Addtl fixups

2025-07-30 07:03:26 +03:00 · 2021-05-03 17:00:54 -04:00
parent 5fe66d4f79
commit ebd4850020
4 changed files with 194 additions and 96 deletions
--- a/source/tutorials/minio-installation.rst
+++ b/source/tutorials/minio-installation.rst
@ -58,21 +58,7 @@ procedure.
      products and services, and is not intended as a complete guide to the larger
      topic of TLS/SSL certificate creation and management.

-3\) Generate an Encryption Key for the MinIO Backend
-   Starting in the :minio-release:`RELEASE.2021-04-22T15-44-28Z` release, MinIO
-   requires a user-specified encryption key or Key Management System (KMS) for
-   encrypting the backend (users, groups, policies, and server configuration). 
-
-   Generate a 256-bit encryption key and encode it as a base64 string:
-
-   .. code-block:: shell
-      :class: copyable
-
-      cat /dev/urandom | head -c 32 | base64 -
-
-   Copy the value for use in the next step.
-
-4\) Run the ``minio`` Server
+3\) Run the ``minio`` Server
   Issue the following command on each host machine in the deployment. The
   following example assumes that:

@ -87,7 +73,8 @@ procedure.

      export MINIO_ROOT_USER_FILE=minio-admin
      export MINIO_ROOT_PASSWORD_FILE=minio-secret-key-CHANGE-ME
-      export MINIO_KMS_SECRET_KEY=base64encoded256bitkey
+      export MINIO_KMS_SECRET_KEY=my-minio-encryption-key:bXltaW5pb2VuY3J5cHRpb25rZXljaGFuZ2VtZTEyMwo=
+
      minio server https://minio{1...4}.example.com/mnt/disk{1...4}/data

   The example command breaks down as follows:
@ -111,35 +98,51 @@ procedure.
        - The key to use for encrypting the MinIO backend (users, groups,
          policies, and server configuration).

-      * - ``https://minio{1...4}.example.com/``
+          Use the following format when specifying the encryption key:
+
+          ``<key-name>:<encryption-key>``
+   
+          - Replace the ``<key-name>`` with any string. You must use this
+            key name if you later migrate to using a dedicated KMS for 
+            managing encryption keys.
+
+          - Replace ``<encryption-key>`` with a 32-bit base64 encoded value.
+            For example:
+
+            .. code-block:: shell
+               :class: copyable
+     
+               cat /dev/urandom | head -c 32 | base64 -
+
+      * - ``minio{1...4}.example.com/``
        - The DNS hostname of each server in the distributed deployment. 

+          The command uses MinIO expansion notation ``{x...y}`` to denote a
+          sequential series. Specifically, the hostname
+          ``https://minio{1...4}.example.com`` expands to:
+     
+          - ``https://minio1.example.com``
+          - ``https://minio2.example.com``
+          - ``https://minio3.example.com``
+          - ``https://minio4.example.com``
+
      * - ``/mnt/disk{1...4}/data``
        - The path to each disk on the host machine. 

          ``/data`` is an optional folder in which the ``minio`` server stores
          all information related to the deployment. 

+          The command uses MinIO expansion notation ``{x...y}`` to denote a sequential
+          series. Specifically,  ``/mnt/disk{1...4}/data`` expands to:
+         
+          - ``/mnt/disk1/data``
+          - ``/mnt/disk2/data``
+          - ``/mnt/disk3/data``
+          - ``/mnt/disk4/data``
+
          See :mc-cmd:`minio server DIRECTORIES` for more information on
          configuring the backing storage for the :mc:`minio server` process.

-   The command uses MinIO expansion notation ``{x...y}`` to denote a sequential
-   series. Specifically:
-
-   -  The hostname ``https://minio{1...4}.example.com`` expands to:
-
-      - ``https://minio1.example.com``
-      - ``https://minio2.example.com``
-      - ``https://minio3.example.com``
-      - ``https://minio4.example.com``
-
-   - ``/mnt/disk{1...4}/data`` expands to
-   
-      - ``/mnt/disk1/data``
-      - ``/mnt/disk2/data``
-      - ``/mnt/disk3/data``
-      - ``/mnt/disk4/data``
-
 4\) Connect to the Server
   Use the :mc-cmd:`mc alias set` command from a machine with connectivity to any
   hostname running the ``minio`` server. See :ref:`mc-install` for documentation
@ -168,7 +171,7 @@ version of the ``minio`` server process:
   docker run -p 9000:9000 \
   -e "MINIO_ROOT_USER_FILE=ROOT_ACCESS_KEY" \
   -e "MINIO_ROOT_PASSWORD_FILE=SECRET_ACCESS_KEY_CHANGE_ME" \
-   -e "MINIO_KMS_SECRET_KEY=base64encoded256bitkey" \
+   -e "MINIO_KMS_SECRET_KEY=my-minio-encryption-key:bXltaW5pb2VuY3J5cHRpb25rZXljaGFuZ2VtZTEyMwo=" \
   -v /mnt/disk1:/disk1 \
   -v /mnt/disk2:/disk2 \
   -v /mnt/disk3:/disk3 \
@ -196,12 +199,21 @@ The command uses the following options:
     - The key to use for encrypting the MinIO backend (S3 objects, users, groups,
       policies, and server configuration).

-       Replace this value with a 256-bit base64-encrypted string:
+       Use the following format when specifying the encryption key:

-       .. code-block:: shell
-         :class: copyable
+       ``<key-name>:<encryption-key>``
+
+       - Replace the ``<key-name>`` with any string. You must use this
+         key name if you later migrate to using a dedicated KMS for 
+         managing encryption keys.
+
+       - Replace ``<encryption-key>`` with a 32-bit base64 encoded value. 
+         For example:
+
+         .. code-block:: shell
+            :class: copyable
 
-         cat /dev/urandom | head -c 32 | base64 -
+            cat /dev/urandom | head -c 32 | base64 -

   * - ``-v /mnt/disk<int>:/disk<int>`` 
     - The path to each each disk the ``minio`` server uses. 
@ -220,7 +232,7 @@ bleeding-edge version of the ``minio`` server process:
   docker run -p 9000:9000 \
   -e "MINIO_ROOT_USER_FILE=ROOT_ACCESS_KEY" \
   -e "MINIO_ROOT_PASSWORD_FILE=SECRET_ACCESS_KEY_CHANGE_ME" \
-   -e "MINIO_KMS_SECRET_KEY=base64encoded256bitkey" \
+   -e "MINIO_KMS_SECRET_KEY=my-minio-encryption-key:bXltaW5pb2VuY3J5cHRpb25rZXljaGFuZ2VtZTEyMwo=" \
   -v /mnt/disk1:/disk1 \
   -v /mnt/disk2:/disk2 \
   -v /mnt/disk3:/disk3 \
@ -248,13 +260,29 @@ The command uses the following options:
     - The key to use for encrypting the MinIO backend (users, groups,
       policies, and server configuration).

-       Replace this value with a 256-bit base64-encrypted string:
+       Replace this value with a 32-bit base64-encrypted string:

       .. code-block:: shell
         :class: copyable
 
         cat /dev/urandom | head -c 32 | base64 -

+       Use the following format when specifying the encryption key:
+
+       ``<key-name>:<encryption-key>``
+
+       - Replace the ``<key-name>`` with any string. You must use this
+         key name if you later migrate to using a dedicated KMS for 
+         managing encryption keys.
+
+       - Replace ``<encryption-key>`` with a 32-bit base64 encoded value. 
+         For example:
+
+         .. code-block:: shell
+            :class: copyable
+
+            cat /dev/urandom | head -c 32 | base64 -
+
   * - ``-v /mnt/disk<int>:/disk<int>`` 
     - The path to each each disk the ``minio`` server uses. 

@ -289,21 +317,7 @@ environments.
      products and services, and is not intended as a complete guide to the larger
      topic of TLS/SSL certificate creation and management.

-3\) Generate an Encryption Key for the MinIO Backend
-   Starting in the :minio-release:`RELEASE.2021-04-22T15-44-28Z` release, MinIO
-   requires a user-specified encryption key or Key Management System (KMS) for
-   encrypting the backend (users, groups, policies, and server configuration). 
-
-   Generate a 256-bit encryption key and encode it as a base64 string:
-
-   .. code-block:: shell
-      :class: copyable
-
-      cat /dev/urandom | head -c 32 | base64 -
-
-   Copy the value for use in the next step.
-
-4\) Run the ``minio`` Server
+3\) Run the ``minio`` Server
   Issue the following command to start the :program:`minio` server. The following
   example assumes the host machine has *at least* four disks, which is the minimum
   required number of disks to enable :ref:`erasure coding <minio-erasure-coding>`:
@ -313,6 +327,8 @@ environments.

      export MINIO_ROOT_USER_FILE=minio-admin
      export MINIO_ROOT_PASSWORD_FILE=minio-secret-key-CHANGE-ME
+      export MINIO_KMS_SECRET_KEY=my-minio-encryption-key:bXltaW5pb2VuY3J5cHRpb25rZXljaGFuZ2VtZTEyMwo=
+
      minio server /mnt/disk{1...4}/data

   The example command breaks down as follows:
@ -332,6 +348,26 @@ environments.

          Replace this value with a unique, random, and long string.

+      * - :envvar:`MINIO_KMS_SECRET_KEY`
+        - The key to use for encrypting the MinIO backend (users, groups,
+          policies, and server configuration).
+
+          Use the following format when specifying the encryption key:
+
+          ``<key-name>:<encryption-key>``
+   
+          - Replace the ``<key-name>`` with any string. You must use this
+            key name if you later migrate to using a dedicated KMS for 
+            managing encryption keys.
+
+          - Replace ``<encryption-key>`` with a 32-bit base64 encoded value.
+            For example:
+
+            .. code-block:: shell
+               :class: copyable
+     
+               cat /dev/urandom | head -c 32 | base64 -
+
      * - ``/mnt/disk{1...4}/data``
        - The path to each disk on the host machine. 

@ -341,13 +377,13 @@ environments.
          See :mc-cmd:`minio server DIRECTORIES` for more information on
          configuring the backing storage for the :mc:`minio server` process.

-   The command uses MinIO expansion notation ``{x...y}`` to denote a sequential
-   series. Specifically, ``/mnt/disk{1...4}/data`` expands to:
-   
-   - ``/mnt/disk1/data``
-   - ``/mnt/disk2/data``
-   - ``/mnt/disk3/data``
-   - ``/mnt/disk4/data``
+          The command uses MinIO expansion notation ``{x...y}`` to denote a
+          sequential series. Specifically, ``/mnt/disk{1...4}/data`` expands to:
+            
+          - ``/mnt/disk1/data``
+          - ``/mnt/disk2/data``
+          - ``/mnt/disk3/data``
+          - ``/mnt/disk4/data``

 4\) Connect to the Server
   Use the :mc-cmd:`mc alias set` command from a machine with connectivity to