minio/docs
1
0
Fork 0
mirror of https://github.com/minio/docs.git synced 2025-08-08 01:43:18 +03:00
Code Activity
Files
DOCS-860-part2a
docs/source/includes/linux/steps-configure-minio-kes-gcp.rst
Ravind Kumar f6538cadd9 DOCS-779: Fix permission set for MinIO on KES (#793)
2023-04-04 09:36:35 -04:00

116 lines
3.8 KiB
ReStructuredText
Raw Permalink Blame History

Enable Server-Side Encryption with GCP Secrets Manager for Production
---------------------------------------------------------------------
Prior to starting these steps, create the following folders if they do not already exist:
.. code-block:: shell
:class: copyable
:substitutions:
mkdir -P |kescertpath|
mkdir -P |kesconfigpath|
mkdir -P |miniocertpath|
1) Download KES and Create the Service File
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. important::
Starting with :minio-release:`RELEASE.2023-02-17T17-52-43Z`, MinIO requires expanded KES permissions for functionality.
The example configuration in this section contains all required permissions.
a. Download KES
.. include:: /includes/linux/common-minio-kes.rst
:start-after: start-kes-download-desc
:end-before: end-kes-download-desc
b. Create the Service File
.. include:: /includes/linux/common-minio-kes.rst
:start-after: start-kes-service-file-desc
:end-before: end-kes-service-file-desc
2) Generate TLS Certificates for KES and MinIO
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/linux/common-minio-kes.rst
:start-after: start-kes-generate-kes-certs-prod-desc
:end-before: end-kes-generate-kes-certs-prod-desc
3) Create the KES and MinIO Configurations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
a. Create the KES Configuration File
Create the configuration file using your preferred text editor.
The following example uses ``nano``:
.. code-block:: shell
:substitutions:
nano /etc/kes/config.yaml
.. include:: /includes/common/common-minio-kes-gcp.rst
:start-after: start-kes-configuration-gcp-desc
:end-before: end-kes-configuration-gcp-desc
- Set ``MINIO_IDENTITY_HASH`` to the identity hash of the MinIO mTLS certificate.
The following command computes the necessary hash:
.. code-block:: shell
:class: copyable
:substitutions:
kes identity of |miniocertpath|/minio-kes.cert
- Set ``GCPPROJECTID`` to the GCP project for the Secrets Manager instance KES should use.
- Set ``GCPCLIENTEMAIL``, ``GCPCLIENTID``, ``GCPPRIVATEKEYID``, and ``GCPPRIVATEKEY`` to the credentials associated to the :ref:`GCP Service Account <minio-sse-gcp-prereq-gcp>` KES should use when accessing the Secrets Manager service.
b. Configure the MinIO Environment File
Modify the MinIO Server environment file for all hosts in the target deployment to include the following environment variables.
MinIO defaults to expecting this file at ``/etc/default/minio``.
If you modified your deployment to use a different location for the environment file, modify the file at that location.
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-configuration-minio-desc
:end-before: end-kes-configuration-minio-desc
4) Start KES and MinIO
~~~~~~~~~~~~~~~~~~~~~~
You must start KES *before* starting MinIO.
The MinIO deployment requires access to KES as part of its startup.
This step uses ``systemd`` for starting and managing both the KES and MinIO server processes:
a. Start the KES Service on All Hosts
.. include:: /includes/linux/common-minio-kes.rst
:start-after: start-kes-start-service-desc
:end-before: end-kes-start-service-desc
b. Start the MinIO Server
.. include:: /includes/linux/common-minio-kes.rst
:start-after: start-kes-minio-start-service-desc
:end-before: end-kes-minio-start-service-desc
5) Generate a New Encryption Key
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-generate-key-desc
:end-before: end-kes-generate-key-desc
6) Enable SSE-KMS for a Bucket
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-enable-sse-kms-desc
:end-before: end-kes-enable-sse-kms-desc
View Git Blame Copy Permalink