12 KiB
Server-Side Object Encryption with AWS Root KMS
minio
Table of Contents
MinIO Server-Side Encryption (SSE) protects objects as part of write operations, allowing clients to take advantage of server processing power to secure objects at the storage layer (encryption-at-rest). SSE also provides key functionality to regulatory and compliance requirements around secure locking and erasure.
MinIO SSE uses Key Encryption Service (KES) <kes> and an
external root Key Management Service (KMS) for performing secured
cryptographic operations at scale. The root KMS provides stateful and
secured storage of External Keys (EK) while KES (Key Encryption Service)
is stateless and derives additional cryptographic keys from the
root-managed EK (External Key).
This procedure does the following:
- Configure
KES (Key Encryption Service)to use AWS Secrets Manager as the rootKMS (Key Management System). - Configure MinIO to use the
KES (Key Encryption Service)instance for supportingSSE (Server-Side Encryption). - Configure automatic bucket-default
SSE-KMS <minio-encryption-sse-kms>andSSE-S3 <minio-encryption-sse-s3>.
Prerequisites
AWS Key Management Service
This procedure assumes familiarity with AWS Key Management Service and AWS Secrets Manager. The Getting Started with AWS Key Management Service provides a sufficient foundation for the purposes of this procedure.
MinIO specifically requires the following AWS settings or configurations:
A new AWS
Programmatic Access <IAM/latest/UserGuide/id_users_create.html>user with corresponding access key and secret key.A policy that grants the created user access to AWS Secrets Manager and AWS KMS. The following policy grants the minimum necessary permissions:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "minioSecretsManagerAccess", "Action": [ "secretsmanager:CreateSecret", "secretsmanager:DeleteSecret", "secretsmanager:GetSecretValue", "secretsmanager:ListSecrets" ], "Effect": "Allow", "Resource": "*" }, { "Sid": "minioKmsAccess", "Action": [ "kms:Decrypt", "kms:DescribeKey", "kms:Encrypt" ], "Effect": "Allow", "Resource": "*" } ] }AWS provides the
SecretsManagerReadWriteandAWSKeyManagementServicePowerUsercanned roles that meet and exceed the minimum required permissions.
Network Encryption (TLS)
Podman Container Manager
Enable MinIO Server-Side Encryption with AWS Root KMS
The following steps deploy Key Encryption Service (KES) <kes>
configured to use an existing AWS KMS and Secrets Manager deployment as
the root KMS for supporting SSE (Server-Side Encryption). These steps assume the
AWS components meet the prerequisites
<minio-sse-aws-prereq-aws>.
Prior to starting these steps, create the following folders:
mkdir -P ~/kes/certs ~/kes/config1) Download the MinIO Key Encryption Service
2) Generate the TLS Private and Public Key for KES
3) Generate the TLS Private and Public Key for MinIO
4) Create the KES Configuration File
KES (Key Encryption Service) uses a YAML-formatted
configuration file. The following example YAML specifies the minimum
required fields for enabling SSE (Server-Side Encryption) using AWS Secrets
Manager:
address: 0.0.0.0:7373
# Disable the root identity, as we do not need that level of access for
# supporting SSE operations.
root: disabled
# Specify the TLS keys generated in the previous step here
# For production environments, use keys signed by a known and trusted
# Certificate Authority (CA).
tls:
key: /data/certs/server.key
cert: /data/certs/server.cert
# Create a policy named 'minio' that grants access to the
# /create, /generate, and /decrypt KES APIs for any key name
# KES uses mTLS to grant access to this policy, where only the client
# whose TLS certificate hash matches one of the "identities" can
# use this policy. Specify the hash of the MinIO server TLS certificate
# hash here.
policy:
minio:
allow:
- /v1/key/create/*
- /v1/key/generate/*
- /v1/key/decrypt/*
identities:
- ${MINIO_IDENTITY_HASH} # Replace with the output of 'kes tool identity of minio-kes.cert'
# Specify the connection information for the KMS and Secrets Manager endpoint.
# The endpoint should be resolvable from the host.
# This example assumes that the associated AWS account has the necessary
# access key and secret key
keystore:
aws:
secretsmanager:
endpoint: secretsmanager.REGION.amazonaws.com # use the Secrets Manager endpoint for your region
region: REGION # e.g. us-east-1
kmskey: "" # Optional. The root AWS KMS key to use for cryptographic operations. Formerly described as the "Customer Master Key".
credentials:
accesskey: "${AWSACCESSKEY}" # AWS Access Key
secretkey: "${AWSSECRETKEY}" # AWS Secret KeySave the configuration file as
~/kes/config/kes-config.yaml. Any field with value
${VARIABLE} uses the environment variable with matching
name as the value. You can use this functionality to set credentials
without writing them to the configuration file.
- Set
MINIO_IDENTITY_HASHto the output ofkes tool identity of minio-kes.cert. - Replace the
REGIONwith the appropriate region for AWS Secrets Manager. The value must match for bothendpointandregion. - Set
AWSACCESSKEYandAWSSECRETKEYto the appropriateAWS Credentials <minio-sse-aws-prereq-aws>.
5) Start KES
6) Generate a Cryptographic Key
7) Configure MinIO to connect to KES
8) Enable Automatic Server-Side Encryption
SSE-KMS
The following command enables SSE-KMS on all objects written to the specified bucket:
mc mb ALIAS/encryptedbucket
mc encrypt set SSE-KMS encrypted-bucket-key ALIAS/encryptedbucketReplace ALIAS with the alias <mc alias> of the MinIO deployment
configured in the previous step.
Write a file to the bucket using mc cp or any S3-compatible SDK with a
PutObject function. You can then run mc stat on the file to confirm
the associated encryption metadata.
SSE-S3
The following command enables SSE-S3 on all objects written to the
specified bucket. MinIO uses the MINIO_KMS_KES_KEY_NAME key for performing SSE (Server-Side Encryption).
mc mb ALIAS/encryptedbucket
mc encrypt set SSE-S3 ALIAS/encryptedbucketReplace ALIAS with the alias <mc alias> of the MinIO deployment
configured in the previous step.
Write a file to the bucket using mc cp or any S3-compatible SDK with a
PutObject function. You can then run mc stat on the file to confirm
the associated encryption metadata.
Configuration Reference for AWS Root KMS
The following section describes each of the Key Encryption Service (KES) <kes>
configuration settings for using AWS Secrets Manager and AWS KMS as the
root Key Management Service (KMS) for SSE (Server-Side Encryption):
YAML Overview
The following YAML describes the minimum required fields for
configuring AWS Secrets Manager as an external KMS for supporting SSE (Server-Side Encryption).
Any field with value ${VARIABLE} uses the environment
variable with matching name as the value. You can use this functionality
to set credentials without writing them to the configuration file.
address: 0.0.0.0:7373
root: ${ROOT_IDENTITY}
tls:
key: kes-server.key
cert: kes-server.cert
policy:
minio-server:
allow:
- /v1/key/create/*
- /v1/key/generate/*
- /v1/key/decrypt/*
identities:
- ${MINIO_IDENTITY}
keys:
- name: "minio-encryption-key-alpha"
- name: "minio-encryption-key-baker"
- name: "minio-encryption-key-charlie"
keystore:
secretsmanager:
endpoint: secretsmanager.REGION.amazonaws
region: REGION
kmskey: ""
credentials:
accesskey: "${AWS_ACCESS_KEY}"
secretkey: "${AWS_SECRET_KEY}" Reference
| Key | Description |
|---|---|
address |
|
root |
|
tls |
|
policy |
|
keys |
|
keystore.secretsmanager |
The configuration for the AWS Secrets Manager and AWS KMS.
|