mirror of https://github.com/minio/docs.git synced 2025-08-05 03:41:24 +03:00
docs/source/operations/server-side-encryption/configure-minio-kes-aws.rst
2023-04-04 09:36:35 -04:00
Server-Side Object Encryption with AWS Secrets Manager Root KMS


MinIO Server-Side Encryption (SSE) protects objects as part of write operations, allowing clients to take advantage of server processing power to secure objects at the storage layer (encryption-at-rest). SSE also provides key functionality to regulatory and compliance requirements around secure locking and erasure.

MinIO SSE uses Key Encryption Service (KES) <kes> and an external root Key Management Service (KMS) for performing secured cryptographic operations at scale. The root KMS provides stateful and secured storage of External Keys (EK) while KES (Key Encryption Service) is stateless and derives additional cryptographic keys from the root-managed EK (External Key).

linux

This procedure provides guidance for deploying and configuring KES at scale to support SSE (Server-Side Encryption) on a production MinIO deployment, with AWS Secrets Manager as the external root KMS (Key Management System). You can also use this procedure for deploying to local environments for testing and evaluation.

As part of this procedure, you will:

  1. Deploy one or more KES (Key Encryption Service) servers configured to use AWS Secrets Manager as the root KMS (Key Management System). You may optionally deploy a load balancer for managing connections to those KES servers.
  2. Create a new EK (External Key) on AWS Key Management Service for use with SSE (Server-Side Encryption).
  3. Create or modify a MinIO deployment with support for SSE (Server-Side Encryption) using KES (Key Encryption Service). Defer to the Deploy Distributed MinIO <minio-mnmd> tutorial for guidance on production-ready MinIO deployments.
  4. Configure automatic bucket-default SSE-KMS <minio-encryption-sse-kms>.

For production orchestrated environments, use the MinIO Kubernetes Operator to deploy a tenant with SSE (Server-Side Encryption) enabled and configured for use with AWS Key Management Service.

macos or windows

This procedure assumes a single local host machine running the MinIO and KES processes, with AWS Secrets Manager as the external root KMS (Key Management System). As part of this procedure, you will:

  1. Deploy a KES (Key Encryption Service) server configured to use AWS Secrets Manager as the root KMS (Key Management System).
  2. Create a new EK (External Key) on AWS Key Management Service for use with SSE (Server-Side Encryption).
  3. Deploy a MinIO server in Single-Node Single-Drive mode <minio-snsd> configured to use the KES (Key Encryption Service) container for supporting SSE (Server-Side Encryption).
  4. Configure automatic bucket-default SSE-KMS <minio-encryption-sse-kms>.

For production orchestrated environments, use the MinIO Kubernetes Operator to deploy a tenant with SSE (Server-Side Encryption) enabled and configured for use with AWS Key Management Service.

For production baremetal environments, see the MinIO on Linux documentation for tutorials on configuring MinIO with KES and AWS Key Management Service.

container

This procedure assumes a single host machine running the MinIO and KES containers, with AWS Secrets Manager as the external root KMS (Key Management System). As part of this procedure, you will:

  1. Deploy a KES (Key Encryption Service) container configured to use AWS Secrets Manager as the root KMS (Key Management System).
  2. Create a new EK (External Key) on AWS Key Management Service for use with SSE (Server-Side Encryption).
  3. Deploy a MinIO Server container in Single-Node Single-Drive mode <minio-snsd> configured to use the KES (Key Encryption Service) container for supporting SSE (Server-Side Encryption).
  4. Configure automatic bucket-default SSE-KMS <minio-encryption-sse-kms>.

For production orchestrated environments, use the MinIO Kubernetes Operator to deploy a tenant with SSE (Server-Side Encryption) enabled and configured for use with AWS Key Management Service.

For production baremetal environments, see the MinIO on Linux documentation for tutorials on configuring MinIO with KES and AWS Key Management Service.

k8s

This procedure assumes you have access to a Kubernetes cluster with an active MinIO Operator installation, with a cluster-accessible AWS Secrets Manager service as the external root KMS (Key Management System). As part of this procedure, you will:

  1. Use the MinIO Operator Console to create or manage a MinIO Tenant.
  2. Access the Encryption settings for that tenant and configure SSE (Server-Side Encryption) using AWS Secrets Manager as the root KMS (Key Management System).
  3. Create a new EK (External Key) on AWS Key Management Service for use with SSE (Server-Side Encryption).
  4. Configure automatic bucket-default SSE-KMS <minio-encryption-sse-kms>.

For production baremetal environments, see the MinIO on Linux documentation for tutorials on configuring MinIO with KES and AWS Key Management Service.

Important

Prerequisites

k8s

MinIO Kubernetes Operator and Plugin

The procedures on this page require a valid installation of the MinIO Kubernetes Operator and assume the local host has a matching installation of the MinIO Kubernetes Plugin. This procedure assumes the latest stable Operator and Plugin version |operator-version-stable|.

See deploy-operator-kubernetes for complete documentation on deploying the MinIO Operator.

Ensure Access to the AWS Secrets Manager and Key Management Service

This procedure assumes access to and familiarity with AWS Secrets Manager and AWS Key Management Service.

k8s

This procedure assumes your Kubernetes cluster configuration allows for cluster-internal pods and services to resolve and connect to endpoints outside of the cluster, such as the public internet.

MinIO specifically requires the following AWS settings or configurations:

  • A new AWS Programmatic Access <IAM/latest/UserGuide/id_users_create.html> user with corresponding access key and secret key.

  • A policy that grants the created user access to AWS Secrets Manager and AWS Key Management Service. The following policy grants the minimum necessary permissions:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "minioSecretsManagerAccess",
          "Action": [
            "secretsmanager:CreateSecret",
            "secretsmanager:DeleteSecret",
            "secretsmanager:GetSecretValue",
            "secretsmanager:ListSecrets"
          ],
          "Effect": "Allow",
          "Resource": "*"
        },
        {
          "Sid": "minioKmsAccess",
          "Action": [
            "kms:Decrypt",
            "kms:DescribeKey",
            "kms:Encrypt"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ]
    }

    AWS provides the SecretsManagerReadWrite and AWSKeyManagementServicePowerUser managed policies, which meet and exceed the minimum required permissions. For production, prefer the policy above and replace "Resource": "*" with the ARN of the KMS key and the ARNs of the secrets KES creates; secretsmanager:ListSecrets does not support resource-level permissions and must keep "*".
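The following is an added example, not part of the MinIO documentation or the KES project: a small audit that checks an IAM policy against the minimum actions listed above, flags Allow statements that use "Resource": "*", and rewrites the page's policy so the KMS actions are bound to a single key ARN and the Secrets Manager actions to the secrets KES stores. The ARNs are constructed placeholders, and the secret name pattern assumes KES names each secret after the KES key (verify the names in the Secrets Manager console for your deployment).

```python
"""Least-privilege audit for the IAM policy attached to the KES access key.

Added example, not MinIO or KES code. ARNs below are constructed
placeholders; the secret name pattern is an assumption about how KES
names the secrets it creates.
"""
import copy
import json

# Minimum actions from the policy on this page.
REQUIRED_ACTIONS = {
    "secretsmanager:CreateSecret",
    "secretsmanager:DeleteSecret",
    "secretsmanager:GetSecretValue",
    "secretsmanager:ListSecrets",
    "kms:Decrypt",
    "kms:DescribeKey",
    "kms:Encrypt",
}

# Actions that have no resource-level permissions in IAM and must keep "*".
ACCOUNT_LEVEL_ACTIONS = {"secretsmanager:ListSecrets"}

# The policy from this page, transcribed as a Python dict.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "minioSecretsManagerAccess",
            "Action": [
                "secretsmanager:CreateSecret",
                "secretsmanager:DeleteSecret",
                "secretsmanager:GetSecretValue",
                "secretsmanager:ListSecrets",
            ],
            "Effect": "Allow",
            "Resource": "*",
        },
        {
            "Sid": "minioKmsAccess",
            "Action": ["kms:Decrypt", "kms:DescribeKey", "kms:Encrypt"],
            "Effect": "Allow",
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    """IAM accepts either a string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def allowed_actions(policy):
    """Actions granted by Allow statements (Deny and NotAction are out of scope)."""
    actions = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            actions.update(_as_list(stmt.get("Action", [])))
    return actions


def audit(policy):
    """Return (missing required actions, Sids of Allow statements that use "*"
    as Resource for actions that could have been scoped)."""
    missing = sorted(REQUIRED_ACTIONS - allowed_actions(policy))
    wildcard = sorted(
        stmt.get("Sid", "<no Sid>")
        for stmt in policy["Statement"]
        if stmt.get("Effect") == "Allow"
        and "*" in _as_list(stmt.get("Resource", []))
        and not set(_as_list(stmt.get("Action", []))) <= ACCOUNT_LEVEL_ACTIONS
    )
    return missing, wildcard


def scope_policy(policy, kms_key_arn, secret_arn_pattern):
    """Rewrite Allow statements so each action is bound to the narrowest resource."""
    scoped = {"Version": policy["Version"], "Statement": []}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            scoped["Statement"].append(copy.deepcopy(stmt))
            continue
        sid = stmt.get("Sid", "Stmt")
        buckets = {}  # resource -> actions bound to it
        for action in _as_list(stmt.get("Action", [])):
            if action in ACCOUNT_LEVEL_ACTIONS:
                resource = "*"
            elif action.startswith("secretsmanager:"):
                resource = secret_arn_pattern
            elif action.startswith("kms:"):
                resource = kms_key_arn
            else:
                raise ValueError(f"unexpected action for a KES policy: {action}")
            buckets.setdefault(resource, []).append(action)
        for resource, actions in buckets.items():
            scoped["Statement"].append({
                "Sid": sid + ("List" if resource == "*" else "Scoped"),
                "Action": actions,
                "Effect": "Allow",
                "Resource": resource,
            })
    return scoped


if __name__ == "__main__":
    print("audit of page policy:", audit(PAGE_POLICY))
    tightened = scope_policy(
        PAGE_POLICY,
        "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555",
        "arn:aws:secretsmanager:us-east-1:123456789012:secret:minio-encryption-key-*",
    )
    print(json.dumps(tightened, indent=2))
```

Running the audit on the page's policy reports no missing actions but flags both statements for the wildcard resource; the scoped rewrite keeps only the ListSecrets statement on "*", which is the one IAM requires there.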

linux or macos or windows

Deploy or Ensure Access to a MinIO Deployment

container

Install Podman or a Similar Container Management Interface


Configuration Reference for AWS Root KMS

The following section describes each of the Key Encryption Service (KES) <kes> configuration settings for using AWS Secrets Manager and AWS Key Management Service as the root KMS (Key Management System) for SSE (Server-Side Encryption):

Important

Starting with RELEASE.2023-02-17T17-52-43Z, MinIO requires expanded KES permissions for functionality. The example configuration in this section contains all required permissions.

YAML Overview

Fields with ${<STRING>} use the environment variable matching the <STRING> value. You can use this functionality to set credentials without writing them to the configuration file.

The YAML assumes a minimal set of permissions for the MinIO deployment accessing KES. As an alternative, you can omit the policy.minio-server section and instead set the ${MINIO_IDENTITY} hash as the ${ROOT_IDENTITY}. The root identity bypasses all KES policies, including key deletion, so reserve that shortcut for testing.

address: 0.0.0.0:7373
root: ${ROOT_IDENTITY}

tls:
  key: kes-server.key
  cert: kes-server.cert

policy:
  minio-server:
    allow:
    - /v1/key/create/*
    - /v1/key/generate/*
    - /v1/key/decrypt/*
    - /v1/key/bulk/decrypt
    - /v1/key/list
    - /v1/status
    - /v1/metrics
    - /v1/log/audit
    - /v1/log/error
    identities:
    - ${MINIO_IDENTITY}

keys:
  - name: "minio-encryption-key-alpha"
  - name: "minio-encryption-key-baker"
  - name: "minio-encryption-key-charlie"

keystore:
  aws:
    secretsmanager:
      endpoint: secretsmanager.REGION.amazonaws.com
      region: REGION
      kmskey: ""
      credentials:
        accesskey: "${AWS_ACCESS_KEY}"
        secretkey: "${AWS_SECRET_KEY}"
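The following is an added example, not KES code, that models how KES decides whether a client may call an API path under the policy section of the YAML above. It expands ${NAME} placeholders the way the configuration file does, maps each identity to its policy, evaluates a request path against the policy's allow and deny patterns, and lets the root identity bypass policies. Assumptions: patterns match like Go's path.Match, so "*" does not cross a "/"; deny entries, a KES policy feature the YAML above does not use, take precedence over allow; the identities are placeholder hex strings standing in for the certificate hashes KES computes.

```python
"""Model of the KES policy decision for the policy section of the YAML above.

Added example, not KES code. Simplified semantics (see assumptions in the
lead-in); identities are constructed placeholders.
"""
import os
import re

# The policy section of the YAML above, transcribed as a Python dict.
CONFIG = {
    "root": "${ROOT_IDENTITY}",
    "policy": {
        "minio-server": {
            "allow": [
                "/v1/key/create/*",
                "/v1/key/generate/*",
                "/v1/key/decrypt/*",
                "/v1/key/bulk/decrypt",
                "/v1/key/list",
                "/v1/status",
                "/v1/metrics",
                "/v1/log/audit",
                "/v1/log/error",
            ],
            "identities": ["${MINIO_IDENTITY}"],
        }
    },
}

# Constructed placeholder identities (64 hex characters, like a SHA-256 hash).
SAMPLE_ENV = {"ROOT_IDENTITY": "ab" * 32, "MINIO_IDENTITY": "cd" * 32}

_PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


def expand_env(value, env):
    """Replace ${NAME} with env[NAME]. An unset variable is an error rather
    than an empty string, so a missing identity can never match by accident."""
    def substitute(match):
        name = match.group(1)
        if name not in env:
            raise KeyError(f"environment variable {name} is not set")
        return env[name]
    return _PLACEHOLDER.sub(substitute, value)


def _pattern_to_regex(pattern):
    """Translate a KES path pattern into a regex where "*" matches any run
    of characters except "/" (assumed path.Match-like behaviour)."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + "[^/]*".join(parts) + "$")


class KesAuthz:
    def __init__(self, config, env=os.environ):
        self.root = expand_env(config["root"], env)
        self.policies = {}
        self.identity_to_policy = {}
        for name, policy in config["policy"].items():
            allow = [_pattern_to_regex(p) for p in policy.get("allow", [])]
            deny = [_pattern_to_regex(p) for p in policy.get("deny", [])]
            self.policies[name] = (allow, deny)
            for identity in policy.get("identities", []):
                self.identity_to_policy[expand_env(identity, env)] = name

    def is_allowed(self, identity, path):
        """Decide a request from `identity` for API `path`."""
        if identity == self.root:
            return True  # root bypasses policies; why MinIO should not be root
        name = self.identity_to_policy.get(identity)
        if name is None:
            return False  # unknown identity: no policy, no access
        allow, deny = self.policies[name]
        if any(rx.match(path) for rx in deny):
            return False
        return any(rx.match(path) for rx in allow)


def build(env=SAMPLE_ENV):
    return KesAuthz(CONFIG, env)


if __name__ == "__main__":
    authz = build()
    minio, root = SAMPLE_ENV["MINIO_IDENTITY"], SAMPLE_ENV["ROOT_IDENTITY"]
    for ident, path in [
        (minio, "/v1/key/generate/minio-encryption-key-alpha"),
        (minio, "/v1/key/delete/minio-encryption-key-alpha"),
        (root, "/v1/key/delete/minio-encryption-key-alpha"),
    ]:
        verdict = "allow" if authz.is_allowed(ident, path) else "deny"
        print(ident[:8], path, "->", verdict)
```

The MinIO identity can generate and decrypt keys but cannot call /v1/key/delete, while the root identity can; this is the practical difference between the scoped policy and the ${MINIO_IDENTITY}-as-root shortcut.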

Reference

Key Description

address - The network address and port on which the KES server listens, for example 0.0.0.0:7373.

root - The identity that has unrestricted access to every KES API, bypassing all policies. The example takes it from the ${ROOT_IDENTITY} environment variable. Keep this identity separate from the one MinIO uses in production so that a compromised MinIO host cannot delete keys.

tls - The private key and certificate the KES server presents to clients. MinIO must trust this certificate or the CA that issued it.

policy - Named policies, each listing the API paths it allows and the identities it applies to. The minio-server policy grants MinIO only the key creation, generation, decryption, listing, status, metrics and log operations it needs, and does not grant key deletion.

keys - Keys KES creates on the root KMS at startup if they do not already exist. MinIO uses one of these names as its default encryption key.

keystore.aws.secretsmanager - The configuration for the AWS Secrets Manager and AWS KMS.
  • endpoint - The endpoint for the Secrets Manager service, including the region, for example secretsmanager.us-east-1.amazonaws.com.

  • region - The AWS region to use for other AWS services.

  • kmskey - The root KMS key to use for cryptographic operations, formerly known as the Customer Master Key. If left empty, Secrets Manager encrypts the stored keys with the account's AWS managed key aws/secretsmanager.

  • credentials - The AWS credentials to use for performing authenticated operations against Secrets Manager and KMS.

    The specified credentials must have the appropriate permissions <minio-sse-aws-prereq-aws>.