This PR simplifies the management of KMS integrations by removing the detailed documentation and linking out to the KES docs site instead. There should be no mention of any specific KMS target. Each OS/platform should have references to the correct paths, OS, and the like. This completes work started on the KES docs side in https://github.com/minio/kes-docs/pull/48.

Staged:

- [Linux](http://192.241.195.202:9000/staging/ssekms/linux/operations/server-side-encryption/configure-minio-kes.html)
- [Windows](http://192.241.195.202:9000/staging/ssekms/windows/operations/server-side-encryption/configure-minio-kes.html)
- [Kubernetes](http://192.241.195.202:9000/staging/ssekms/k8s/operations/server-side-encryption/configure-minio-kes.html)
- [Containers](http://192.241.195.202:9000/staging/ssekms/container/operations/server-side-encryption/configure-minio-kes.html)
- [MacOS](http://192.241.195.202:9000/staging/ssekms/macos/operations/server-side-encryption/configure-minio-kes.html)
Server-Side Object Encryption with KES
linux

This procedure provides guidance for deploying MinIO configured to use KES and enable Server Side Encryption <minio-sse-data-encryption>. For instructions on running KES, see the KES docs <tutorials/getting-started/>.

As part of this procedure, you will:

- Create a new EK (External Key) for use with SSE (Server-Side Encryption).
- Create or modify a MinIO deployment with support for SSE (Server-Side Encryption) using KES (Key Encryption Service). Defer to the Deploy Distributed MinIO <minio-mnmd> tutorial for guidance on production-ready MinIO deployments.
- Configure automatic bucket-default SSE-KMS <minio-encryption-sse-kms>.
macos or windows

This procedure assumes a single local host machine running the MinIO and KES processes. For instructions on running KES, see the KES docs <tutorials/getting-started/>.

Note

For production orchestrated environments, use the MinIO Kubernetes Operator to deploy a tenant with SSE (Server-Side Encryption) enabled and configured for use with your KMS (Key Management System).

For production baremetal environments, see the MinIO on Linux documentation for tutorials on configuring MinIO with KES and your KMS (Key Management System).

As part of this procedure, you will:

- Create a new EK (External Key) for use with SSE (Server-Side Encryption).
- Deploy a MinIO server in Single-Node Single-Drive mode <minio-snsd> configured to use the KES (Key Encryption Service) container for supporting SSE (Server-Side Encryption).
- Configure automatic bucket-default SSE-KMS <minio-encryption-sse-kms>.
container

This procedure assumes that you use a single host machine to run both the MinIO and KES containers. For instructions on running KES, see the KES docs <tutorials/getting-started/>.

As part of this procedure, you will:

- Create a new EK (External Key) for use with SSE (Server-Side Encryption).
- Deploy a MinIO Server container in Single-Node Single-Drive mode <minio-snsd> configured to use the KES (Key Encryption Service) container for supporting SSE (Server-Side Encryption).
- Configure automatic bucket-default SSE-KMS <minio-encryption-sse-kms>.

For production orchestrated environments, use the MinIO Kubernetes Operator to deploy a tenant with SSE (Server-Side Encryption) enabled and configured for use with your KMS (Key Management System).

For production baremetal environments, see the MinIO on Linux documentation for tutorials on configuring MinIO with KES and your KMS (Key Management System).
k8s

This procedure assumes you have access to a Kubernetes cluster with an active MinIO Operator installation. For instructions on running KES, see the KES docs <tutorials/getting-started/>.

As part of this procedure, you will:

- Use the MinIO Operator Console to create or manage a MinIO Tenant.
- Access the Encryption settings for that tenant and configure SSE (Server-Side Encryption) using a supported Key Management System <#supported-kms-targets>.
- Create a new EK (External Key) for use with SSE (Server-Side Encryption).
- Configure automatic bucket-default SSE-KMS <minio-encryption-sse-kms>.

For production baremetal environments, see the MinIO on Linux documentation for tutorials on configuring MinIO with KES and your KMS (Key Management System).
Important
Prerequisites
k8s

MinIO Kubernetes Operator and Plugin

See deploy-operator-kubernetes for complete documentation on deploying the MinIO Operator.
Ensure KES Access to a Supported KMS Target
linux or macos or windows or container

This procedure assumes an existing KES installation connected to a supported KMS (Key Management System) installation, both accessible from the local host. Refer to the installation instructions for your supported KMS target <#supported-kms-targets> to deploy KES and connect it to a KMS solution.

KES Operations Require Unsealed Target

Some supported KMS (Key Management System) targets allow you to seal or unseal the vault instance. KES returns an error if the configured KMS (Key Management System) service is sealed.

If you restart or otherwise seal your vault instance, KES cannot perform any cryptographic operations against the vault. You must unseal the vault to ensure normal operations.

See the documentation for your chosen KMS (Key Management System) solution for more information on whether unsealing may be required.
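The prerequisites above are about the KES side of the connection. On the MinIO side, the usual failure mode on a bare-metal or container host is a half-configured KES client: a missing client certificate, a plaintext endpoint, or a private key that other local users can read. The following preflight script is an added example, not part of the MinIO documentation or the KES project. It checks MinIO's documented MINIO_KMS_KES_* environment variables before the server starts; every endpoint, path and key name it uses is a constructed sample value. It does not, and cannot, tell you whether the KMS behind KES is sealed; that check still has to be made against the KMS itself, as described above.

```shell
#!/bin/sh
# Added preflight example; it is not part of the MinIO docs or the KES project.
# It validates the MinIO-side KES client settings before starting the server,
# so a missing client certificate, a plaintext endpoint or a world-readable
# private key is caught here instead of surfacing later as a failed SSE request.
# The MINIO_KMS_KES_* names are MinIO's documented environment variables; every
# path, endpoint and key name used with this script is a constructed sample value.

# Returns 0 when all required settings are present and sane, 1 otherwise,
# printing one line per finding.
kes_preflight() {
    local rc=0 var val f perms

    # Every variable MinIO needs to reach KES must be set.
    for var in MINIO_KMS_KES_ENDPOINT MINIO_KMS_KES_KEY_FILE \
               MINIO_KMS_KES_CERT_FILE MINIO_KMS_KES_KEY_NAME; do
        eval "val=\${$var:-}"
        if [ -z "$val" ]; then
            echo "missing: $var is not set"
            rc=1
        fi
    done

    # KES only speaks TLS, so anything but an https:// endpoint is a misconfiguration.
    case "${MINIO_KMS_KES_ENDPOINT:-}" in
        https://*) ;;
        *) echo "bad: MINIO_KMS_KES_ENDPOINT must be an https:// URL"; rc=1 ;;
    esac

    # Client certificate and private key must exist and be readable by this user.
    for f in "${MINIO_KMS_KES_KEY_FILE:-}" "${MINIO_KMS_KES_CERT_FILE:-}"; do
        [ -n "$f" ] || continue
        if [ ! -r "$f" ]; then
            echo "missing: $f is not readable"
            rc=1
        fi
    done

    # The private key authenticates MinIO to KES; refuse one other users can read.
    # GNU stat prints the octal mode with -c %a, BSD/macOS stat with -f %Lp.
    f="${MINIO_KMS_KES_KEY_FILE:-}"
    if [ -n "$f" ] && [ -r "$f" ]; then
        perms=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
        case "$perms" in
            *[1-7]) echo "bad: $f is accessible to other users (mode $perms)"; rc=1 ;;
        esac
    fi

    return "$rc"
}

# Usage: export the MINIO_KMS_KES_* variables, then run
# `sh kes-preflight.sh --check && minio server ...` (file name is an assumption).
if [ "${1:-}" = "--check" ]; then
    kes_preflight
fi
```

The permission test looks only at the "others" bits of the key file's mode, so a key shared with a dedicated group (mode 640) passes while one readable by every local account (mode 644) does not; tighten that to suit your host's user model.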
k8s

Refer to the configuration instruction in the KES documentation <> for your chosen supported KMS (Key Management System):

- AWS Secrets Manager <integrations/aws-secrets-manager/>
- Azure KeyVault <integrations/azure-keyvault/>
- Entrust KeyControl <integrations/entrust-keycontrol/>
- Fortanix SDKMS <integrations/fortanix-sdkms/>
- Google Cloud Secret Manager <integrations/google-cloud-secret-manager/>
- Hashicorp Vault <integrations/hashicorp-vault-keystore/>
- Thales CipherTrust Manager (formerly Gemalto KeySecure) <integrations/thales-ciphertrust/>
linux or macos or windows
Deploy or Ensure Access to a MinIO Deployment
container
Install Podman or a Similar Container Management Interface