13 KiB
Server-Side Object Encryption with Azure Key Vault Root KMS
minio
Table of Contents
MinIO Server-Side Encryption (SSE) protects objects as part of write operations, allowing clients to take advantage of server processing power to secure objects at the storage layer (encryption-at-rest). SSE also provides key functionality to regulatory and compliance requirements around secure locking and erasure.
MinIO SSE uses Key Encryption Service (KES) <kes> and an
external root Key Management Service (KMS) for performing secured
cryptographic operations at scale. The root KMS provides stateful and
secured storage of External Keys (EK) while KES (Key Encryption Service)
is stateless and derives additional cryptographic keys from the
root-managed EK (External Key).
linux
This procedure provides guidance for deploying and configuring KES at
scale for a supporting SSE (Server-Side Encryption) on a production MinIO
deployment, with Azure
Key Vault as the external root KMS (Key Management System). You can also use this
procedure for deploying to local environments for testing and
evaluation.
As part of this procedure, you will:
- Deploy one or more
KES (Key Encryption Service)servers configured to use Azure Key Vault as the rootKMS (Key Management System). You may optionally deploy a load balancer for managing connections to those KES servers. - Create a new
EK (External Key)on Azure Key Vault for use withSSE (Server-Side Encryption). - Create or modify a MinIO deployment with support for
SSE (Server-Side Encryption)usingKES (Key Encryption Service). Defer to theDeploy Distributed MinIO <minio-mnmd>tutorial for guidance on production-ready MinIO deployments. - Configure automatic bucket-default
SSE-KMS <minio-encryption-sse-kms>
For production orchestrated environments, use the MinIO Kubernetes
Operator to deploy a tenant with SSE (Server-Side Encryption) enabled and configured
for use with Azure Key Vault.
macos or windows
This procedure assumes a single local host machine running the MinIO
and KES processes, with Azure
Key Vault as the external root KMS (Key Management System).. As part of this
procedure, you will:
- Deploy a
KES (Key Encryption Service)server configured to use Azure Key Vault as the rootKMS (Key Management System). - Create a new
EK (External Key)on Vault for use withSSE (Server-Side Encryption). - Deploy a MinIO server in
Single-Node Single-Drive mode <minio-snsd>configured to use theKES (Key Encryption Service)container for supportingSSE (Server-Side Encryption). - Configure automatic bucket-default
SSE-KMS <minio-encryption-sse-kms>.
For production orchestrated environments, use the MinIO Kubernetes
Operator to deploy a tenant with SSE (Server-Side Encryption) enabled and configured
for use with Azure Key Vault.
For production baremetal environments, see the MinIO on Linux documentation for tutorials on configuring MinIO with KES and Azure Key Vault.
container
This procedure assumes a single host machine running the MinIO and
KES containers, with Azure
Key Vault as the external root KMS (Key Management System).. As part of this
procedure, you will:
- Deploy a
KES (Key Encryption Service)container configured to use Azure Key Vault as the rootKMS (Key Management System). - Create a new
EK (External Key)on Vault for use withSSE (Server-Side Encryption). - Deploy a MinIO Server container in
Single-Node Single-Drive mode <minio-snsd>configured to use theKES (Key Encryption Service)container for supportingSSE (Server-Side Encryption). - Configure automatic bucket-default
SSE-KMS <minio-encryption-sse-kms>.
For production orchestrated environments, use the MinIO Kubernetes
Operator to deploy a tenant with SSE (Server-Side Encryption) enabled and configured
for use with Azure Key Vault.
For production baremetal environments, see the MinIO on Linux documentation for tutorials on configuring MinIO with KES and Azure Key Vault.
k8s
This procedure assumes you have access to a Kubernetes cluster with
an active MinIO Operator installation, with a cluster-accessible Azure
Key Vault service as the external root KMS (Key Management System).
As part of this procedure, you will:
- Use the MinIO Operator Console to create or manage a MinIO Tenant.
- Access the
Encryptionsettings for that tenant and configureSSE (Server-Side Encryption)using Azure Key Vault as the rootKMS (Key Management System). - Create a new
EK (External Key)on Vault for use withSSE (Server-Side Encryption). - Configure automatic bucket-default
SSE-KMS <minio-encryption-sse-kms>.
For production baremetal environments, see the MinIO on Linux documentation for tutorials on configuring MinIO with KES and Azure Key Vault.
Important
Prerequisites
k8s
MinIO Kubernetes Operator and Plugin
The procedures on this page requires a valid installation of the MinIO Kubernetes Operator and assumes the local host has a matching installation of the MinIO Kubernetes Operator. This procedure assumes the latest stable Operator and Plugin version |operator-version-stable|.
See deploy-operator-kubernetes for complete documentation
on deploying the MinIO Operator.
Azure Key Vault
This procedure assumes familiarity with Azure Key Vault. The Key Vault Quickstart provides a sufficient foundation for the purposes of this procedure.
MinIO specifically requires the following Azure settings or configurations:
Register an application for
KES (Key Encryption Service)(e.g.minio-kes). Note theApplication (client) ID,Directory (tenant) ID, andClient credentials. You may need to create the client credentials secret and copy theSecret Valuefor use in this procedure.Create an Access Policy for use by KES. The policy must have the following
Secret Permissions:GetListSetDeletePurge
Set the
Principalfor the new policy to the KES Application ID.
linux or macos or windows
Deploy or Ensure Access to a MinIO Deployment
container
Install Podman or a Similar Container Management Interface
k8s
container
linux
macos
windows
Configuration Reference for Azure Key Vault Root KMS
The following section describes each of the Key Encryption Service (KES) <kes>
configuration settings for using Azure Key Vault as the root Key
Management Service (KMS) for SSE (Server-Side Encryption):
Important
Starting with RELEASE.2023-02-17T17-52-43Z, MinIO requires
expanded KES permissions for functionality. The example configuration in
this section contains all required permissions.
YAML Overview
Fields with ${<STRING>} use the environment
variable matching the <STRING> value. You can use
this functionality to set credentials without writing them to the
configuration file.
The YAML assumes a minimal set of permissions for the MinIO
deployment accessing KES. As an alternative, you can omit the
policy.minio-server section and instead set the
${MINIO_IDENTITY} hash as the
${ROOT_IDENTITY}.
address: 0.0.0.0:7373
root: ${ROOT_IDENTITY}
tls:
key: kes-server.key
cert: kes-server.cert
policy:
minio-server:
allow:
- /v1/key/create/*
- /v1/key/generate/*
- /v1/key/decrypt/*
- /v1/key/bulk/decrypt
- /v1/key/list
- /v1/status
- /v1/metrics
- /v1/log/audit
- /v1/log/error
identities:
- ${MINIO_IDENTITY}
keys:
- name: "minio-encryption-key-alpha"
- name: "minio-encryption-key-baker"
- name: "minio-encryption-key-charlie"
keystore:
azure:
keyvault:
endpoint: "https://<keyvaultinstance>.vault.azure.net"
credentials:
tenant_id: "${TENANTID}" # The directory/tenant UUID
client_id: "${CLIENTID}" # The application/client UUID
client_secret: "${CLIENTSECRET}" # The Active Directory secret for the applicationReference
| Key | Description |
|---|---|
address |
|
root |
|
tls |
|
policy |
|
keys |
|
keystore.azure.keyvault |
The configuration for the Azure Key Vault
|