mirror of
https://github.com/minio/docs.git
synced 2025-08-08 01:43:18 +03:00
This PR simplifies the management of KMS integrations by removing the detailed documentation and linking out to the KES docs site instead. There should be no mention of any specific KMS target. Each OS/platform should have references to the correct paths, OS, and the like. This completes work started on the KES docs side in https://github.com/minio/kes-docs/pull/48.

Staged:

- [Linux](http://192.241.195.202:9000/staging/ssekms/linux/operations/server-side-encryption/configure-minio-kes.html)
- [Windows](http://192.241.195.202:9000/staging/ssekms/windows/operations/server-side-encryption/configure-minio-kes.html)
- [Kubernetes](http://192.241.195.202:9000/staging/ssekms/k8s/operations/server-side-encryption/configure-minio-kes.html)
- [Containers](http://192.241.195.202:9000/staging/ssekms/container/operations/server-side-encryption/configure-minio-kes.html)
- [MacOS](http://192.241.195.202:9000/staging/ssekms/macos/operations/server-side-encryption/configure-minio-kes.html)
58 lines
1.9 KiB
ReStructuredText
.. start-kes-minio-start-service-desc

For new MinIO deployments, run the following command on each MinIO host to start the service:

.. code-block:: shell
   :class: copyable

   systemctl start minio

For existing MinIO deployments, run the following command on each MinIO host to restart the service:

.. code-block:: shell
   :class: copyable

   systemctl reload minio
   systemctl restart minio

.. end-kes-minio-start-service-desc

.. start-kes-generate-kes-certs-prod-desc

KES requires TLS connectivity for all client connections, including those originating from MinIO.
See :ref:`minio-tls` for more information on enabling TLS for the MinIO deployment.

Depending on your selected KMS target's configuration, you may also need to create a dedicated set of TLS certificates for KES to connect and authenticate to the KMS.

Defer to your organization's best practices around generating production-ready TLS certificates.

Place the certificates and corresponding private keys in a directory that the KES service user has permission to access and read.
For example:

.. code-block:: shell
   :substitutions:

   -rw-r--r-- 1 kes:kes |kescertpath|/kes-server.cert
   -rw-r--r-- 1 kes:kes |kescertpath|/kes-server.key

   # If the Vault certs are self-signed or use a non-global CA
   # Include those CA certs as well

   -rw-r--r-- 1 kes:kes |kescertpath|/vault-CA.cert

.. end-kes-generate-kes-certs-prod-desc
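The directory requirement above is easy to get subtly wrong: the KES service user must be able to read the files, but a private key with the listing's ``-rw-r--r--`` mode is also readable by every other account on the host. The following is an added example, not part of the MinIO or KES documentation; it assumes the service user is named ``kes`` (overridable as the second argument) and the ``kes-server.cert`` / ``kes-server.key`` naming shown on the page.

```shell
#!/bin/sh
# Added example, not part of the MinIO docs: audit the KES certificate directory
# described above. Assumes the KES service user is "kes" (override with $2) and
# that files follow the page's kes-server.cert / kes-server.key naming.
# Exit status 0 means every cert/key is owned by the service user and no
# private key is readable by group or others.

check_kes_cert_dir() {
    dir="$1"
    user="${2:-kes}"
    status=0
    for f in "$dir"/*.cert "$dir"/*.key; do
        [ -e "$f" ] || continue
        # Owner and octal mode; GNU stat first, BSD/macOS stat as fallback.
        owner=$(stat -c '%U' "$f" 2>/dev/null || stat -f '%Su' "$f")
        mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
        if [ "$owner" != "$user" ]; then
            echo "WARN: $f is owned by $owner, expected $user"
            status=1
        fi
        case "$f" in
            *.key)
                # A private key should be readable by its owner only.
                case "$mode" in
                    600|400) ;;
                    *) echo "WARN: $f has mode $mode; private key is readable by others"
                       status=1 ;;
                esac
                ;;
        esac
    done
    return "$status"
}

# Demo on constructed files in a temp directory owned by the current user.
demo_dir=$(mktemp -d)
printf 'constructed cert\n' > "$demo_dir/kes-server.cert"
printf 'constructed key\n' > "$demo_dir/kes-server.key"
chmod 644 "$demo_dir/kes-server.cert" "$demo_dir/kes-server.key"   # modes from the page's listing
check_kes_cert_dir "$demo_dir" "$(id -un)" && echo "OK" || echo "fix permissions"
chmod 600 "$demo_dir/kes-server.key"
check_kes_cert_dir "$demo_dir" "$(id -un)" && echo "OK" || echo "fix permissions"
rm -rf "$demo_dir"
```

On a real host, run it as ``check_kes_cert_dir /path/to/certs kes`` after placing the files and before starting KES.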

.. start-kes-generate-key-desc

MinIO requires that the |EK| exist on the root KMS *before* performing |SSE| operations using that key.
Use ``kes key create`` *or* :mc-cmd:`mc admin kms key create` to add a new |EK| for use with |SSE|.

The following command uses :mc-cmd:`mc admin kms key create` to add a new External Key (EK) stored on the root KMS server for use with encrypting the MinIO backend.

.. code-block:: shell
   :class: copyable

   mc admin kms key create ALIAS KEYNAME

.. end-kes-generate-key-desc