Quick Fix: KES Guidance (#1187)

We already state on one page that you cannot undo KES once configured. This ensures we make that statement on all other relevant pages. Staged: - http://192.241.195.202:9000/staging/QUICKFIX/linux/operations/server-side-encryption.html - SSE-KMS and SSE-S3 tabs - http://192.241.195.202:9000/staging/QUICKFIX/linux/operations/server-side-encryption/configure-minio-kes.html - http://192.241.195.202:9000/staging/QUICKFIX/linux/administration/server-side-encryption.html SSE KMS and SSE-S3 Tabs - http://192.241.195.202:9000/staging/QUICKFIX/linux/administration/server-side-encryption/server-side-encryption-sse-kms.html#quickstart - http://192.241.195.202:9000/staging/QUICKFIX/linux/administration/server-side-encryption/server-side-encryption-sse-s3.html#quickstart
2025-07-30 07:03:26 +03:00 · 2024-04-15 14:58:26 -04:00
parent 24dd7edf49
commit e71bbe9040
6 changed files with 33 additions and 2 deletions
--- a/source/includes/common/common-minio-kes.rst
+++ b/source/includes/common/common-minio-kes.rst
@ -5,7 +5,8 @@

 Enabling |SSE| on a MinIO deployment automatically encrypts the backend data for that deployment using the default encryption key.

-MinIO *requires* access to KES *and* the root KMS to decrypt the backend and start normally.
+MinIO *requires* access to KES and the external KMS to decrypt the backend and start normally.
+The KMS **must** maintain and provide access to the :envvar:`MINIO_KMS_KES_KEY_NAME`.
 You cannot disable KES later or "undo" the |SSE| configuration at a later point.

 .. end-kes-encrypted-backend-desc