13 KiB
Server-Side Object Encryption with GCP Secret Manager Root KMS
minio
Table of Contents
MinIO Server-Side Encryption (SSE) protects objects as part of write operations, allowing clients to take advantage of server processing power to secure objects at the storage layer (encryption-at-rest). SSE also provides key functionality to regulatory and compliance requirements around secure locking and erasure.
MinIO SSE uses Key Encryption Service (KES) <kes> and an
external root Key Management Service (KMS) for performing secured
cryptographic operations at scale. The root KMS provides stateful and
secured storage of External Keys (EK) while KES (Key Encryption Service)
is stateless and derives additional cryptographic keys from the
root-managed EK (External Key).
linux
This procedure provides guidance for deploying and configuring KES at
scale for a supporting SSE (Server-Side Encryption) on a production MinIO
deployment. You can also use this procedure for deploying to local
environments for testing and evaluation.
As part of this procedure, you will:
- Deploy one or more
KES (Key Encryption Service)servers configured to use Google Cloud Platform Secret Manager as the rootKMS (Key Management System). You may optionally deploy a load balancer for managing connections to those KES servers. - Create a new
EK (External Key)on GCP Secret Manager for use withSSE (Server-Side Encryption). - Create or modify a MinIO deployment with support for
SSE (Server-Side Encryption)usingKES (Key Encryption Service). Defer to theDeploy Distributed MinIO <minio-mnmd>tutorial for guidance on production-ready MinIO deployments. - Configure automatic bucket-default
SSE-KMS <minio-encryption-sse-kms>
For production orchestrated environments, use the MinIO Kubernetes
Operator to deploy a tenant with SSE (Server-Side Encryption) enabled and configured
for use with GCP Secret Manager.
macos or windows
This procedure assumes a single local host machine running the MinIO and KES processes. As part of this procedure, you will:
- Deploy a
KES (Key Encryption Service)server configured to use GCP Secret Manager as the rootKMS (Key Management System). - Create a new
EK (External Key)on GCP Secret Manager for use withSSE (Server-Side Encryption). - Deploy a MinIO server in
Single-Node Single-Drive mode <minio-snsd>configured to use theKES (Key Encryption Service)container for supportingSSE (Server-Side Encryption). - Configure automatic bucket-default
SSE-KMS <minio-encryption-sse-kms>.
For production orchestrated environments, use the MinIO Kubernetes
Operator to deploy a tenant with SSE (Server-Side Encryption) enabled and configured
for use with GCP Secret Manager.
For production baremetal environments, see the MinIO on Linux documentation for tutorials on configuring MinIO with KES and GCP Secret Manager.
container
This procedure assumes a single host machine running the MinIO and KES containers. As part of this procedure, you will:
- Deploy a
KES (Key Encryption Service)container configured to use GCP Secret Manager as the rootKMS (Key Management System). - Create a new
EK (External Key)on Vault for use withSSE (Server-Side Encryption). - Deploy a MinIO Server container in
Single-Node Single-Drive mode <minio-snsd>configured to use theKES (Key Encryption Service)container for supportingSSE (Server-Side Encryption). - Configure automatic bucket-default
SSE-KMS <minio-encryption-sse-kms>.
For production orchestrated environments, use the MinIO Kubernetes
Operator to deploy a tenant with SSE (Server-Side Encryption) enabled and configured
for use with GCP Secret Manager.
For production baremetal environments, see the MinIO on Linux documentation for tutorials on configuring MinIO with KES and GCP Secret Manager.
k8s
This procedure assumes you have access to a Kubernetes cluster with an active MinIO Operator installation. As part of this procedure, you will:
- Use the MinIO Operator Console to create or manage a MinIO Tenant.
- Access the
Encryptionsettings for that tenant and configureSSE (Server-Side Encryption)using GCP Secret Manager. - Create a new
EK (External Key)on GCP Secret Manager for use withSSE (Server-Side Encryption). - Configure automatic bucket-default
SSE-KMS <minio-encryption-sse-kms>.
For production baremetal environments, see the MinIO on Linux documentation for tutorials on configuring MinIO with KES and GCP Secret Manager.
Important
Prerequisites
k8s
MinIO Kubernetes Operator and Plugin
The procedures on this page requires a valid installation of the MinIO Kubernetes Operator and assumes the local host has a matching installation of the MinIO Kubernetes Operator. This procedure assumes the latest stable Operator and Plugin version |operator-version-stable|.
See deploy-operator-kubernetes for complete documentation
on deploying the MinIO Operator.
GCP Secret Manager
This procedure assumes familiarity with GCP Secret Manager. The Secret Manager Quickstart provides a sufficient foundation for the purposes of this procedure.
k8s
This procedure assumes your Kubernetes cluster configuration allows for cluster-internal pods and services to resolve and connect to endpoints outside the cluster, such as the public internet.
MinIO specifically requires the following GCP settings or configurations:
Enable Secret Manager in the project.
Create a new GCP Service Account for supporting
KES (Key Encryption Service). Ensure the user has a role with at minimum the following permissions:secretmanager.secrets.create secretmanager.secrets.delete secretmanager.secrets.getThe
Secret manager Adminrole meets the minimum required permissions.GCP should return a set of credentials associated to the new access keys, including private keys. Copy these credentials to a safe and secure location for use with this procedure.
linux or macos or windows
Deploy or Ensure Access to a MinIO Deployment
container
Install Podman or a Similar Container Management Interface
container
linux
macos
k8s
windows
Configuration Reference for GCP Secret Manager Root KMS
The following section describes each of the Key Encryption Service (KES) <kes>
configuration settings for using GCP Secrets Manager as the root Key
Management Service (KMS) for SSE (Server-Side Encryption):
Important
Starting with RELEASE.2023-02-17T17-52-43Z, MinIO requires
expanded KES permissions for functionality. The example configuration in
this section contains all required permissions.
YAML Overview
Fields with ${<STRING>} use the environment
variable matching the <STRING> value. You can use
this functionality to set credentials without writing them to the
configuration file.
The YAML assumes a minimal set of permissions for the MinIO
deployment accessing KES. As an alternative, you can omit the
policy.minio-server section and instead set the
${MINIO_IDENTITY} hash as the
${ROOT_IDENTITY}.
address: 0.0.0.0:7373
root: ${ROOT_IDENTITY}
tls:
key: kes-server.key
cert: kes-server.cert
policy:
minio-server:
allow:
- /v1/key/create/*
- /v1/key/generate/*
- /v1/key/decrypt/*
- /v1/key/bulk/decrypt
- /v1/key/list
- /v1/status
- /v1/metrics
- /v1/log/audit
- /v1/log/error
identities:
- ${MINIO_IDENTITY}
keys:
- name: "minio-encryption-key-alpha"
- name: "minio-encryption-key-baker"
- name: "minio-encryption-key-charlie"
keystore:
gcp:
secretmanager:
project_id: "${GCPPROJECTID}"
credentials:
client_email: "${GCPCLIENTEMAIL}"
client_id: "${GCPCLIENTID}"
private_key_id: "${GCPPRIVATEKEYID}"
private_key: "${GCPPRIVATEKEY}"Reference
| Key | Description |
|---|---|
address |
|
root |
|
tls |
|
policy |
|
keys |
|
keystore.gcp.secretmanager |
The configuration for the GCP Secret Manager
|