinIO and KES with Server-Side Encryption using Azure Key Vault
-------------------------------------------------------------------------------
Prior to starting these steps, create the following folders:
.. code-block:: shell
:class: copyable
:substitutions:
mkdir -P |kescertpath|
mkdir -P |kesconfigpath|
mkdir -P |miniodatapath|
For Windows hosts, substitute the paths with Windows-style paths, e.g. ``C:\minio-kes-vault\``.
1) Generate TLS Certificates for KES and MinIO
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/container/common-minio-kes.rst
:start-after: start-kes-generate-kes-certs-desc
:end-before: end-kes-generate-kes-certs-desc
2) Create the KES and MinIO Configurations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
a. Create the KES Configuration File
Create the configuration file using your preferred text editor.
The following example uses ``nano``:
.. code-block:: shell
:substitutions:
nano |kesconfigpath|/kes-config.yaml
.. include:: /includes/common/common-minio-kes-azure.rst
:start-after: start-kes-configuration-azure-desc
:end-before: end-kes-configuration-azure-desc
- Set ``MINIO_IDENTITY_HASH`` to the identity hash of the MinIO mTLS certificate.
The following command computes the necessary hash:
.. code-block:: shell
:class: copyable
:substitutions:
podman run --rm \
-v |kescertpath|/certs:/certs \
kes:|kes-stable| tool identity of /certs/minio-kes.cert
- Replace the ``endpoint`` with the URL for the Keyvault instance.
- Set ``TENANTID``, ``CLIENTID``, and ``CLIENTSECRET`` to match the credentials for a project user with the :ref:`required permissions <minio-sse-azure-prereq-azure>`.
b. Create the MinIO Environment File
Create the environment file using your preferred text editor.
The following example uses ``nano``:
.. code-block:: shell
:substitutions:
nano |minioconfigpath|/minio
.. include:: /includes/container/common-minio-kes.rst
:start-after: start-kes-configuration-minio-desc
:end-before: end-kes-configuration-minio-desc
3) Create Pod and Containers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/container/common-minio-kes.rst
:start-after: start-common-deploy-create-pod-and-containers
:end-before: end-common-deploy-create-pod-and-containers
4) Generate a New Encryption Key
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/container/common-minio-kes.rst
:start-after: start-kes-generate-key-desc
:end-before: end-kes-generate-key-desc
5) Enable SSE-KMS for a Bucket
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
You can use either the MinIO Console or the MinIO :mc:`mc` CLI to enable bucket-default SSE-KMS with the generated key:
.. tab-set::
.. tab-item:: MinIO Console
Open the MinIO Console by navigating to http://127.0.0.1:9001 in your preferred browser and logging in with the root credentials specified to the MinIO container.
Once logged in, create a new Bucket and name it to your preference.
Select the Gear :octicon:`gear` icon to open the management view.
Select the pencil :octicon:`pencil` icon next to the :guilabel:`Encryption` field to open the modal for configuring a bucket default SSE scheme.
Select :guilabel:`SSE-KMS`, then enter the name of the key created in the previous step.
Once you save your changes, try to upload a file to the bucket.
When viewing that file in the object browser, note that in the sidebar the metadata includes the SSE encryption scheme and information on the key used to encrypt that object.
This indicates the successful encrypted state of the object.
.. tab-item:: MinIO CLI
The following commands:
- Create a new :ref:`alias <alias>` for the MinIO deployment
- Create a new bucket for storing encrypted data
- Enable SSE-KMS encryption on that bucket
.. code-block:: shell
:class: copyable
mc alias set local http://127.0.0.1:9000 ROOTUSER ROOTPASSWORD
mc mb local/encryptedbucket
mc encrypt set SSE-KMS encrypted-bucket-key ALIAS/encryptedbucket
Write a file to the bucket using :mc:`mc cp` or any S3-compatible SDK with a ``PutObject`` function.
You can then run :mc:`mc stat` on the file to confirm the associated encryption metadata.

127
source/includes/container/steps-configure-minio-kes-gcp.rst
View File

@ -1,127 +0,0 @@
(Podman) Deploy MinIO and KES with Server-Side Encryption using GCP Secrets Manager
-----------------------------------------------------------------------------------
Prior to starting these steps, create the following folders:
.. code-block:: shell
:class: copyable
:substitutions:
mkdir -P |kescertpath|
mkdir -P |kesconfigpath|
mkdir -P |miniodatapath|
For Windows hosts, substitute the paths with Windows-style paths, e.g. ``C:\minio-kes-vault\``.
1) Generate TLS Certificates for KES and MinIO
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/container/common-minio-kes.rst
:start-after: start-kes-generate-kes-certs-desc
:end-before: end-kes-generate-kes-certs-desc
Depending on your Vault configuration, you may need to pass the ``kes-server.cert`` as a trusted Certificate Authority. See the `Hashicorp Vault Configuration Docs <https://www.vaultproject.io/docs/configuration/listener/tcp#tls_client_ca_file>`__ for more information.
Defer to the client documentation for instructions on trusting a third-party CA.
2) Create the KES and MinIO Configurations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
a. Create the KES Configuration File
Create the configuration file using your preferred text editor.
The following example uses ``nano``:
.. code-block:: shell
:substitutions:
nano |kesconfigpath|/kes-config.yaml
.. include:: /includes/common/common-minio-kes-hashicorp.rst
:start-after: start-kes-configuration-hashicorp-vault-desc
:end-before: end-kes-configuration-hashicorp-vault-desc
- Set ``MINIO_IDENTITY_HASH`` to the identity hash of the MinIO mTLS certificate.
The following command computes the necessary hash:
.. code-block:: shell
:class: copyable
:substitutions:
podman run --rm \
-v |kescertpath|/certs:/certs \
kes:|kes-stable| tool identity of /certs/minio-kes.cert
- Replace the ``vault.endpoint`` with the hostname of the Vault server(s).
- Replace the ``VAULTAPPID`` and ``VAULTAPPSECRET`` with the appropriate :ref:`Vault AppRole credentials <minio-sse-vault-prereq-vault>`.
b. Create the MinIO Environment File
Create the environment file using your preferred text editor.
The following example uses ``nano``:
.. code-block:: shell
:substitutions:
nano |minioconfigpath|/minio
.. include:: /includes/container/common-minio-kes.rst
:start-after: start-kes-configuration-minio-desc
:end-before: end-kes-configuration-minio-desc
3) Create Pod and Containers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/container/common-minio-kes.rst
:start-after: start-common-deploy-create-pod-and-containers
:end-before: end-common-deploy-create-pod-and-containers
4) Generate a New Encryption Key
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/container/common-minio-kes.rst
:start-after: start-kes-generate-key-desc
:end-before: end-kes-generate-key-desc
5) Enable SSE-KMS for a Bucket
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
You can use either the MinIO Console or the MinIO :mc:`mc` CLI to enable bucket-default SSE-KMS with the generated key:
.. tab-set::
.. tab-item:: MinIO Console
Open the MinIO Console by navigating to http://127.0.0.1:9001 in your preferred browser and logging in with the root credentials specified to the MinIO container.
Once logged in, create a new Bucket and name it to your preference.
Select the Gear :octicon:`gear` icon to open the management view.
Select the pencil :octicon:`pencil` icon next to the :guilabel:`Encryption` field to open the modal for configuring a bucket default SSE scheme.
Select :guilabel:`SSE-KMS`, then enter the name of the key created in the previous step.
Once you save your changes, try to upload a file to the bucket.
When viewing that file in the object browser, note that in the sidebar the metadata includes the SSE encryption scheme and information on the key used to encrypt that object.
This indicates the successful encrypted state of the object.
.. tab-item:: MinIO CLI
The following commands:
- Create a new :ref:`alias <alias>` for the MinIO deployment
- Create a new bucket for storing encrypted data
- Enable SSE-KMS encryption on that bucket
.. code-block:: shell
:class: copyable
mc alias set local http://127.0.0.1:9000 ROOTUSER ROOTPASSWORD
mc mb local/encryptedbucket
mc encrypt set SSE-KMS encrypted-bucket-key ALIAS/encryptedbucket
Write a file to the bucket using :mc:`mc cp` or any S3-compatible SDK with a ``PutObject`` function.
You can then run :mc:`mc stat` on the file to confirm the associated encryption metadata.

26
source/includes/container/steps-configure-minio-kes-hashicorp.rst
View File

@ -1,5 +1,5 @@
(Podman) Deploy MinIO and KES with Server-Side Encryption using Hashicorp Key Vault
-----------------------------------------------------------------------------------
Deploy MinIO and KES with Server-Side Encryption
------------------------------------------------
Prior to starting these steps, create the following folders:
@ -14,17 +14,13 @@ Prior to starting these steps, create the following folders:
For Windows hosts, substitute the paths with Windows-style paths, e.g. ``C:\minio-kes-vault\``.
1) Generate TLS Certificates for KES and MinIO
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Prerequisite
~~~~~~~~~~~~
.. include:: /includes/container/common-minio-kes.rst
:start-after: start-kes-generate-kes-certs-desc
:end-before: end-kes-generate-kes-certs-desc
Depending on your Vault configuration, you may need to pass the ``kes-server.cert`` as a trusted Certificate Authority. See the `Hashicorp Vault Configuration Docs <https://www.vaultproject.io/docs/configuration/listener/tcp#tls_client_ca_file>`__ for more information.
Depending on your chosen :kes-docs:`supported KMS target <#supported-kms-targets>` configuration, you may need to pass the ``kes-server.cert`` as a trusted Certificate Authority (CA).
Defer to the client documentation for instructions on trusting a third-party CA.
2) Create the KES and MinIO Configurations
1) Create the KES and MinIO Configurations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
a. Create the KES Configuration File
@ -53,9 +49,7 @@ a. Create the KES Configuration File
-v |kescertpath|/certs:/certs \
kes:|kes-stable| tool identity of /certs/minio-kes.cert
- Replace the ``vault.endpoint`` with the hostname of the Vault server(s).
- Replace the ``VAULTAPPID`` and ``VAULTAPPSECRET`` with the appropriate :ref:`Vault AppRole credentials <minio-sse-vault-prereq-vault>`.
- Refer to the instructions for setting up KES for your :kes-docs:`supported KMS solution <#kes-supported-targets>` for additional variables to define specific to your chosen KMS target.
b. Create the MinIO Environment File
@ -71,21 +65,21 @@ b. Create the MinIO Environment File
:start-after: start-kes-configuration-minio-desc
:end-before: end-kes-configuration-minio-desc
3) Create Pod and Containers
2) Create Pod and Containers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/container/common-minio-kes.rst
:start-after: start-common-deploy-create-pod-and-containers
:end-before: end-common-deploy-create-pod-and-containers
4) Generate a New Encryption Key
3) Generate a New Encryption Key
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/container/common-minio-kes.rst
:start-after: start-kes-generate-key-desc
:end-before: end-kes-generate-key-desc
5) Enable SSE-KMS for a Bucket
4) Enable SSE-KMS for a Bucket
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
You can use either the MinIO Console or the MinIO :mc:`mc` CLI to enable bucket-default SSE-KMS with the generated key:

12
source/includes/k8s/common-minio-kes.rst
View File

@ -1,13 +1,13 @@
.. start-kes-prereq-hashicorp-vault-desc
This procedure assumes an existing `Hashicorp Vault <https://www.vaultproject.io/>`__ installation accessible from the Kubernetes cluster.
This procedure assumes an existing :kes-docs:`supported KMS installation <#supported-kms-targets>` accessible from the Kubernetes cluster.
- For Vault deployments within the same Kubernetes cluster as the MinIO Tenant, you can use Kubernetes service names to allow the MinIO Tenant to establish connectivity to the Vault service.
- For deployments within the same Kubernetes cluster as the MinIO Tenant, you can use Kubernetes service names to allow the MinIO Tenant to establish connectivity to the target KMS service.
- For Vault deployments external to the Kubernetes cluster, you must ensure the cluster supports routing communications between Kubernetes services and pods and the external network.
- For deployments external to the Kubernetes cluster, you must ensure the cluster supports routing communications between Kubernetes services and pods and the external network.
This may require configuration or deployment of additional Kubernetes network components and/or enabling access to the public internet.
Defer to the `Vault Documentation <https://learn.hashicorp.com/vault>`__ for guidance on deployment and configuration.
Defer to the documentation for your chosen KMS solution for guidance on deployment and configuration.
.. end-kes-prereq-hashicorp-vault-desc
@ -59,8 +59,8 @@ You can use either the MinIO Tenant Console or the MinIO :mc:`mc` CLI to enable
.. admonition:: Unseal Vault Before Creating Key
:class: important
You must unseal the backing Vault instance before creating new encryption keys.
See the Vault documentation on `Seal/Unseal <https://www.vaultproject.io/docs/concepts/seal>`__ for more information.
If required by your chosen provider, you must unseal the backing vault instance before creating new encryption keys.
See the documentation for your chosen KMS solution for more information.
MinIO requires that the |EK| for a given bucket or object exist on the root KMS *before* performing |SSE| operations using that key.
You can use the :mc-cmd:`mc admin kms key create` command against the MinIO Tenant.

87
source/includes/k8s/steps-configure-minio-kes-aws.rst
View File

@ -1,87 +0,0 @@
Deploy MinIO Tenant with Server-Side Encryption using AWS SecretsManager
------------------------------------------------------------------------
1) Access the Operator Console
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Use the :mc-cmd:`kubectl minio proxy` command to temporarily forward traffic between the local host machine and the MinIO Operator Console:
.. code-block:: shell
:class: copyable
kubectl minio proxy
The command returns output similar to the following:
.. code-block:: shell
Starting port forward of the Console UI.
To connect open a browser and go to http://localhost:9001
Current JWT to login: TOKEN
Open your browser to the specified URL and enter the JWT Token into the login page.
You should see the :guilabel:`Tenants` page:
.. image:: /images/k8s/operator-dashboard.png
:align: center
:width: 70%
:class: no-scaled-link
:alt: MinIO Operator Console
Click the :guilabel:`+ Create Tenant` to start creating a MinIO Tenant.
2) Complete the :guilabel:`Encryption` Section
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To enable |SSE| with AWS Key Management Service during Tenant deployment, select the :guilabel:`Encryption` section and toggle the switch to :guilabel:`Enabled`.
You can then change the :guilabel:`Vault` Radio button to :guilabel:`AWS` to display the configuration settings.
.. image:: /images/k8s/operator-create-tenant-encryption-aws.png
:align: center
:width: 70%
:class: no-scaled-link
:alt: MinIO Operator Console - Create a Tenant - Encryption Section - AWS Key Management Service
An asterisk ``*`` marks required fields.
The following table provides general guidance for those fields:
.. list-table::
:header-rows: 1
:widths: 40 60
:width: 100%
* - Field
- Description
* - | Endpoint
| Region
- The hostname and AWS region for the AWS Secrets Manager instance (``https://secretmanager.us-east-2.amazonaws.com`` and ``us-east-2``) to use for |SSE|.
The MinIO Tenant |KES| pods *must* have network access to the specified endpoint.
This procedure assumes that your Kubernetes network configuration supports routing internal traffic to external networks like the public internet.
* - | Access Key
| Secret Key
| Token
- Specify the AWS User Access Key and Secret Key MinIO should use when authenticating to the Vault service.
Review the :ref:`AWS Prerequisites <minio-sse-aws-prereq-aws>` for instructions on generating these values.
Once you have completed the AWS |KMS| configuration, you can finish any remaining sections of :ref:`Tenant Deployment <minio-k8s-deploy-minio-tenant>`.
3) Generate a New Encryption Key
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/k8s/common-minio-kes.rst
:start-after: start-kes-generate-key-desc
:end-before: end-kes-generate-key-desc
4) Enable SSE-KMS for a Bucket
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/k8s/common-minio-kes.rst
:start-after: start-kes-enable-sse-kms-desc
:end-before: end-kes-enable-sse-kms-desc

87
source/includes/k8s/steps-configure-minio-kes-azure.rst
View File

@ -1,87 +0,0 @@
Deploy MinIO Tenant with Server-Side Encryption using Azure Key Vault
---------------------------------------------------------------------
1) Access the Operator Console
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Use the :mc-cmd:`kubectl minio proxy` command to temporarily forward traffic between the local host machine and the MinIO Operator Console:
.. code-block:: shell
:class: copyable
kubectl minio proxy
The command returns output similar to the following:
.. code-block:: shell
Starting port forward of the Console UI.
To connect open a browser and go to http://localhost:9001
Current JWT to login: TOKEN
Open your browser to the specified URL and enter the JWT Token into the login page.
You should see the :guilabel:`Tenants` page:
.. image:: /images/k8s/operator-dashboard.png
:align: center
:width: 70%
:class: no-scaled-link
:alt: MinIO Operator Console
Click the :guilabel:`+ Create Tenant` to start creating a MinIO Tenant.
2) Complete the :guilabel:`Encryption` Section
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Reference the :ref:`Deploy a MinIO Tenant <minio-k8s-deploy-minio-tenant>` procedure for complete documentation of other Tenant settings.
To enable |SSE| with |rootkms-short| during Tenant deployment, select the :guilabel:`Encryption` section and toggle the switch to :guilabel:`Enabled`.
You can then select the :guilabel:`Azure` Radio button to display the |rootkms-short| configuration settings.
.. image:: /images/k8s/operator-create-tenant-encryption-azure.png
:align: center
:width: 70%
:class: no-scaled-link
:alt: MinIO Operator Console - Create a Tenant - Encryption Section
An asterisk ``*`` marks required fields.
The following table provides general guidance for those fields:
.. list-table::
:header-rows: 1
:widths: 40 60
:width: 100%
* - Field
- Description
* - Endpoint
- The hostname or IP address for the |rootkms-short| service to use for |SSE|.
The MinIO Tenant |KES| pods *must* have network access to the specified endpoint.
* - | Tenant ID
| Client ID
| Client Secret
- Specify the |rootkms-short| credentials the MinIO Tenant should use when authenticating to the service.
Review the :ref:`Azure Prerequisites <minio-sse-azure-prereq-azure>` for instructions on generating these values.
Once you have completed the |rootkms-short| configuration, you can finish any remaining sections of :ref:`Tenant Deployment <minio-k8s-deploy-minio-tenant>`.
3) Generate a New Encryption Key
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/k8s/common-minio-kes.rst
:start-after: start-kes-generate-key-desc
:end-before: end-kes-generate-key-desc
4) Enable SSE-KMS for a Bucket
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/k8s/common-minio-kes.rst
:start-after: start-kes-enable-sse-kms-desc
:end-before: end-kes-enable-sse-kms-desc

89
source/includes/k8s/steps-configure-minio-kes-gcp.rst
View File

@ -1,89 +0,0 @@
Deploy MinIO Tenant with Server-Side Encryption using GCP Secret Manager
------------------------------------------------------------------------
1) Access the Operator Console
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Use the :mc-cmd:`kubectl minio proxy` command to temporarily forward traffic between the local host machine and the MinIO Operator Console:
.. code-block:: shell
:class: copyable
kubectl minio proxy
The command returns output similar to the following:
.. code-block:: shell
Starting port forward of the Console UI.
To connect open a browser and go to http://localhost:9001
Current JWT to login: TOKEN
Open your browser to the specified URL and enter the JWT Token into the login page.
You should see the :guilabel:`Tenants` page:
.. image:: /images/k8s/operator-dashboard.png
:align: center
:width: 70%
:class: no-scaled-link
:alt: MinIO Operator Console
Click the :guilabel:`+ Create Tenant` to start creating a MinIO Tenant.
2) Complete the :guilabel:`Encryption` Section
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Reference the :ref:`Deploy a MinIO Tenant <minio-k8s-deploy-minio-tenant>` procedure for complete documentation of other Tenant settings.
To enable |SSE| with |rootkms-short| during Tenant deployment, select the :guilabel:`Encryption` section and toggle the switch to :guilabel:`Enabled`.
You can then select the :guilabel:`GCP` Radio button to display the |rootkms-short| configuration settings.
.. image:: /images/k8s/operator-create-tenant-encryption-gcp.png
:align: center
:width: 70%
:class: no-scaled-link
:alt: MinIO Operator Console - Create a Tenant - Encryption Section - GCP
An asterisk ``*`` marks required fields.
The following table provides general guidance for those fields:
.. list-table::
:header-rows: 1
:widths: 40 60
:width: 100%
* - Field
- Description
* - | Project ID
| Endpoint
- The Project ID and endpoint for the |rootkms-short| service to use for |SSE|.
The MinIO Tenant |KES| pods *must* have network access to the specified endpoint.
* - | Client Email
| Client ID
| Private Key ID
| Private Key
- Specify the credentials for the GCP user with which the Tenant authenticates to the |rootkms-short| service.
Review the :ref:`GCP Secret Manager Prerequisites <minio-sse-gcp-prereq-gcp>` for instructions on generating these values.
Once you have completed the |rootkms-short| configuration, you can finish any remaining sections of :ref:`Tenant Deployment <minio-k8s-deploy-minio-tenant>`.
3) Generate a New Encryption Key
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/k8s/common-minio-kes.rst
:start-after: start-kes-generate-key-desc
:end-before: end-kes-generate-key-desc
4) Enable SSE-KMS for a Bucket
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/k8s/common-minio-kes.rst
:start-after: start-kes-enable-sse-kms-desc
:end-before: end-kes-enable-sse-kms-desc

39
source/includes/k8s/steps-configure-minio-kes-hashicorp.rst
View File

@ -1,5 +1,5 @@
Deploy MinIO Tenant with Server-Side Encryption using Hashicorp Vault
---------------------------------------------------------------------
Deploy MinIO Tenant with Server-Side Encryption
-----------------------------------------------
1) Access the Operator Console
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@ -37,8 +37,8 @@ Click the :guilabel:`+ Create Tenant` to start creating a MinIO Tenant.
Reference the :ref:`Deploy a MinIO Tenant <minio-k8s-deploy-minio-tenant>` procedure for complete documentation of other Tenant settings.
To enable |SSE| with Hashicorp Vault during Tenant deployment, select the :guilabel:`Encryption` section and toggle the switch to :guilabel:`Enabled`.
You can then select the :guilabel:`Vault` Radio button to :guilabel:`Vault` to display the Vault configuration settings.
To enable |SSE| with a :kes-docs:`supported KMS target <#supported-kms-targets>` during Tenant deployment, select the :guilabel:`Encryption` section and toggle the switch to :guilabel:`Enabled`.
You can then select the Radio button for the chosen KMS provider to display configuration settings for that provider.
.. image:: /images/k8s/operator-create-tenant-encryption.png
:align: center
@ -47,37 +47,10 @@ You can then select the :guilabel:`Vault` Radio button to :guilabel:`Vault` to d
:alt: MinIO Operator Console - Create a Tenant - Encryption Section
An asterisk ``*`` marks required fields.
The following table provides general guidance for those fields:
.. list-table::
:header-rows: 1
:widths: 40 60
:width: 100%
Refer to the Configuration References section of the tutorial for your chosen :kes-docs:`supported KMS target <#supported-kms-targets>` for more information on the configuration options for your KMS.
* - Field
- Description
* - Endpoint
- The hostname or IP address for the Vault service (``https://vault.example.net:8200``) to use for |SSE|.
The MinIO Tenant |KES| pods *must* have network access to the specified endpoint.
For Vault services deployed in the *same* Kubernetes cluster as the MinIO Tenant, you can specify either the service's cluster IP *or* its :kube-docs:`DNS hostname <concepts/services-networking/dns-pod-service/>`.
For Vault services external to the Kubernetes cluster, you can specify that external hostname to the MinIO Tenant.
This assumes that your Kubernetes network configuration supports routing internal traffic to external networks like the public internet.
* - | AppRole ID
| AppRole Secret
- Specify the Vault AppRole ID and AppRole Secret MinIO should use when authenticating to the Vault service.
Review the :ref:`Vault Prerequisites <minio-sse-vault-prereq-vault>` for instructions on generating these values.
MinIO defaults to using the `KV Version 1 <https://www.vaultproject.io/docs/secrets/kv>`__ engine.
You can specify ``v2`` to enable the KV Version 2 engine.
Once you have completed the Vault configuration, you can finish any remaining sections of :ref:`Tenant Deployment <minio-k8s-deploy-minio-tenant>`.
Once you have completed the configuration, you can finish any remaining sections of :ref:`Tenant Deployment <minio-k8s-deploy-minio-tenant>`.
3) Generate a New Encryption Key
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

70
source/includes/linux/common-minio-kes.rst
View File

@ -1,71 +1,3 @@
.. start-kes-download-desc
Download the latest stable release (|kes-stable|) of KES from :minio-git:`github.com/minio/kes <kes/releases/latest>`.
Select the binary appropriate for the host OS architecture.
For example, hosts running X86-64 (Intel/AMD64) should download the ``kes-linux-amd64`` package.
The following example code downloads the latest Linux AMD64-compatible binary and moves it to the system ``PATH``:
.. code-block:: shell
:class: copyable
:substitutions:
curl --retry 10 https://github.com/minio/kes/releases/download/|kes-stable|/kes-linux-amd64 -o /tmp/kes
chmod +x /tmp/kes
sudo mv /tmp/kes /usr/local/bin
kes --version
For distributed KES topologies, repeat this step and all following KES-specific instructions for each host on which you want to deploy KES.
MinIO uses a round-robin approach by default for routing connections to multiple configured KES servers.
For more granular controls, deploy a dedicated load balancer to manage connections to distributed KES hosts.
.. end-kes-download-desc
.. start-kes-service-file-desc
Create the ``/lib/systemd/system/kes.service`` file on all KES hosts:
.. literalinclude:: /extra/kes.service
:language: shell
You may need to run ``systemctl daemon-reload`` to load the new service file into ``systemctl``.
The ``kes.service`` file runs as the ``kes`` User and Group by default.
You can create the user and group using the ``useradd`` and ``groupadd`` commands.
The following example creates the user and group.
These commands typically require root (``sudo``) permissions.
.. code-block:: shell
:class: copyable
groupadd -r kes
useradd -M -r -g kes kes
The ``kes`` user and group must have read access to all files used by the KES service:
.. code-block:: shell
:class: copyable
:substitutions:
chown -R kes:kes /opt/kes
.. end-kes-service-file-desc
.. start-kes-start-service-desc
Run the following command on each KES host to start the service:
.. code-block:: shell
:class: copyable
systemctl start kes
You can validate the startup by using ``systemctl status kes``.
If the service started successfully, use ``journalctl -uf kes`` to check the KES output logs.
.. end-kes-start-service-desc
.. start-kes-minio-start-service-desc
@ -91,7 +23,7 @@ For existing MinIO deployments, run the following command on each MinIO host to
KES requires TLS connectivity for all client connections, including those originating from MinIO.
See :ref:`minio-tls` for more information on enabling TLS for the MinIO deployment.
Depending on your Vault configuration, you may also need to create a dedicated set of TLS certificates for KES to connect and authenticate to Vault.
Depending on your selected KMS target's configuration, you may also need to create a dedicated set of TLS certificates for KES to connect and authenticate to the KMS.
Defer to your organization's best practices around generating production-ready TLS certificates.

110
source/includes/linux/steps-configure-minio-kes-aws-quick.rst
View File

@ -1,110 +0,0 @@
Deploy MinIO and KES with Server-Side Encryption using AWS Secrets Manager for Local Development
------------------------------------------------------------------------------------------------
Prior to starting these steps, create the following folders:
.. code-block:: shell
:class: copyable
:substitutions:
mkdir -P |kescertpath|
mkdir -P |kesconfigpath|
mkdir -P |miniocertpath|
mkdir -P |minioconfigpath|
mkdir -P |miniodatapath|
1) Download the KES Server Binary
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/linux/common-minio-kes.rst
:start-after: start-kes-download-desc
:end-before: end-kes-download-desc
2) Generate TLS Certificates for KES and MinIO
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-generate-kes-certs-desc
:end-before: end-kes-generate-kes-certs-desc
3) Create the KES and MinIO Configurations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
a. Create the KES Configuration File
Create the configuration file using your preferred text editor.
The following example uses ``nano``:
.. code-block:: shell
:substitutions:
nano |kesconfigpath|/kes-config.yaml
.. include:: /includes/common/common-minio-kes-aws.rst
:start-after: start-kes-configuration-aws-desc
:end-before: end-kes-configuration-aws-desc
- Set ``MINIO_IDENTITY_HASH`` to the identity hash of the MinIO mTLS certificate.
The following command computes the necessary hash:
.. code-block:: shell
:class: copyable
:substitutions:
kes identity of |miniocertpath|/minio-kes.cert
- Replace the ``REGION`` with the appropriate region for AWS Secrets Manager.
The value **must** match for both ``endpoint`` and ``region``.
- Set ``AWSACCESSKEY`` and ``AWSSECRETKEY`` to the appropriate :ref:`AWS Credentials <minio-sse-aws-prereq-aws>`.
b. Create the MinIO Environment File
Create or modify the environment file for the MinIO deployment using your preferred text editor.
The following example uses ``nano``:
.. code-block:: shell
:substitutions:
nano |minioconfigpath|/minio
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-configuration-minio-desc
:end-before: end-kes-configuration-minio-desc
4) Start KES and MinIO
~~~~~~~~~~~~~~~~~~~~~~
You must start KES *before* starting MinIO.
The MinIO deployment requires access to KES as part of its startup.
a. Start the KES Server
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-start-server-desc
:end-before: end-kes-start-server-desc
b. Start the MinIO Server
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-minio-start-server-desc
:end-before: end-kes-minio-start-server-desc
Foreground processes depend on the shell or terminal in which they run.
Exiting or terminating the shell/terminal instance also kills the attached process.
Defer to your operating system best practices for running processes in the background.
5) Generate a New Encryption Key
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-generate-key-desc
:end-before: end-kes-generate-key-desc
6) Enable SSE-KMS for a Bucket
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-enable-sse-kms-desc
:end-before: end-kes-enable-sse-kms-desc

116
source/includes/linux/steps-configure-minio-kes-aws.rst
View File

@ -1,116 +0,0 @@
Enable Server-Side Encryption with AWS SecretsManager for Production
--------------------------------------------------------------------
Prior to starting these steps, create the following folders if they do not already exist:
.. code-block:: shell
:class: copyable
:substitutions:
mkdir -P |kescertpath|
mkdir -P |kesconfigpath|
mkdir -P |miniocertpath|
1) Download KES and Create the Service File
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
a. Download KES
.. include:: /includes/linux/common-minio-kes.rst
:start-after: start-kes-download-desc
:end-before: end-kes-download-desc
b. Create the Service File
.. include:: /includes/linux/common-minio-kes.rst
:start-after: start-kes-service-file-desc
:end-before: end-kes-service-file-desc
2) Generate TLS Certificates for KES and MinIO
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/linux/common-minio-kes.rst
:start-after: start-kes-generate-kes-certs-prod-desc
:end-before: end-kes-generate-kes-certs-prod-desc
3) Create the KES and MinIO Configurations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. important::
Starting with :minio-release:`RELEASE.2023-02-17T17-52-43Z`, MinIO requires expanded KES permissions for functionality.
The example configuration in this section contains all required permissions.
a. Create the KES Configuration File
Create the configuration file using your preferred text editor.
The following example uses ``nano``:
.. code-block:: shell
:substitutions:
nano /etc/kes/config.yaml
.. include:: /includes/common/common-minio-kes-aws.rst
:start-after: start-kes-configuration-aws-desc
:end-before: end-kes-configuration-aws-desc
- Set ``MINIO_IDENTITY_HASH`` to the identity hash of the MinIO mTLS certificate.
The following command computes the necessary hash:
.. code-block:: shell
:class: copyable
:substitutions:
kes identity of |miniocertpath|/minio-kes.cert
- Replace the ``REGION`` with the appropriate region for AWS Secrets Manager.
The value **must** match for both ``endpoint`` and ``region``.
- Set ``AWSACCESSKEY`` and ``AWSSECRETKEY`` to the appropriate :ref:`AWS Credentials <minio-sse-aws-prereq-aws>`.
b. Configure the MinIO Environment File
Modify the MinIO Server environment file for all hosts in the target deployment to include the following environment variables.
MinIO defaults to expecting this file at ``/etc/default/minio``.
If you modified your deployment to use a different location for the environment file, modify the file at that location.
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-configuration-minio-desc
:end-before: end-kes-configuration-minio-desc
4) Start KES and MinIO
~~~~~~~~~~~~~~~~~~~~~~
You must start KES *before* starting MinIO.
The MinIO deployment requires access to KES as part of its startup.
This step uses ``systemd`` for starting and managing both the KES and MinIO server processes:
a. Start the KES Service on All Hosts
.. include:: /includes/linux/common-minio-kes.rst
:start-after: start-kes-start-service-desc
:end-before: end-kes-start-service-desc
b. Start the MinIO Server
.. include:: /includes/linux/common-minio-kes.rst
:start-after: start-kes-minio-start-service-desc
:end-before: end-kes-minio-start-service-desc
5) Generate a New Encryption Key
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-generate-key-desc
:end-before: end-kes-generate-key-desc
6) Enable SSE-KMS for a Bucket
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-enable-sse-kms-desc
:end-before: end-kes-enable-sse-kms-desc

109
source/includes/linux/steps-configure-minio-kes-azure-quick.rst
View File

@ -1,109 +0,0 @@
Deploy MinIO and KES with Server-Side Encryption using Azure Key Vault for Local Development
--------------------------------------------------------------------------------------------
Prior to starting these steps, create the following folders:
.. code-block:: shell
:class: copyable
:substitutions:
mkdir -P |kescertpath|
mkdir -P |kesconfigpath|
mkdir -P |miniocertpath|
mkdir -P |minioconfigpath|
mkdir -P |miniodatapath|
1) Download the KES Server Binary
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/linux/common-minio-kes.rst
:start-after: start-kes-download-desc
:end-before: end-kes-download-desc
2) Generate TLS Certificates for KES and MinIO
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-generate-kes-certs-desc
:end-before: end-kes-generate-kes-certs-desc
3) Create the KES and MinIO Configurations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
a. Create the KES Configuration File
Create the configuration file using your preferred text editor.
The following example uses ``nano``:
.. code-block:: shell
:substitutions:
nano |kesconfigpath|/kes-config.yaml
.. include:: /includes/common/common-minio-kes-azure.rst
:start-after: start-kes-configuration-azure-desc
:end-before: end-kes-configuration-azure-desc
- Set ``MINIO_IDENTITY_HASH`` to the identity hash of the MinIO mTLS certificate.
The following command computes the necessary hash:
.. code-block:: shell
:class: copyable
:substitutions:
kes identity of |miniocertpath|/minio-kes.cert
- Replace the ``endpoint`` with the URL for the Keyvault instance.
- Set ``TENANTID``, ``CLIENTID``, and ``CLIENTSECRET`` to match the credentials for a project user with the :ref:`required permissions <minio-sse-azure-prereq-azure>`.
b. Create the MinIO Environment File
Create or modify the environment file for the MinIO deployment using your preferred text editor.
The following example uses ``nano``:
.. code-block:: shell
:substitutions:
nano |minioconfigpath|/minio
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-configuration-minio-desc
:end-before: end-kes-configuration-minio-desc
4) Start KES and MinIO
~~~~~~~~~~~~~~~~~~~~~~
You must start KES *before* starting MinIO.
The MinIO deployment requires access to KES as part of its startup.
a. Start the KES Server
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-start-server-desc
:end-before: end-kes-start-server-desc
b. Start the MinIO Server
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-minio-start-server-desc
:end-before: end-kes-minio-start-server-desc
Foreground processes depend on the shell or terminal in which they run.
Exiting or terminating the shell/terminal instance also kills the attached process.
Defer to your operating system best practices for running processes in the background.
5) Generate a New Encryption Key
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-generate-key-desc
:end-before: end-kes-generate-key-desc
6) Enable SSE-KMS for a Bucket
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-enable-sse-kms-desc
:end-before: end-kes-enable-sse-kms-desc

115
source/includes/linux/steps-configure-minio-kes-azure.rst
View File

@ -1,115 +0,0 @@
Deploy MinIO and KES with Server-Side Encryption using Azure KeyVault for Production
------------------------------------------------------------------------------------
Prior to starting these steps, create the following folders if they do not already exist:
.. code-block:: shell
:class: copyable
:substitutions:
mkdir -P |kescertpath|
mkdir -P |kesconfigpath|
mkdir -P |miniocertpath|
1) Download KES and Create the Service File
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
a. Download KES
.. include:: /includes/linux/common-minio-kes.rst
:start-after: start-kes-download-desc
:end-before: end-kes-download-desc
b. Create the Service File
.. include:: /includes/linux/common-minio-kes.rst
:start-after: start-kes-service-file-desc
:end-before: end-kes-service-file-desc
2) Generate TLS Certificates for KES and MinIO
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/linux/common-minio-kes.rst
:start-after: start-kes-generate-kes-certs-prod-desc
:end-before: end-kes-generate-kes-certs-prod-desc
3) Create the KES and MinIO Configurations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. important::
Starting with :minio-release:`RELEASE.2023-02-17T17-52-43Z`, MinIO requires expanded KES permissions for functionality.
The example configuration in this section contains all required permissions.
a. Create the KES Configuration File
Create the configuration file using your preferred text editor.
The following example uses ``nano``:
.. code-block:: shell
:substitutions:
nano /etc/kes/config.yaml
.. include:: /includes/common/common-minio-kes-azure.rst
:start-after: start-kes-configuration-azure-desc
:end-before: end-kes-configuration-azure-desc
- Set ``MINIO_IDENTITY_HASH`` to the identity hash of the MinIO mTLS certificate.
The following command computes the necessary hash:
.. code-block:: shell
:class: copyable
:substitutions:
kes identity of |miniocertpath|/minio-kes.cert
- Replace the ``endpoint`` with the URL for the Keyvault instance.
- Set ``TENANTID``, ``CLIENTID``, and ``CLIENTSECRET`` to match the credentials for a project user with the :ref:`required permissions <minio-sse-azure-prereq-azure>`.
b. Configure the MinIO Environment File
Modify the MinIO Server environment file for all hosts in the target deployment to include the following environment variables.
MinIO defaults to expecting this file at ``/etc/default/minio``.
If you modified your deployment to use a different location for the environment file, modify the file at that location.
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-configuration-minio-desc
:end-before: end-kes-configuration-minio-desc
4) Start KES and MinIO
~~~~~~~~~~~~~~~~~~~~~~
You must start KES *before* starting MinIO.
The MinIO deployment requires access to KES as part of its startup.
This step uses ``systemd`` for starting and managing both the KES and MinIO server processes:
a. Start the KES Service on All Hosts
.. include:: /includes/linux/common-minio-kes.rst
:start-after: start-kes-start-service-desc
:end-before: end-kes-start-service-desc
b. Start the MinIO Server
.. include:: /includes/linux/common-minio-kes.rst
:start-after: start-kes-minio-start-service-desc
:end-before: end-kes-minio-start-service-desc
5) Generate a New Encryption Key
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-generate-key-desc
:end-before: end-kes-generate-key-desc
6) Enable SSE-KMS for a Bucket
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-enable-sse-kms-desc
:end-before: end-kes-enable-sse-kms-desc

109
source/includes/linux/steps-configure-minio-kes-gcp-quick.rst
View File

@ -1,109 +0,0 @@
Deploy MinIO and KES with Server-Side Encryption using GCP Secrets Manager for Local Development
------------------------------------------------------------------------------------------------
Prior to starting these steps, create the following folders:
.. code-block:: shell
:class: copyable
:substitutions:
mkdir -P |kescertpath|
mkdir -P |kesconfigpath|
mkdir -P |miniocertpath|
mkdir -P |minioconfigpath|
mkdir -P |miniodatapath|
1) Download the KES Server Binary
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/linux/common-minio-kes.rst
:start-after: start-kes-download-desc
:end-before: end-kes-download-desc
2) Generate TLS Certificates for KES and MinIO
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-generate-kes-certs-desc
:end-before: end-kes-generate-kes-certs-desc
3) Create the KES and MinIO Configurations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
a. Create the KES Configuration File
Create the configuration file using your preferred text editor.
The following example uses ``nano``:
.. code-block:: shell
:substitutions:
nano |kesconfigpath|/kes-config.yaml
.. include:: /includes/common/common-minio-kes-gcp.rst
:start-after: start-kes-configuration-gcp-desc
:end-before: end-kes-configuration-gcp-desc
- Set ``MINIO_IDENTITY_HASH`` to the identity hash of the MinIO mTLS certificate.
The following command computes the necessary hash:
.. code-block:: shell
:class: copyable
:substitutions:
kes identity of |miniocertpath|/minio-kes.cert
- Set ``GCPPROJECTID`` to the GCP project for the Secrets Manager instance KES should use.
- Set ``GCPCLIENTEMAIL``, ``GCPCLIENTID``, ``GCPPRIVATEKEYID``, and ``GCPPRIVATEKEY`` to the credentials associated to the :ref:`GCP Service Account <minio-sse-gcp-prereq-gcp>` KES should use when accessing the Secrets Manager service.
b. Create the MinIO Environment File
Create or modify the environment file for the MinIO deployment using your preferred text editor.
The following example uses ``nano``:
.. code-block:: shell
:substitutions:
nano |minioconfigpath|/minio
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-configuration-minio-desc
:end-before: end-kes-configuration-minio-desc
4) Start KES and MinIO
~~~~~~~~~~~~~~~~~~~~~~
You must start KES *before* starting MinIO.
The MinIO deployment requires access to KES as part of its startup.
a. Start the KES Server
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-start-server-desc
:end-before: end-kes-start-server-desc
b. Start the MinIO Server
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-minio-start-server-desc
:end-before: end-kes-minio-start-server-desc
Foreground processes depend on the shell or terminal in which they run.
Exiting or terminating the shell/terminal instance also kills the attached process.
Defer to your operating system best practices for running processes in the background.
5) Generate a New Encryption Key
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-generate-key-desc
:end-before: end-kes-generate-key-desc
6) Enable SSE-KMS for a Bucket
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-enable-sse-kms-desc
:end-before: end-kes-enable-sse-kms-desc

115
source/includes/linux/steps-configure-minio-kes-gcp.rst
View File

@ -1,115 +0,0 @@
Enable Server-Side Encryption with GCP Secrets Manager for Production
---------------------------------------------------------------------
Prior to starting these steps, create the following folders if they do not already exist:
.. code-block:: shell
:class: copyable
:substitutions:
mkdir -P |kescertpath|
mkdir -P |kesconfigpath|
mkdir -P |miniocertpath|
1) Download KES and Create the Service File
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. important::
Starting with :minio-release:`RELEASE.2023-02-17T17-52-43Z`, MinIO requires expanded KES permissions for functionality.
The example configuration in this section contains all required permissions.
a. Download KES
.. include:: /includes/linux/common-minio-kes.rst
:start-after: start-kes-download-desc
:end-before: end-kes-download-desc
b. Create the Service File
.. include:: /includes/linux/common-minio-kes.rst
:start-after: start-kes-service-file-desc
:end-before: end-kes-service-file-desc
2) Generate TLS Certificates for KES and MinIO
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/linux/common-minio-kes.rst
:start-after: start-kes-generate-kes-certs-prod-desc
:end-before: end-kes-generate-kes-certs-prod-desc
3) Create the KES and MinIO Configurations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
a. Create the KES Configuration File
Create the configuration file using your preferred text editor.
The following example uses ``nano``:
.. code-block:: shell
:substitutions:
nano /etc/kes/config.yaml
.. include:: /includes/common/common-minio-kes-gcp.rst
:start-after: start-kes-configuration-gcp-desc
:end-before: end-kes-configuration-gcp-desc
- Set ``MINIO_IDENTITY_HASH`` to the identity hash of the MinIO mTLS certificate.
The following command computes the necessary hash:
.. code-block:: shell
:class: copyable
:substitutions:
kes identity of |miniocertpath|/minio-kes.cert
- Set ``GCPPROJECTID`` to the GCP project for the Secrets Manager instance KES should use.
- Set ``GCPCLIENTEMAIL``, ``GCPCLIENTID``, ``GCPPRIVATEKEYID``, and ``GCPPRIVATEKEY`` to the credentials associated to the :ref:`GCP Service Account <minio-sse-gcp-prereq-gcp>` KES should use when accessing the Secrets Manager service.
b. Configure the MinIO Environment File
Modify the MinIO Server environment file for all hosts in the target deployment to include the following environment variables.
MinIO defaults to expecting this file at ``/etc/default/minio``.
If you modified your deployment to use a different location for the environment file, modify the file at that location.
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-configuration-minio-desc
:end-before: end-kes-configuration-minio-desc
4) Start KES and MinIO
~~~~~~~~~~~~~~~~~~~~~~
You must start KES *before* starting MinIO.
The MinIO deployment requires access to KES as part of its startup.
This step uses ``systemd`` for starting and managing both the KES and MinIO server processes:
a. Start the KES Service on All Hosts
.. include:: /includes/linux/common-minio-kes.rst
:start-after: start-kes-start-service-desc
:end-before: end-kes-start-service-desc
b. Start the MinIO Server
.. include:: /includes/linux/common-minio-kes.rst
:start-after: start-kes-minio-start-service-desc
:end-before: end-kes-minio-start-service-desc
5) Generate a New Encryption Key
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-generate-key-desc
:end-before: end-kes-generate-key-desc
6) Enable SSE-KMS for a Bucket
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-enable-sse-kms-desc
:end-before: end-kes-enable-sse-kms-desc

132
source/includes/linux/steps-configure-minio-kes-hashicorp.rst
View File

@ -1,42 +1,20 @@
Procedure
---------
This procedure provides instructions for configuring and enabling Server-Side Encryption using Hashicorp Vault in production environments.
This procedure provides instructions for configuring and enabling Server-Side Encryption using your selected `supported KMS solution <https://min.io/docs/kes/#supported-kms-targets>`__ in production environments.
Specifically, this procedure assumes the following:
- An existing production-grade Vault deployment
- One or more hosts for deploying KES
- An existing production-grade KMS target
- One or more KES servers connected to the KMS target
- One or more hosts for a new or existing MinIO deployment
1) Download KES and Create the Service File
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Prerequisite
~~~~~~~~~~~~
.. container:: procedure
a. Download KES
.. include:: /includes/linux/common-minio-kes.rst
:start-after: start-kes-download-desc
:end-before: end-kes-download-desc
b. Create the Service File
.. include:: /includes/linux/common-minio-kes.rst
:start-after: start-kes-service-file-desc
:end-before: end-kes-service-file-desc
2) Generate TLS Certificates for KES
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/linux/common-minio-kes.rst
:start-after: start-kes-generate-kes-certs-prod-desc
:end-before: end-kes-generate-kes-certs-prod-desc
Depending on your Vault configuration, you may also need to specify the CA used to sign the KES certificates to the Vault server.
See the `Hashicorp Vault Configuration Docs <https://www.vaultproject.io/docs/configuration/listener/tcp#tls_client_ca_file>`__ for more information.
Depending on your chosen :kes-docs:`supported KMS target <#supported-kms-targets>` configuration, you may need to pass the ``kes-server.cert`` as a trusted Certificate Authority (CA).
Defer to the client documentation for instructions on trusting a third-party CA.
3) Generate a KES API Key for use by MinIO
1) Generate a KES API Key for use by MinIO
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Starting with KES version :minio-git:`2023-02-15T14-54-37Z <kes/releases/tag/2023-02-15T14-54-37Z>`, you can generate an API key to use for authenticating to the KES server.
@ -50,94 +28,50 @@ Use the :kes-docs:`kes identity new <cli/kes-identity/new>` command to generate
The output includes both the API Key for use with MinIO and the Identity hash for use with the :kes-docs:`KES Policy configuration <tutorials/configuration/#policy-configuration>`.
4) Create the KES and MinIO Configurations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2) Create the MinIO Configurations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. important::
Configure the MinIO Environment File
Starting with :minio-release:`RELEASE.2023-02-17T17-52-43Z`, MinIO requires expanded KES permissions for functionality.
The example configuration in this section contains all required permissions.
Create or modify the MinIO Server environment file for all hosts in the target deployment to include the following environment variables:
.. container:: procedure
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-configuration-minio-desc
:end-before: end-kes-configuration-minio-desc
a. Create the KES Configuration File
MinIO defaults to expecting this file at ``/etc/default/minio``.
If you modified your deployment to use a different location for the environment file, modify the file at that location.
Create the configuration file using your preferred text editor.
The following example uses ``nano``:
3) Start MinIO
~~~~~~~~~~~~~~
.. code-block:: shell
:substitutions:
.. admonition:: KES Operations Requires Unsealed Vault
:class: important
nano /opt/kes/config.yaml
Depending on your selected KMS solution, you may need to unseal the key instance to allow normal cryptographic operations, including key creation or retrieval.
KES requires an unsealed key target to perform its operations.
Refer to the :kes-docs:`documentation for your chosen KMS solution <#supported-kms-targets>` for information regarding whether sealing and unsealing the instance is required for operations.
.. include:: /includes/common/common-minio-kes-hashicorp.rst
:start-after: start-kes-configuration-hashicorp-vault-desc
:end-before: end-kes-configuration-hashicorp-vault-desc
You must start KES *before* starting MinIO.
The MinIO deployment requires access to KES as part of its startup.
- Set ``MINIO_IDENTITY_HASH`` to the identity hash of the API Key generated in the previous step.
This step uses ``systemd`` for starting and managing the MinIO server processes:
The following command recomputes the necessary hash from the API key:
Start the MinIO Server
.. code-block:: shell
:class: copyable
.. include:: /includes/linux/common-minio-kes.rst
:start-after: start-kes-minio-start-service-desc
:end-before: end-kes-minio-start-service-desc
kes identity of kes:v1:KEY/KEY
- Replace the ``keystore.vault.endpoint`` with the hostname of the Vault server(s).
- Replace ``keystore.vault.engine`` and ``keystore.vault.version`` with the path and version of the KV engine used for storing secrets.
- Replace the ``VAULTAPPID`` and ``VAULTAPPSECRET`` with the appropriate :ref:`Vault AppRole credentials <minio-sse-vault-prereq-vault>`.
- Modify the ``keystore.vault.tls.ca`` value to correspond to the path to the Vault :abbr:`CA (Certificate Authority)` certificate used to sign the Vault TLS keys.
b. Configure the MinIO Environment File
Create or modify the MinIO Server environment file for all hosts in the target deployment to include the following environment variables:
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-configuration-minio-desc
:end-before: end-kes-configuration-minio-desc
MinIO defaults to expecting this file at ``/etc/default/minio``.
If you modified your deployment to use a different location for the environment file, modify the file at that location.
5) Start KES and MinIO
~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common/common-minio-kes-hashicorp.rst
:start-after: start-kes-vault-seal-unseal-desc
:end-before: end-kes-vault-seal-unseal-desc
You must start KES *before* starting MinIO.
The MinIO deployment requires access to KES as part of its startup.
This step uses ``systemd`` for starting and managing both the KES and MinIO server processes:
a. Start the KES Service on All Hosts
.. include:: /includes/linux/common-minio-kes.rst
:start-after: start-kes-start-service-desc
:end-before: end-kes-start-service-desc
b. Start the MinIO Server
.. include:: /includes/linux/common-minio-kes.rst
:start-after: start-kes-minio-start-service-desc
:end-before: end-kes-minio-start-service-desc
5) Generate a New Encryption Key
4) Generate a New Encryption Key
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common/common-minio-kes-hashicorp.rst
:start-after: start-kes-vault-seal-unseal-desc
:end-before: end-kes-vault-seal-unseal-desc
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-generate-key-desc
:end-before: end-kes-generate-key-desc
6) Enable SSE-KMS for a Bucket
5) Enable SSE-KMS for a Bucket
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common/common-minio-kes.rst

31
source/includes/macos/common-minio-kes.rst
View File

@ -1,31 +0,0 @@
..start-kes-download-desc
Download the binary of the latest stable KES release (|kes-stable|) from :minio-git:`github.com/minio/kes <kes/releases/>`.
Select the tab corresponding to the architecture for your MacOS hardware.
The command downloads the |kes-stable| binary for that architecture, sets it to executable, and adds it to your system PATH.
.. tab-set::
.. tab-item:: ARM64 (Apple Silicon)
.. code-block:: shell
:class: copyable
:substitutions:
curl -O https://github.com/minio/kes/releases/download/|kes-stable|/kes-darwin-arm64
chmod +x ./kes-darwin-arm64
sudo mv ./kes-darwin-arm64 /usr/local/bin/kes
.. tab-item:: AMD64 (Intel)
.. code-block:: shell
:class: copyable
:substitutions:
curl -O https://github.com/minio/kes/releases/download/|kes-stable|/kes-darwin-amd64
chmod +x ./kes-darwin-amd64
sudo mv ./kes-darwin-amd64 /usr/local/bin/kes
.. end-kes-download-desc

108
source/includes/macos/steps-configure-minio-kes-aws.rst
View File

@ -1,108 +0,0 @@
Deploy MinIO and KES with Server-Side Encryption using AWS Secrets Manager
--------------------------------------------------------------------------
Prior to starting these steps, create the following folders:
.. code-block:: shell
:class: copyable
:substitutions:
mkdir -P |kescertpath|
mkdir -P |kesconfigpath|
mkdir -P |miniodatapath|
1) Download the KES Binary
~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/macos/common-minio-kes.rst
:start-after: start-kes-download-desc
:end-before: end-kes-download-desc
2) Generate TLS Certificates for KES and MinIO
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-generate-kes-certs-desc
:end-before: end-kes-generate-kes-certs-desc
3) Create the KES and MinIO Configurations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
a. Create the KES Configuration File
Create the configuration file using your preferred text editor.
The following example uses ``nano``:
.. code-block:: shell
:substitutions:
nano |kesconfigpath|/kes-config.yaml
.. include:: /includes/common/common-minio-kes-aws.rst
:start-after: start-kes-configuration-aws-desc
:end-before: end-kes-configuration-aws-desc
- Set ``MINIO_IDENTITY_HASH`` to the identity hash of the MinIO mTLS certificate.
The following command computes the necessary hash:
.. code-block:: shell
:class: copyable
:substitutions:
kes identity of |miniocertpath|/minio-kes.cert
- Replace the ``REGION`` with the appropriate region for AWS Secrets Manager.
The value **must** match for both ``endpoint`` and ``region``.
- Set ``AWSACCESSKEY`` and ``AWSSECRETKEY`` to the appropriate :ref:`AWS Credentials <minio-sse-aws-prereq-aws>`.
b. Create the MinIO Environment File
Create the environment file using your preferred text editor.
The following example uses ``nano``:
.. code-block:: shell
:substitutions:
nano |minioconfigpath|/minio
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-configuration-minio-desc
:end-before: end-kes-configuration-minio-desc
4) Start KES and MinIO
~~~~~~~~~~~~~~~~~~~~~~
You must start KES *before* starting MinIO.
The MinIO deployment requires access to KES as part of its startup.
a. Start the KES Server
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-start-server-desc
:end-before: end-kes-start-server-desc
b. Start the MinIO Server
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-minio-start-server-desc
:end-before: end-kes-minio-start-server-desc
Foreground processes depend on the shell or terminal in which they run.
Exiting or terminating the shell/terminal instance also kills the attached process.
Defer to your operating system best practices for running processes in the background.
5) Generate a New Encryption Key
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-generate-key-desc
:end-before: end-kes-generate-key-desc
6) Enable SSE-KMS for a Bucket
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-enable-sse-kms-desc
:end-before: end-kes-enable-sse-kms-desc

107
source/includes/macos/steps-configure-minio-kes-azure.rst
View File

@ -1,107 +0,0 @@
Deploy MinIO and KES with Server-Side Encryption using Azure Key Vault
----------------------------------------------------------------------
Prior to starting these steps, create the following folders:
.. code-block:: shell
:class: copyable
:substitutions:
mkdir -P |kescertpath|
mkdir -P |kesconfigpath|
mkdir -P |miniodatapath|
1) Download the KES Binary
~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/macos/common-minio-kes.rst
:start-after: start-kes-download-desc
:end-before: end-kes-download-desc
2) Generate TLS Certificates for KES and MinIO
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-generate-kes-certs-desc
:end-before: end-kes-generate-kes-certs-desc
3) Create the KES and MinIO Configurations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
a. Create the KES Configuration File
Create the configuration file using your preferred text editor.
The following example uses ``nano``:
.. code-block:: shell
:substitutions:
nano |kesconfigpath|/kes-config.yaml
.. include:: /includes/common/common-minio-kes-azure.rst
:start-after: start-kes-configuration-azure-desc
:end-before: end-kes-configuration-azure-desc
- Set ``MINIO_IDENTITY_HASH`` to the identity hash of the MinIO mTLS certificate.
The following command computes the necessary hash:
.. code-block:: shell
:class: copyable
:substitutions:
kes identity of |miniocertpath|/minio-kes.cert
- Replace the ``endpoint`` with the URL for the Keyvault instance.
- Set ``TENANTID``, ``CLIENTID``, and ``CLIENTSECRET`` to match the credentials for a project user with the :ref:`required permissions <minio-sse-azure-prereq-azure>`.
b. Create the MinIO Environment File
Create the environment file using your preferred text editor.
The following example uses ``nano``:
.. code-block:: shell
:substitutions:
nano |minioconfigpath|/minio
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-configuration-minio-desc
:end-before: end-kes-configuration-minio-desc
4) Start KES and MinIO
~~~~~~~~~~~~~~~~~~~~~~
You must start KES *before* starting MinIO.
The MinIO deployment requires access to KES as part of its startup.
a. Start the KES Server
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-start-server-desc
:end-before: end-kes-start-server-desc
b. Start the MinIO Server
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-minio-start-server-desc
:end-before: end-kes-minio-start-server-desc
Foreground processes depend on the shell or terminal in which they run.
Exiting or terminating the shell/terminal instance also kills the attached process.
Defer to your operating system best practices for running processes in the background.
5) Generate a New Encryption Key
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-generate-key-desc
:end-before: end-kes-generate-key-desc
6) Enable SSE-KMS for a Bucket
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-enable-sse-kms-desc
:end-before: end-kes-enable-sse-kms-desc

107
source/includes/macos/steps-configure-minio-kes-gcp.rst
View File

@ -1,107 +0,0 @@
Deploy MinIO and KES with Server-Side Encryption using GCP Secrets Manager
--------------------------------------------------------------------------
Prior to starting these steps, create the following folders:
.. code-block:: shell
:class: copyable
:substitutions:
mkdir -P |kescertpath|
mkdir -P |kesconfigpath|
mkdir -P |miniodatapath|
1) Download the KES Binary
~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/macos/common-minio-kes.rst
:start-after: start-kes-download-desc
:end-before: end-kes-download-desc
2) Generate TLS Certificates for KES and MinIO
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-generate-kes-certs-desc
:end-before: end-kes-generate-kes-certs-desc
3) Create the KES and MinIO Configurations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
a. Create the KES Configuration File
Create the configuration file using your preferred text editor.
The following example uses ``nano``:
.. code-block:: shell
:substitutions:
nano |kesconfigpath|/kes-config.yaml
.. include:: /includes/common/common-minio-kes-gcp.rst
:start-after: start-kes-configuration-gcp-desc
:end-before: end-kes-configuration-gcp-desc
- Set ``MINIO_IDENTITY_HASH`` to the identity hash of the MinIO mTLS certificate.
The following command computes the necessary hash:
.. code-block:: shell
:class: copyable
:substitutions:
kes identity of |miniocertpath|/minio-kes.cert
- Set ``GCPPROJECTID`` to the GCP project for the Secrets Manager instance KES should use.
- Set ``GCPCLIENTEMAIL``, ``GCPCLIENTID``, ``GCPPRIVATEKEYID``, and ``GCPPRIVATEKEY`` to the credentials associated to the :ref:`GCP Service Account <minio-sse-gcp-prereq-gcp>` KES should use when accessing the Secrets Manager service.
b. Create the MinIO Environment File
Create the environment file using your preferred text editor.
The following example uses ``nano``:
.. code-block:: shell
:substitutions:
nano |minioconfigpath|/minio
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-configuration-minio-desc
:end-before: end-kes-configuration-minio-desc
4) Start KES and MinIO
~~~~~~~~~~~~~~~~~~~~~~
You must start KES *before* starting MinIO.
The MinIO deployment requires access to KES as part of its startup.
a. Start the KES Server
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-start-server-desc
:end-before: end-kes-start-server-desc
b. Start the MinIO Server
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-minio-start-server-desc
:end-before: end-kes-minio-start-server-desc
Foreground processes depend on the shell or terminal in which they run.
Exiting or terminating the shell/terminal instance also kills the attached process.
Defer to your operating system best practices for running processes in the background.
5) Generate a New Encryption Key
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-generate-key-desc
:end-before: end-kes-generate-key-desc
6) Enable SSE-KMS for a Bucket
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-enable-sse-kms-desc
:end-before: end-kes-enable-sse-kms-desc

97
source/includes/macos/steps-configure-minio-kes-hashicorp.rst
View File

@ -1,5 +1,5 @@
Deploy MinIO and KES with Server-Side Encryption using Hashicorp Vault
----------------------------------------------------------------------
Deploy MinIO and KES with Server-Side Encryption
------------------------------------------------
Prior to starting these steps, create the following folders:
@ -11,98 +11,53 @@ Prior to starting these steps, create the following folders:
mkdir -P |kesconfigpath|
mkdir -P |miniodatapath|
1) Download the KES Binary
~~~~~~~~~~~~~~~~~~~~~~~~~~
Prerequisite
~~~~~~~~~~~~
.. include:: /includes/macos/common-minio-kes.rst
:start-after: start-kes-download-desc
:end-before: end-kes-download-desc
2) Generate TLS Certificates for KES and MinIO
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-generate-kes-certs-desc
:end-before: end-kes-generate-kes-certs-desc
Depending on your Vault configuration, you may need to pass the ``kes-server.cert`` as a trusted Certificate Authority. See the `Hashicorp Vault Configuration Docs <https://www.vaultproject.io/docs/configuration/listener/tcp#tls_client_ca_file>`__ for more information.
Depending on your chosen :kes-docs:`supported KMS target <#supported-kms-targets>` configuration, you may need to pass the ``kes-server.cert`` as a trusted Certificate Authority (CA).
Defer to the client documentation for instructions on trusting a third-party CA.
3) Create the KES and MinIO Configurations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1) Create the MinIO Configurations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
a. Create the KES Configuration File
Create the MinIO Environment File
Create the configuration file using your preferred text editor.
The following example uses ``nano``:
Create the environment file using your preferred text editor.
The following example uses ``nano``:
.. code-block:: shell
:substitutions:
.. code-block:: shell
:substitutions:
nano |kesconfigpath|/kes-config.yaml
nano |minioconfigpath|/minio
.. include:: /includes/common/common-minio-kes-hashicorp.rst
:start-after: start-kes-configuration-hashicorp-vault-desc
:end-before: end-kes-configuration-hashicorp-vault-desc
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-configuration-minio-desc
:end-before: end-kes-configuration-minio-desc
- Set ``MINIO_IDENTITY_HASH`` to the identity hash of the MinIO mTLS certificate.
3) Start the MinIO Server
~~~~~~~~~~~~~~~~~~~~~~~~~
The following command computes the necessary hash:
.. note::
.. code-block:: shell
:class: copyable
:substitutions:
You **must** start KES *before* starting MinIO.
The MinIO deployment requires access to KES as part of its startup.
kes identity of |miniocertpath|/minio-kes.cert
- Replace the ``vault.endpoint`` with the hostname of the Vault server(s).
- Replace the ``VAULTAPPID`` and ``VAULTAPPSECRET`` with the appropriate :ref:`Vault AppRole credentials <minio-sse-vault-prereq-vault>`.
b. Create the MinIO Environment File
Create the environment file using your preferred text editor.
The following example uses ``nano``:
.. code-block:: shell
:substitutions:
nano |minioconfigpath|/minio
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-configuration-minio-desc
:end-before: end-kes-configuration-minio-desc
4) Start KES and MinIO
~~~~~~~~~~~~~~~~~~~~~~
You must start KES *before* starting MinIO.
The MinIO deployment requires access to KES as part of its startup.
a. Start the KES Server
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-start-server-desc
:end-before: end-kes-start-server-desc
b. Start the MinIO Server
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-minio-start-server-desc
:end-before: end-kes-minio-start-server-desc
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-minio-start-server-desc
:end-before: end-kes-minio-start-server-desc
Foreground processes depend on the shell or terminal in which they run.
Exiting or terminating the shell/terminal instance also kills the attached process.
Defer to your operating system best practices for running processes in the background.
5) Generate a New Encryption Key
4) Generate a New Encryption Key
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-generate-key-desc
:end-before: end-kes-generate-key-desc
6) Enable SSE-KMS for a Bucket
5) Enable SSE-KMS for a Bucket
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common/common-minio-kes.rst

46
source/includes/windows/common-minio-kes.rst
View File

@ -2,7 +2,7 @@
The following commands creates two TLS certificates that expire within 30 days of creation:
- A TLS certificate for KES to secure communications between it and the Vault deployment
- A TLS certificate for KES to secure communications between it and the KMS deployment
- A TLS certificate for MinIO to perform mTLS authentication to KES.
.. admonition:: Use Caution in Production Environments
@ -11,10 +11,8 @@ The following commands creates two TLS certificates that expire within 30 days o
**DO NOT** use the TLS certificates generated as part of this procedure for
any long-term development or production environments.
Defer to organization/industry best practices around TLS certificate
generation and management. A complete guide to creating valid certificates
(e.g. well-formed, current, and trusted) is beyond the scope of this
procedure.
Defer to organization/industry best practices around TLS certificate generation and management.
A complete guide to creating valid certificates (for example, well-formed, current, and trusted) is beyond the scope of this procedure.
.. code-block:: powershell
:class: copyable
@ -35,43 +33,14 @@ The following commands creates two TLS certificates that expire within 30 days o
--dns localhost
The ``--ip`` and ``--dns`` parameters set the IP and DNS ``SubjectAlternativeName`` for the certificate.
The above example assumes that all components (Vault, MinIO, and KES) deploy on the same local host machine accessible via ``localhost`` or ``127.0.0.1``.
The above example assumes that all components (KMS, MinIO, and KES) deploy on the same local host machine accessible via ``localhost`` or ``127.0.0.1``.
You can specify additional IP or Hostnames based on the network configuration of your local host.
Depending on your Vault configuration, you may need to pass the ``kes-server.cert`` as a trusted Certificate Authority. See the `Hashicorp Server Configuration Documentation <https://www.vaultproject.io/docs/configuration/listener/tcp#tls_client_ca_file>`__ for more information.
Defer to the client documentation for instructions on trusting a third-party CA.
Depending on your KMS configuration, you may need to pass the ``kes-server.cert`` as a trusted Certificate Authority.
Defer to the client documentation for your chosen :kes-docs:`supported KMS target <#supported-kms-targets>` for instructions on trusting a third-party CA.
.. end-kes-generate-kes-certs-desc
.. start-kes-download-desc
Download the latest stable release (|kes-stable|) of KES from :minio-git:`github.com/minio/kes <kes/releases/latest>`.
The following PowerShell command downloads the latest Windows-compatible binary and moves it to the system ``PATH``:
.. code-block:: powershell
:class: copyable
:substitutions:
Invoke-WebRequest -Uri "https://github.com/minio/kes/releases/download/|kes-stable|/kes-linux-windows-amd64.exe" -OutFile "C:\kes.exe"
C:\kes.exe --version
.. end-kes-download-desc
.. start-kes-start-server-desc
Run the following command in a terminal or shell to start the KES server as a foreground process.
.. code-block:: powershell
:class: copyable
:substitutions:
C:\kes.exe server --auth --config=|kesconfigpath|\config\kes-config.yaml
Defer to the documentation for your MacOS Operating System version for instructions on running a process in the background.
.. end-kes-start-server-desc
.. start-kes-minio-start-server-desc
Run the following command in a terminal or shell to start the MinIO server as a foreground process.
@ -138,8 +107,7 @@ This command assumes the ``minio-kes.cert``, ``minio-kes.key``, and ``kes-server
MinIO uses the :envvar:`MINIO_KMS_KES_KEY_NAME` key for the following cryptographic operations:
- Encrypting the MinIO backend (IAM, configuration, etc.)
- Encrypting objects using :ref:`SSE-KMS <minio-encryption-sse-kms>` if the request does not
include a specific |EK|.
- Encrypting objects using :ref:`SSE-KMS <minio-encryption-sse-kms>` if the request does not include a specific |EK|.
- Encrypting objects using :ref:`SSE-S3 <minio-encryption-sse-s3>`.
MinIO uses the :envvar:`MINIO_KMS_KES_ENCLAVE` key to define the name of the KES enclave to use for stateful KES servers.

105
source/includes/windows/steps-configure-minio-kes-aws.rst
View File

@ -1,105 +0,0 @@
Deploy MinIO and KESwith Server-Side Encryption using AWS Secrets Manager
-------------------------------------------------------------------------
Prior to starting these steps, create the following folders:
.. code-block:: powershell
:class: copyable
:substitutions:
New-Item -Path "|kescertpath|" -ItemType "directory"
New-Item -Path "|kesconfigpath|" -ItemType "directory"
New-Item -Path "|miniodatapath|" -ItemType "directory"
1) Download KES for Windows
~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/windows/common-minio-kes.rst
:start-after: start-kes-download-desc
:end-before: end-kes-download-desc
2) Generate TLS Certificates for KES and MinIO
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/windows/common-minio-kes.rst
:start-after: start-kes-generate-kes-certs-desc
:end-before: end-kes-generate-kes-certs-desc
3) Create the KES and MinIO Configurations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
a. Create the KES Configuration File
Create the configuration file using your preferred text editor.
The following example uses the Windows Notepad program:
.. code-block:: powershell
:substitutions:
notepad |kesconfigpath|\kes-config.yaml
.. include:: /includes/common/common-minio-kes-aws.rst
:start-after: start-kes-configuration-aws-desc
:end-before: end-kes-configuration-aws-desc
- Set ``MINIO_IDENTITY_HASH`` to the identity hash of the MinIO mTLS certificate.
The following command computes the necessary hash:
.. code-block:: shell
:class: copyable
:substitutions:
kes.exe tool identity of |miniocertpath|/minio-kes.cert
- Replace the ``REGION`` with the appropriate region for AWS Secrets Manager.
The value **must** match for both ``endpoint`` and ``region``.
- Set ``AWSACCESSKEY`` and ``AWSSECRETKEY`` to the appropriate :ref:`AWS Credentials <minio-sse-aws-prereq-aws>`.
b. Create the MinIO Environment File
Create the environment file using your preferred text editor.
The following example uses the Windows Notepad program:
.. code-block:: powershell
:substitutions:
notepad |minioconfigpath|\minio
.. include:: /includes/windows/common-minio-kes.rst
:start-after: start-kes-configuration-minio-desc
:end-before: end-kes-configuration-minio-desc
4) Start KES and MinIO
~~~~~~~~~~~~~~~~~~~~~~
You must start KES *before* starting MinIO.
The MinIO deployment requires access to KES as part of its startup.
a. Start the KES Server
.. include:: /includes/windows/common-minio-kes.rst
:start-after: start-kes-start-server-desc
:end-before: end-kes-start-server-desc
b. Start the MinIO Server
.. include:: /includes/windows/common-minio-kes.rst
:start-after: start-kes-minio-start-server-desc
:end-before: end-kes-minio-start-server-desc
5) Generate a New Encryption Key
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/windows/common-minio-kes.rst
:start-after: start-kes-generate-key-desc
:end-before: end-kes-generate-key-desc
6) Enable SSE-KMS for a Bucket
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-enable-sse-kms-desc
:end-before: end-kes-enable-sse-kms-desc

104
source/includes/windows/steps-configure-minio-kes-azure.rst
View File

@ -1,104 +0,0 @@
Deploy MinIO and KES with Server-Side Encryption using Azure Key Vault
----------------------------------------------------------------------
Prior to starting these steps, create the following folders:
.. code-block:: powershell
:class: copyable
:substitutions:
New-Item -Path "|kescertpath|" -ItemType "directory"
New-Item -Path "|kesconfigpath|" -ItemType "directory"
New-Item -Path "|miniodatapath|" -ItemType "directory"
1) Download KES for Windows
~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/windows/common-minio-kes.rst
:start-after: start-kes-download-desc
:end-before: end-kes-download-desc
2) Generate TLS Certificates for KES and MinIO
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/windows/common-minio-kes.rst
:start-after: start-kes-generate-kes-certs-desc
:end-before: end-kes-generate-kes-certs-desc
3) Create the KES and MinIO Configurations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
a. Create the KES Configuration File
Create the configuration file using your preferred text editor.
The following example uses the Windows Notepad program:
.. code-block:: powershell
:substitutions:
notepad |kesconfigpath|\kes-config.yaml
.. include:: /includes/common/common-minio-kes-azure.rst
:start-after: start-kes-configuration-azure-desc
:end-before: end-kes-configuration-azure-desc
- Set ``MINIO_IDENTITY_HASH`` to the identity hash of the MinIO mTLS certificate.
The following command computes the necessary hash:
.. code-block:: shell
:class: copyable
:substitutions:
kes.exe tool identity of |miniocertpath|/minio-kes.cert
- Replace the ``endpoint`` with the URL for the Keyvault instance.
- Set ``TENANTID``, ``CLIENTID``, and ``CLIENTSECRET`` to match the credentials for a project user with the :ref:`required permissions <minio-sse-azure-prereq-azure>`.
b. Create the MinIO Environment File
Create the environment file using your preferred text editor.
The following example uses the Windows Notepad program:
.. code-block:: powershell
:substitutions:
notepad |minioconfigpath|\minio
.. include:: /includes/windows/common-minio-kes.rst
:start-after: start-kes-configuration-minio-desc
:end-before: end-kes-configuration-minio-desc
4) Start KES and MinIO
~~~~~~~~~~~~~~~~~~~~~~
You must start KES *before* starting MinIO.
The MinIO deployment requires access to KES as part of its startup.
a. Start the KES Server
.. include:: /includes/windows/common-minio-kes.rst
:start-after: start-kes-start-server-desc
:end-before: end-kes-start-server-desc
b. Start the MinIO Server
.. include:: /includes/windows/common-minio-kes.rst
:start-after: start-kes-minio-start-server-desc
:end-before: end-kes-minio-start-server-desc
5) Generate a New Encryption Key
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/windows/common-minio-kes.rst
:start-after: start-kes-generate-key-desc
:end-before: end-kes-generate-key-desc
6) Enable SSE-KMS for a Bucket
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-enable-sse-kms-desc
:end-before: end-kes-enable-sse-kms-desc

103
source/includes/windows/steps-configure-minio-kes-gcp.rst
View File

@ -1,103 +0,0 @@
Deploy MinIO and KES with Server-Side Encryption using GCP Secrets Manager
--------------------------------------------------------------------------
Prior to starting these steps, create the following folders:
.. code-block:: powershell
:class: copyable
:substitutions:
New-Item -Path "|kescertpath|" -ItemType "directory"
New-Item -Path "|kesconfigpath|" -ItemType "directory"
New-Item -Path "|miniodatapath|" -ItemType "directory"
1) Download KES for Windows
~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/windows/common-minio-kes.rst
:start-after: start-kes-download-desc
:end-before: end-kes-download-desc
2) Generate TLS Certificates for KES and MinIO
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/windows/common-minio-kes.rst
:start-after: start-kes-generate-kes-certs-desc
:end-before: end-kes-generate-kes-certs-desc
3) Create the KES and MinIO Configurations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
a. Create the KES Configuration File
Create the configuration file using your preferred text editor.
The following example uses the Windows Notepad program:
.. code-block:: powershell
:substitutions:
notepad |kesconfigpath|\kes-config.yaml
.. include:: /includes/common/common-minio-kes-gcp.rst
:start-after: start-kes-configuration-gcp-desc
:end-before: end-kes-configuration-gcp-desc
- Set ``MINIO_IDENTITY_HASH`` to the identity hash of the MinIO mTLS certificate.
The following command computes the necessary hash:
.. code-block:: shell
:class: copyable
:substitutions:
kes.exe tool identity of |miniocertpath|/minio-kes.cert
- Set ``GCPPROJECTID`` to the GCP project for the Secrets Manager instance KES should use.
- Set ``GCPCLIENTEMAIL``, ``GCPCLIENTID``, ``GCPPRIVATEKEYID``, and ``GCPPRIVATEKEY`` to the credentials associated to the :ref:`GCP Service Account <minio-sse-gcp-prereq-gcp>` KES should use when accessing the Secrets Manager service.
b. Create the MinIO Environment File
Create the environment file using your preferred text editor.
The following example uses the Windows Notepad program:
.. code-block:: powershell
:substitutions:
notepad |minioconfigpath|\minio
.. include:: /includes/windows/common-minio-kes.rst
:start-after: start-kes-configuration-minio-desc
:end-before: end-kes-configuration-minio-desc
4) Start KES and MinIO
~~~~~~~~~~~~~~~~~~~~~~
You must start KES *before* starting MinIO.
The MinIO deployment requires access to KES as part of its startup.
a. Start the KES Server
.. include:: /includes/windows/common-minio-kes.rst
:start-after: start-kes-start-server-desc
:end-before: end-kes-start-server-desc
b. Start the MinIO Server
.. include:: /includes/windows/common-minio-kes.rst
:start-after: start-kes-minio-start-server-desc
:end-before: end-kes-minio-start-server-desc
5) Generate a New Encryption Key
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/windows/common-minio-kes.rst
:start-after: start-kes-generate-key-desc
:end-before: end-kes-generate-key-desc
6) Enable SSE-KMS for a Bucket
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-enable-sse-kms-desc
:end-before: end-kes-enable-sse-kms-desc

99
source/includes/windows/steps-configure-minio-kes-hashicorp.rst
View File

@ -1,5 +1,5 @@
Deploy MinIO and KES with Server-Side Encryption using Hashicorp Vault
----------------------------------------------------------------------
Deploy MinIO and KES with Server-Side Encryption
------------------------------------------------
Prior to starting these steps, create the following folders:
@ -11,96 +11,51 @@ Prior to starting these steps, create the following folders:
New-Item -Path "|kesconfigpath|" -ItemType "directory"
New-Item -Path "|miniodatapath|" -ItemType "directory"
1) Download KES for Windows
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Prerequisite
~~~~~~~~~~~~
.. include:: /includes/windows/common-minio-kes.rst
:start-after: start-kes-download-desc
:end-before: end-kes-download-desc
2) Generate TLS Certificates for KES and MinIO
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/windows/common-minio-kes.rst
:start-after: start-kes-generate-kes-certs-desc
:end-before: end-kes-generate-kes-certs-desc
Depending on your Vault configuration, you may need to pass the ``kes-server.cert`` as a trusted Certificate Authority. See the `Hashicorp Vault Configuration Docs <https://www.vaultproject.io/docs/configuration/listener/tcp#tls_client_ca_file>`__ for more information.
Depending on your chosen :kes-docs:`supported KMS target <#supported-kms-targets>` configuration, you may need to pass the ``kes-server.cert`` as a trusted Certificate Authority (CA).
Defer to the client documentation for instructions on trusting a third-party CA.
3) Create the KES and MinIO Configurations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1) Create the MinIO Configurations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
a. Create the KES Configuration File
Create the MinIO Environment File
Create the configuration file using your preferred text editor.
The following example uses the Windows Notepad program:
Create the environment file using your preferred text editor.
The following example uses the Windows Notepad program:
.. code-block:: powershell
:substitutions:
.. code-block:: powershell
:substitutions:
notepad |kesconfigpath|\kes-config.yaml
notepad |minioconfigpath|\minio
.. include:: /includes/common/common-minio-kes-hashicorp.rst
:start-after: start-kes-configuration-hashicorp-vault-desc
:end-before: end-kes-configuration-hashicorp-vault-desc
.. include:: /includes/windows/common-minio-kes.rst
:start-after: start-kes-configuration-minio-desc
:end-before: end-kes-configuration-minio-desc
- Set ``MINIO_IDENTITY_HASH`` to the identity hash of the MinIO mTLS certificate.
2) Start the MinIO Server
~~~~~~~~~~~~~~~~~~~~~~~~~
The following command computes the necessary hash:
.. note::
.. code-block:: shell
:class: copyable
:substitutions:
You **must** start KES *before* starting MinIO.
The MinIO deployment requires access to KES as part of its startup.
kes.exe tool identity of |miniocertpath|/minio-kes.cert
Start the MinIO Server
- Replace the ``REGION`` with the appropriate region for AWS Secrets Manager.
The value **must** match for both ``endpoint`` and ``region``.
.. include:: /includes/windows/common-minio-kes.rst
:start-after: start-kes-minio-start-server-desc
:end-before: end-kes-minio-start-server-desc
- Set ``AWSACCESSKEY`` and ``AWSSECRETKEY`` to the appropriate :ref:`AWS Credentials <minio-sse-aws-prereq-aws>`.
b. Create the MinIO Environment File
Create the environment file using your preferred text editor.
The following example uses the Windows Notepad program:
.. code-block:: powershell
:substitutions:
notepad |minioconfigpath|\minio
.. include:: /includes/windows/common-minio-kes.rst
:start-after: start-kes-configuration-minio-desc
:end-before: end-kes-configuration-minio-desc
4) Start KES and MinIO
~~~~~~~~~~~~~~~~~~~~~~
You must start KES *before* starting MinIO.
The MinIO deployment requires access to KES as part of its startup.
a. Start the KES Server
.. include:: /includes/windows/common-minio-kes.rst
:start-after: start-kes-start-server-desc
:end-before: end-kes-start-server-desc
b. Start the MinIO Server
.. include:: /includes/windows/common-minio-kes.rst
:start-after: start-kes-minio-start-server-desc
:end-before: end-kes-minio-start-server-desc
5) Generate a New Encryption Key
3) Generate a New Encryption Key
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/windows/common-minio-kes.rst
:start-after: start-kes-generate-key-desc
:end-before: end-kes-generate-key-desc
6) Enable SSE-KMS for a Bucket
4) Enable SSE-KMS for a Bucket
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common/common-minio-kes.rst