This PR simplifies the management of KMS integrations by removing the detailed documentation and linking out to the KES docs site instead. There should be no mention of any specific KMS target. Each OS/platform should have references to the correct paths, OS, and the like. This completes work started on the KES docs side in https://github.com/minio/kes-docs/pull/48.

Staged:

- [Linux](http://192.241.195.202:9000/staging/ssekms/linux/operations/server-side-encryption/configure-minio-kes.html)
- [Windows](http://192.241.195.202:9000/staging/ssekms/windows/operations/server-side-encryption/configure-minio-kes.html)
- [Kubernetes](http://192.241.195.202:9000/staging/ssekms/k8s/operations/server-side-encryption/configure-minio-kes.html)
- [Containers](http://192.241.195.202:9000/staging/ssekms/container/operations/server-side-encryption/configure-minio-kes.html)
- [MacOS](http://192.241.195.202:9000/staging/ssekms/macos/operations/server-side-encryption/configure-minio-kes.html)
For new MinIO deployments, run the following command on each MinIO host to start the service:
systemctl start minio
For existing MinIO deployments, run the following command on each MinIO host to restart the service:
systemctl reload minio
systemctl restart minio
KES requires TLS connectivity for all client connections, including those originating from MinIO. See minio-tls for more information on enabling TLS for the MinIO deployment.
Depending on your selected KMS target's configuration, you may also need to create a dedicated set of TLS certificates for KES to connect and authenticate to the KMS.
Defer to your organization's best practices around generating production-ready TLS certificates.
Place the certificates and their corresponding private keys in a directory that the KES service user can access and whose contents it can read. For example:
-rw-r--r-- 1 kes:kes |kescertpath|/kes-server.cert
-rw-r--r-- 1 kes:kes |kescertpath|/kes-server.key
# If the Vault certs are self-signed or use a non-global CA
# Include those CA certs as well
-rw-r--r-- 1 kes:kes |kescertpath|/vault-CA.cert
MinIO requires that the |EK| exist on the root KMS before performing |SSE| operations using that key. Use kes key create or mc admin kms key create to add a new |EK| for use with |SSE|.

The following command uses the kes key create command to add a new External Key (EK) stored on the root KMS server for use with encrypting the MinIO backend.
mc admin kms key create ALIAS KEYNAME