mirror of https://github.com/minio/docs.git synced 2025-08-06 14:42:56 +03:00
docs/source/operations/server-side-encryption.rst
2024-02-10 09:47:08 -05:00

Data Encryption (SSE)



MinIO Server-Side Encryption (SSE) protects objects as part of write operations, allowing clients to take advantage of server processing power to secure objects at the storage layer (encryption-at-rest). SSE also provides key functionality to regulatory and compliance requirements around secure locking and erasure.

MinIO SSE uses the MinIO Key Encryption Service (KES) and an external Key Management Service (KMS) for performing secured cryptographic operations at scale. MinIO also supports client-managed key management, where the application takes full responsibility for creating and managing encryption keys for use with MinIO SSE.

MinIO supports the following KMS (Key Management System) providers as the central key store:

  • Azure Key Vault <integrations/azure-keyvault/>
  • AWS Secrets Manager <integrations/aws-secrets-manager/>
  • Fortanix SDKMS <integrations/fortanix-sdkms/>
  • Google Cloud Secret Manager <integrations/google-cloud-secret-manager/>
  • Hashicorp Vault <integrations/hashicorp-vault-keystore/>
  • Thales Digital Identity and Security (formerly Gemalto) <integrations/thales-ciphertrust/>

MinIO SSE requires enabling minio-tls.

Supported Encryption Types

MinIO SSE is feature and API compatible with AWS Server-Side Encryption <server-side-encryption.html> and supports the following encryption strategies:

SSE-KMS (Recommended)

MinIO supports enabling automatic SSE-KMS encryption of all objects written to a bucket using a specific External Key (EK) stored on the external KMS (Key Management System). Clients can override the bucket-default EK (External Key) by specifying an explicit key as part of the write operation.

For buckets without automatic SSE-KMS encryption, clients can specify an EK (External Key) as part of the write operation instead.

SSE-KMS provides more granular and customizable encryption compared to SSE-S3 and SSE-C and is recommended over the other supported encryption methods.

For a tutorial on enabling SSE-KMS in a local (non-production) MinIO Deployment, see minio-encryption-sse-kms-quickstart.

SSE-S3

MinIO supports enabling automatic SSE-S3 encryption of all objects written to a bucket using an EK (External Key) stored on the external KMS (Key Management System). MinIO SSE-S3 supports one EK (External Key) for the entire deployment.

For buckets without automatic SSE-S3 encryption, clients can request SSE encryption as part of the write operation instead.

For a tutorial on enabling SSE-S3 in a local (non-production) MinIO Deployment, see minio-encryption-sse-s3-quickstart.

SSE-C

Clients specify an EK (External Key) as part of the write operation for an object. MinIO uses the specified EK (External Key) to perform SSE-S3.

SSE-C does not support bucket-default encryption settings and requires that clients perform all key management operations.
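The three strategies above differ only in which request headers the client sends on the write, since MinIO SSE follows the S3 SSE API. The following added example (not code from the MinIO project) builds those header sets, enforces the 256-bit key rule for SSE-C, and checks a response for the encryption actually applied; the key name `my-key` used in the usage is a hypothetical placeholder.

```python
import base64
import hashlib
import json
import os

# Header names from the S3 SSE API, which MinIO SSE implements.
_SSE = "x-amz-server-side-encryption"
_SSE_C = _SSE + "-customer-"


def sse_s3_headers():
    """SSE-S3: MinIO encrypts with the single deployment-wide EK held on the KMS."""
    return {_SSE: "AES256"}


def sse_kms_headers(key_name=None, context=None):
    """SSE-KMS: omit key_name to use the bucket-default EK, or name an EK on the
    external KMS to override it for this object. context is an optional dict
    that is bound to the object as base64-encoded JSON."""
    headers = {_SSE: "aws:kms"}
    if key_name:
        headers[_SSE + "-aws-kms-key-id"] = key_name
    if context:
        raw = json.dumps(context, separators=(",", ":")).encode()
        headers[_SSE + "-context"] = base64.b64encode(raw).decode()
    return headers


def sse_c_headers(key):
    """SSE-C: the client supplies a 256-bit key plus its MD5 checksum on every
    request; MinIO never stores the key, so the client owns key management."""
    if len(key) != 32:
        raise ValueError("SSE-C requires a 32-byte (256-bit) key")
    return {
        _SSE_C + "algorithm": "AES256",
        _SSE_C + "key": base64.b64encode(key).decode(),
        _SSE_C + "key-MD5": base64.b64encode(hashlib.md5(key).digest()).decode(),
    }


def encryption_applied(response_headers, expected):
    """Confirm from PutObject/HeadObject response headers (case-insensitive)
    that the object was encrypted with the expected strategy."""
    lower = {k.lower(): v for k, v in response_headers.items()}
    if expected == "SSE-C":
        return lower.get(_SSE_C + "algorithm") == "AES256"
    return lower.get(_SSE) == {"SSE-S3": "AES256", "SSE-KMS": "aws:kms"}[expected]


if __name__ == "__main__":
    print(sse_kms_headers("my-key", {"bucket": "demo"}))  # hypothetical EK name
    client_key = os.urandom(32)  # constructed SSE-C key; keep it client-side
    print(sse_c_headers(client_key))
```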

Configuring a KMS for MinIO

Linux

This procedure provides guidance for deploying MinIO configured to use KES and enable Server Side Encryption <minio-sse-data-encryption>.

As part of this procedure, you will:

  1. Deploy one or more KES (Key Encryption System) servers configured to use a KMS solution. You may optionally deploy a load balancer for managing connections to those KES servers.
  2. Create a new EK (External Key) on the KMS for use with SSE (Server-Side Encryption).
  3. Create or modify a MinIO deployment with support for SSE (Server-Side Encryption) using KES (Key Encryption System). Defer to the Deploy Distributed MinIO <minio-mnmd> tutorial for guidance on production-ready MinIO deployments.
  4. Configure automatic bucket-default SSE-KMS <minio-encryption-sse-kms>.

macOS or Windows

This procedure assumes a single local host machine running the MinIO and KES processes. As part of this procedure, you will:

  1. Deploy a KES (Key Encryption System) server configured to use a KMS solution.
  2. Create a new EK (External Key) on Vault for use with SSE (Server-Side Encryption).
  3. Deploy a MinIO server in Single-Node Single-Drive mode <minio-snsd> configured to use the KES (Key Encryption System) container for supporting SSE (Server-Side Encryption).
  4. Configure automatic bucket-default SSE-KMS <minio-encryption-sse-kms>.

For production orchestrated environments, use the MinIO Kubernetes Operator to deploy a tenant with SSE (Server-Side Encryption) enabled and configured for use with the KMS.

For production baremetal environments, see the KES documentation for tutorials on configuring MinIO with your choice of Key Management System.

Container

This procedure assumes a single host machine running the MinIO and KES containers. As part of this procedure, you will:

  1. Deploy a KES (Key Encryption System) container configured to use Hashicorp Vault as the root KMS (Key Management System).
  2. Create a new EK (External Key) on Vault for use with SSE (Server-Side Encryption).
  3. Deploy a MinIO Server container in Single-Node Single-Drive mode <minio-snsd> configured to use the KES (Key Encryption System) container for supporting SSE (Server-Side Encryption).
  4. Configure automatic bucket-default SSE-KMS <minio-encryption-sse-kms>.

For production orchestrated environments, use the MinIO Kubernetes Operator to deploy a tenant with SSE (Server-Side Encryption) enabled and configured for use with Hashicorp Vault.

For production baremetal environments, see the KES documentation for tutorials on configuring MinIO with your choice of Key Management System.

Kubernetes

This procedure assumes you have access to a Kubernetes cluster with an active MinIO Operator installation. As part of this procedure, you will:

  1. Use the MinIO Operator Console to create or manage a MinIO Tenant.
  2. Access the Encryption settings for that tenant and configure SSE (Server-Side Encryption) using Hashicorp Vault.
  3. Create a new EK (External Key) on Vault for use with SSE (Server-Side Encryption).
  4. Configure automatic bucket-default SSE-KMS <minio-encryption-sse-kms>.

For production baremetal environments, see the KES documentation for tutorials on configuring MinIO with your choice of Key Management System.

Important