mirror of
https://github.com/minio/docs.git
synced 2025-08-06 14:42:56 +03:00
d5d3243413
@djwfyi cursory review in case I missed something. Closes #580 I do need to do further testing beyond the patches here. But I'm going to handle that out-of-band.
111 lines
3.5 KiB
ReStructuredText
111 lines
3.5 KiB
ReStructuredText
Deploy MinIO and KES with Server-Side Encryption using AWS Secrets Manager for Local Development
|
|
------------------------------------------------------------------------------------------------
|
|
|
|
Prior to starting these steps, create the following folders:
|
|
|
|
.. code-block:: shell
|
|
:class: copyable
|
|
:substitutions:
|
|
|
|
mkdir -P |kescertpath|
|
|
mkdir -P |kesconfigpath|
|
|
mkdir -P |miniocertpath|
|
|
mkdir -P |minioconfigpath|
|
|
mkdir -P |miniodatapath|
|
|
|
|
1) Download the KES Server Binary
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
.. include:: /includes/linux/common-minio-kes.rst
|
|
:start-after: start-kes-download-desc
|
|
:end-before: end-kes-download-desc
|
|
|
|
2) Generate TLS Certificates for KES and MinIO
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
.. include:: /includes/common/common-minio-kes.rst
|
|
:start-after: start-kes-generate-kes-certs-desc
|
|
:end-before: end-kes-generate-kes-certs-desc
|
|
|
|
3) Create the KES and MinIO Configurations
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
a. Create the KES Configuration File
|
|
|
|
Create the configuration file using your preferred text editor.
|
|
The following example uses ``nano``:
|
|
|
|
.. code-block:: shell
|
|
:substitutions:
|
|
|
|
nano |kesconfigpath|/kes-config.yaml
|
|
|
|
.. include:: /includes/common/common-minio-kes-aws.rst
|
|
:start-after: start-kes-configuration-aws-desc
|
|
:end-before: end-kes-configuration-aws-desc
|
|
|
|
- Set ``MINIO_IDENTITY_HASH`` to the identity hash of the MinIO mTLS certificate.
|
|
|
|
The following command computes the necessary hash:
|
|
|
|
.. code-block:: shell
|
|
:class: copyable
|
|
:substitutions:
|
|
|
|
kes identity of |miniocertpath|/minio-kes.cert
|
|
|
|
- Replace the ``REGION`` with the appropriate region for AWS Secrets Manager.
|
|
The value **must** match for both ``endpoint`` and ``region``.
|
|
|
|
- Set ``AWSACCESSKEY`` and ``AWSSECRETKEY`` to the appropriate :ref:`AWS Credentials <minio-sse-aws-prereq-aws>`.
|
|
|
|
b. Create the MinIO Environment File
|
|
|
|
Create or modify the environment file for the MinIO deployment using your preferred text editor.
|
|
The following example uses ``nano``:
|
|
|
|
.. code-block:: shell
|
|
:substitutions:
|
|
|
|
nano |minioconfigpath|/minio
|
|
|
|
.. include:: /includes/common/common-minio-kes.rst
|
|
:start-after: start-kes-configuration-minio-desc
|
|
:end-before: end-kes-configuration-minio-desc
|
|
|
|
4) Start KES and MinIO
|
|
~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
You must start KES *before* starting MinIO.
|
|
The MinIO deployment requires access to KES as part of its startup.
|
|
|
|
a. Start the KES Server
|
|
|
|
.. include:: /includes/common/common-minio-kes.rst
|
|
:start-after: start-kes-start-server-desc
|
|
:end-before: end-kes-start-server-desc
|
|
|
|
b. Start the MinIO Server
|
|
|
|
.. include:: /includes/common/common-minio-kes.rst
|
|
:start-after: start-kes-minio-start-server-desc
|
|
:end-before: end-kes-minio-start-server-desc
|
|
|
|
Foreground processes depend on the shell or terminal in which they run.
|
|
Exiting or terminating the shell/terminal instance also kills the attached process.
|
|
Defer to your operating system best practices for running processes in the background.
|
|
|
|
5) Generate a New Encryption Key
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
.. include:: /includes/common/common-minio-kes.rst
|
|
:start-after: start-kes-generate-key-desc
|
|
:end-before: end-kes-generate-key-desc
|
|
|
|
6) Enable SSE-KMS for a Bucket
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
.. include:: /includes/common/common-minio-kes.rst
|
|
:start-after: start-kes-enable-sse-kms-desc
|
|
:end-before: end-kes-enable-sse-kms-desc
|