Closes #1191

# Summary

Finally getting around to this mc release

- Added docs for enc-c, enc-s3, enc-kms
- Some docs are making assumptions around behavior that needs to be fixed _first_
- Drive-by linker fixes

Staged: http://192.241.195.202:9000/staging/DOCS-1191/linux/index.html

---------

Co-authored-by: Andrea Longo <feorlen@users.noreply.github.com>
Co-authored-by: Daryl White <53910321+djwfyi@users.noreply.github.com>
MinIO generates a Data Encryption Key (DEK) using the external key (EK). Specifically, MinIO Key Encryption Service (KES) requests a new cryptographic key from the KMS using the EK as the "root" key. KES returns both the plain-text and an EK-encrypted representation of the DEK. MinIO stores the encrypted representation as part of the object metadata.

MinIO uses a deterministic algorithm to generate a 256-bit unique Key Encryption Key (KEK). The key-derivation algorithm uses a pseudo-random function that takes the plain-text DEK, a randomly generated initialization vector, and a context consisting of values such as the bucket and object name. MinIO generates the KEK at the time of each encryption or decryption operation and never stores the KEK on a drive.

MinIO generates a random 256-bit unique Object Encryption Key (OEK) and uses that key to encrypt the object. MinIO never stores the plaintext representation of the OEK on a drive; the plaintext OEK resides only in RAM during cryptographic operations.
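The key hierarchy described above (root EK held by the KMS, EK-sealed DEK stored in metadata, KEK derived on the fly from the DEK plus IV plus bucket/object context, per-object OEK sealed under the KEK) can be modelled end to end. The following is an added, self-contained example written for this page; it is not MinIO or KES code and does not use MinIO's actual ciphers. It assumes HKDF-SHA256 as the pseudo-random function, a JSON encoding of the context, and a stand-in HMAC-based authenticated encryption routine in place of AES-GCM so that it runs with the Python standard library alone. `ToyKMS`, `derive_kek`, `encrypt_object`, `decrypt_object` and `try_decrypt` are names chosen here, not MinIO API names. The point it demonstrates is the one the text makes: the KEK never needs to be stored because it is recomputable, and binding the bucket and object name into its derivation means a sealed OEK copied to a different object name cannot be opened.

```python
import base64
import hashlib
import hmac
import json
import os

# HKDF-SHA256 (RFC 5869), used as the pseudo-random function for all derivations here.
def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

# Stand-in AEAD (assumption for this example): HMAC-SHA256 keystream in counter mode with an
# encrypt-then-MAC tag. It replaces AES-GCM, which the standard library lacks; MinIO does not use it.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, nonce: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    enc_key, mac_key = hkdf(key, b"", b"enc"), hkdf(key, b"", b"mac")
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return ct + hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()

def open_sealed(key: bytes, nonce: bytes, sealed: bytes, aad: bytes = b"") -> bytes:
    enc_key, mac_key = hkdf(key, b"", b"enc"), hkdf(key, b"", b"mac")
    ct, tag = sealed[:-32], sealed[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

class ToyKMS:
    """Stand-in for KES plus the external KMS: holds the root EK and never hands it out."""
    def __init__(self) -> None:
        self._root_keys: dict[str, bytes] = {}

    def create_key(self, name: str) -> None:
        self._root_keys[name] = os.urandom(32)

    def generate_dek(self, name: str) -> tuple[bytes, bytes]:
        """Return (plaintext DEK, EK-sealed DEK); only the sealed form is ever persisted."""
        dek, nonce = os.urandom(32), os.urandom(12)
        return dek, nonce + seal(self._root_keys[name], nonce, dek, aad=name.encode())

    def decrypt_dek(self, name: str, sealed_dek: bytes) -> bytes:
        return open_sealed(self._root_keys[name], sealed_dek[:12], sealed_dek[12:], aad=name.encode())

def derive_kek(dek: bytes, iv: bytes, bucket: str, obj: str) -> bytes:
    """Deterministic KEK from plaintext DEK, random IV and bucket/object context; recomputed
    on every operation, never stored."""
    context = json.dumps({"bucket": bucket, "object": obj}, sort_keys=True).encode()
    return hkdf(dek, iv, b"kek:" + context)

def encrypt_object(kms: ToyKMS, key_name: str, bucket: str, obj: str, data: bytes):
    dek, sealed_dek = kms.generate_dek(key_name)
    iv = os.urandom(32)
    kek = derive_kek(dek, iv, bucket, obj)
    oek, oek_nonce, obj_nonce = os.urandom(32), os.urandom(12), os.urandom(12)  # OEK lives only in RAM
    ciphertext = obj_nonce + seal(oek, obj_nonce, data)
    metadata = {  # everything that lands on disk next to the ciphertext; no plaintext key among it
        "kms-key-id": key_name,
        "sealed-dek": base64.b64encode(sealed_dek).decode(),
        "kek-iv": base64.b64encode(iv).decode(),
        "sealed-oek": base64.b64encode(oek_nonce + seal(kek, oek_nonce, oek)).decode(),
    }
    return ciphertext, metadata

def decrypt_object(kms: ToyKMS, bucket: str, obj: str, ciphertext: bytes, metadata: dict) -> bytes:
    dek = kms.decrypt_dek(metadata["kms-key-id"], base64.b64decode(metadata["sealed-dek"]))
    kek = derive_kek(dek, base64.b64decode(metadata["kek-iv"]), bucket, obj)
    sealed_oek = base64.b64decode(metadata["sealed-oek"])
    oek = open_sealed(kek, sealed_oek[:12], sealed_oek[12:])
    return open_sealed(oek, ciphertext[:12], ciphertext[12:])

def try_decrypt(kms: ToyKMS, bucket: str, obj: str, ciphertext: bytes, metadata: dict):
    """None instead of an exception, to make the context-binding failure mode easy to observe."""
    try:
        return decrypt_object(kms, bucket, obj, ciphertext, metadata)
    except ValueError:
        return None

if __name__ == "__main__":
    kms = ToyKMS()
    kms.create_key("mybucketencryptionkey")
    ct, md = encrypt_object(kms, "mybucketencryptionkey", "mybucket", "prefix/object.obj", b"hello")
    print(md)
    print(decrypt_object(kms, "mybucket", "prefix/object.obj", ct, md))
    print(try_decrypt(kms, "mybucket", "prefix/renamed.obj", ct, md))  # None: KEK bound to object name
```

Running the script prints the stored metadata (only sealed keys and an IV), the recovered plaintext, and `None` for the attempt under a different object name, which fails at the OEK unseal step because the derived KEK no longer matches.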
--enc-kms

Encrypt or decrypt objects using server-side SSE-KMS encryption with client-managed keys.

The parameter accepts a key-value pair formatted as KEY=VALUE:

KEY
    The full path to the object. You can specify only the top-level path to use a single encryption key for all operations in that path.

VALUE
    Specify an existing data key on the external KMS. See the

For example:

--enc-kms "myminio/mybucket/prefix/object.obj=mybucketencryptionkey"

You can specify multiple encryption keys by repeating the parameter.

Specify the path to a prefix to apply encryption to all matching objects at that path:

--enc-kms "myminio/mybucket/prefix/=mybucketencryptionkey"
--enc-s3

Encrypt or decrypt objects using server-side SSE-S3 encryption with KMS-managed keys. Specify the full path to the object as alias/bucket/prefix/object.

For example:

--enc-s3 "myminio/mybucket/prefix/object.obj"

You can specify the parameter multiple times to denote different object(s) to encrypt:

--enc-s3 "myminio/mybucket/foo/fooobject.obj" --enc-s3 "myminio/mybucket/bar/barobject.obj"

Specify the path to a prefix to apply encryption to all matching objects at that path:

--enc-s3 "myminio/mybucket/foo"
--enc-c

Encrypt or decrypt objects using server-side SSE-C encryption with client-managed keys.

The parameter accepts a key-value pair formatted as KEY=VALUE:

KEY
    The full path to the object as alias/bucket/path/object. You can specify only the top-level path to use a single encryption key for all operations in that path.

VALUE
    Specify either a 32-byte RawBase64-encoded key or a 64-byte hex-encoded key for use with SSE-C encryption. Raw Base64 encoding rejects

For example:

# RawBase64-Encoded string "mybucket32byteencryptionkeyssec"
--enc-c "myminio/mybucket/prefix/object.obj=bXlidWNrZXQzMmJ5dGVlbmNyeXB0aW9ua2V5c3NlYwo"

You can specify multiple encryption keys by repeating the parameter.

Specify the path to a prefix to apply encryption to all matching objects at that path:

--enc-c "myminio/mybucket/prefix/=bXlidWNrZXQzMmJ5dGVlbmNyeXB0aW9ua2V5c3NlYwo"
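The KEY=VALUE conventions shared by --enc-kms and --enc-c (a path that is either one object or a prefix covering everything beneath it, and for --enc-c a value that must decode to exactly 32 bytes from raw base64 or hex) are easy to get wrong on a command line, and mc only reports the mistake once it runs. The following is an added example written for this page, not part of mc or its documentation. It validates SSE-C key strings before they are passed to mc, re-encodes raw bytes in the unpadded base64 form the examples above use, and resolves which configured KEY applies to a given object path. The prefix-matching rule (an entry without a trailing slash still covers the objects beneath it, and the longest matching entry wins) is an assumption made here for illustration, not a statement of how mc resolves overlapping entries; the function names are likewise this example's own.

```python
import base64
import binascii
import re
from typing import Optional

def parse_ssec_key(value: str) -> bytes:
    """Accept a 64-character hex key or a raw (unpadded) base64 key; return the 32 raw bytes."""
    if re.fullmatch(r"[0-9a-fA-F]{64}", value):
        return bytes.fromhex(value)
    if "=" in value:
        raise ValueError("raw base64 keys carry no '=' padding")
    try:
        # Re-add padding only for decoding; validate=True rejects characters outside the alphabet.
        raw = base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not raw base64 or hex: {exc}") from None
    if len(raw) != 32:
        raise ValueError(f"key decodes to {len(raw)} bytes, expected 32")
    return raw

def is_valid_ssec_key(value: str) -> bool:
    try:
        parse_ssec_key(value)
        return True
    except ValueError:
        return False

def encode_ssec_key(raw: bytes) -> str:
    """Raw (unpadded) base64, the form shown in the --enc-c examples."""
    if len(raw) != 32:
        raise ValueError("SSE-C keys are exactly 32 bytes")
    return base64.b64encode(raw).decode().rstrip("=")

def _covers(path: str, obj: str) -> bool:
    # Assumed matching rule: an exact object path, or any object beneath the path taken as a prefix.
    if obj == path:
        return True
    prefix = path if path.endswith("/") else path + "/"
    return obj.startswith(prefix)

def select_key(mappings: dict, obj: str) -> Optional[str]:
    """Most specific (longest) matching KEY wins, so an object entry beats its prefix entry."""
    best = None
    for path, key in mappings.items():
        if _covers(path, obj) and (best is None or len(path) > len(best[0])):
            best = (path, key)
    return best[1] if best else None

def build_enc_c_args(mappings: dict) -> list:
    """Validate every key, then emit the repeated --enc-c KEY=VALUE arguments for an mc command line."""
    args = []
    for path, key in mappings.items():
        parse_ssec_key(key)  # raises on a malformed key before anything is uploaded
        args += ["--enc-c", f"{path}={key}"]
    return args

if __name__ == "__main__":
    page_key = "bXlidWNrZXQzMmJ5dGVlbmNyeXB0aW9ua2V5c3NlYwo"  # the key from the example above
    print(parse_ssec_key(page_key))
    mappings = {"myminio/mybucket/prefix/": page_key, "myminio/mybucket/prefix/object.obj": "ab" * 32}
    print(select_key(mappings, "myminio/mybucket/prefix/other.obj"))
    print(" ".join(build_enc_c_args(mappings)))
```

Decoding the key from the documentation's own example gives the 32 bytes `mybucket32byteencryptionkeyssec\n`, which is why the 31-character comment string still satisfies the 32-byte requirement: the trailing newline is part of the key.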
Note

MinIO strongly recommends against using SSE-C encryption in production workloads. Use SSE-KMS via the --enc-kms or SSE-S3 via the --enc-s3 parameters instead.