cb2aa233a0
This PR simplifies the management of KMS integrations by removing the detailed documentation and linking out to the KES docs site instead. There should be no mention of any specific KMS target. Each OS/platform should have references to the correct paths, OS, and the like. This completes work started on the KES docs side in https://github.com/minio/kes-docs/pull/48. Staged: - [Linux](http://192.241.195.202:9000/staging/ssekms/linux/operations/server-side-encryption/configure-minio-kes.html) - [Windows](http://192.241.195.202:9000/staging/ssekms/windows/operations/server-side-encryption/configure-minio-kes.html) - [Kubernetes](http://192.241.195.202:9000/staging/ssekms/k8s/operations/server-side-encryption/configure-minio-kes.html) - [Containers](http://192.241.195.202:9000/staging/ssekms/container/operations/server-side-encryption/configure-minio-kes.html) - [MacOS](http://192.241.195.202:9000/staging/ssekms/macos/operations/server-side-encryption/configure-minio-kes.html)
3.2 KiB
Procedure
This procedure provides instructions for configuring and enabling Server-Side Encryption using your selected supported KMS solution in production environments. Specifically, this procedure assumes the following:
- An existing production-grade KMS target
- One or more KES servers connected to the KMS target
- One or more hosts for a new or existing MinIO deployment
Prerequisite
Depending on your chosen supported KMS target <#supported-kms-targets>
configuration, you may need to pass the kes-server.cert as
a trusted Certificate Authority (CA). Defer to the client documentation
for instructions on trusting a third-party CA.
1) Generate a KES API Key for use by MinIO
Starting with KES version 2023-02-15T14-54-37Z <kes/releases/tag/2023-02-15T14-54-37Z>,
you can generate an API key to use for authenticating to the KES
server.
Use the kes identity new <cli/kes-identity/new>
command to generate a new API key for use by the MinIO Server:
kes identity newThe output includes both the API Key for use with MinIO and the
Identity hash for use with the KES Policy configuration <tutorials/configuration/#policy-configuration>.
2) Create the MinIO Configurations
Configure the MinIO Environment File
Create or modify the MinIO Server environment file for all hosts in the target deployment to include the following environment variables:
MinIO defaults to expecting this file at
/etc/default/minio. If you modified your deployment to use
a different location for the environment file, modify the file at that
location.
3) Start MinIO
KES Operations Requires Unsealed Vault
Depending on your selected KMS solution, you may need to unseal the key instance to allow normal cryptographic operations, including key creation or retrieval. KES requires an unsealed key target to perform its operations.
Refer to the documentation for your chosen KMS solution <#supported-kms-targets>
for information regarding whether sealing and unsealing the instance is
required for operations.
You must start KES before starting MinIO. The MinIO deployment requires access to KES as part of its startup.
This step uses systemd for starting and managing the
MinIO server processes:
Start the MinIO Server