cb2aa233a0
This PR simplifies the management of KMS integrations by removing the detailed documentation and linking out to the KES docs site instead. There should be no mention of any specific KMS target. Each OS/platform should have references to the correct paths, OS, and the like. This completes work started on the KES docs side in https://github.com/minio/kes-docs/pull/48. Staged: - [Linux](http://192.241.195.202:9000/staging/ssekms/linux/operations/server-side-encryption/configure-minio-kes.html) - [Windows](http://192.241.195.202:9000/staging/ssekms/windows/operations/server-side-encryption/configure-minio-kes.html) - [Kubernetes](http://192.241.195.202:9000/staging/ssekms/k8s/operations/server-side-encryption/configure-minio-kes.html) - [Containers](http://192.241.195.202:9000/staging/ssekms/container/operations/server-side-encryption/configure-minio-kes.html) - [MacOS](http://192.241.195.202:9000/staging/ssekms/macos/operations/server-side-encryption/configure-minio-kes.html)
5.0 KiB
This procedure assumes an existing supported KMS installation <#supported-kms-targets>
accessible from the Kubernetes cluster.
- For deployments within the same Kubernetes cluster as the MinIO Tenant, you can use Kubernetes service names to allow the MinIO Tenant to establish connectivity to the target KMS service.
- For deployments external to the Kubernetes cluster, you must ensure the cluster supports routing communications between Kubernetes services and pods and the external network. This may require configuration or deployment of additional Kubernetes network components and/or enabling access to the public internet.
Defer to the documentation for your chosen KMS solution for guidance on deployment and configuration.
You can use either the MinIO Tenant Console or the MinIO mc CLI to enable
bucket-default SSE-KMS with the generated key:
MinIO Tenant Console
Connect to the MinIO Tenant Console service <create-tenant-connect-tenant>
and log in. For clients internal to the Kubernetes cluster, you can
specify the service DNS name <concepts/services-networking/dns-pod-service/#a-aaaa-records>.
For clients external to the Kubernetes cluster, specify the hostname of
the service exposed by Ingress, Load Balancer, or similar Kubernetes
network control component.
Once logged in, create a new Bucket and name it to your preference.
Select the Gear gear icon to open the management view.
Select the pencil pencil icon next to the Encryption field to open
the modal for configuring a bucket default SSE scheme.
Select SSE-KMS,
then enter the name of the key created in the previous step.
Once you save your changes, try to upload a file to the bucket. When viewing that file in the object browser, note that in the sidebar the metadata includes the SSE encryption scheme and information on the key used to encrypt that object. This indicates the successful encrypted state of the object.
MinIO CLI
Use the MinIO API Service <create-tenant-connect-tenant>
to create a new alias <alias> for the MinIO deployment. You can
then use the mc encrypt set command to enable SSE-KMS encryption for
a bucket:
mc alias set k8s https://minio.minio-tenant-1.svc.cluster-domain.example:443 ROOTUSER ROOTPASSWORD
mc mb k8s/encryptedbucket
mc encrypt set SSE-KMS encrypted-bucket-key k8s/encryptedbucketFor clients external to the Kubernetes cluster, specify the hostname of the service exposed by Ingress, Load Balancer, or similar Kubernetes network control component.
Write a file to the bucket using mc cp or any S3-compatible SDK with a
PutObject function. You can then run mc stat on the file to confirm
the associated encryption metadata.
Unseal Vault Before Creating Key
If required by your chosen provider, you must unseal the backing vault instance before creating new encryption keys. See the documentation for your chosen KMS solution for more information.
MinIO requires that the |EK| for a given
bucket or object exist on the root KMS before performing |SSE| operations using that key. You can use
the mc admin kms key create command against the MinIO
Tenant.
You must ensure your local host can access the MinIO Tenant pods and
services before using mc
to manage the Tenant. For hosts internal to the Kubernetes cluster, you
can use the service DNS name <concepts/services-networking/dns-pod-service/#a-aaaa-records>.
For hosts external to the Kubernetes cluster, specify the hostname of
the service exposed by Ingress, Load Balancer, or similar Kubernetes
network control component.
Run this command in a separate Terminal or Shell:
# Replace '-n minio' with the namespace of the MinIO deployment
# If you deployed the Tenant without TLS you may need to change the port range
# You can validate the ports in use by running
# kubectl get svc/minio -n minio
kubectl port forward svc/minio 443:443 -n minioThe following commands in a new Terminal or Shell window:
- Connect a local
mcclient to the Tenant. - Create the encryption key.
See mc-install for
instructions on installing mc on your local host.
# Replace USERNAME and PASSWORD with a user on the tenant with administrative permissions
# such as the root user
mc alias add k8s https://localhost:443 ROOTUSER ROOTPASSWORD
# Replace my-new-key with the name of the key you want to use for SSE-KMS
mc admin kms key create k8s encrypted-bucket-key