Data Encryption (SSE)
MinIO Server-Side Encryption (SSE) protects objects as part of write operations, allowing clients to take advantage of server processing power to secure objects at the storage layer (encryption-at-rest). SSE also supports regulatory and compliance requirements around secure locking and erasure: because the object data is only readable with the key, destroying the key amounts to cryptographic erasure of the data.
MinIO SSE uses the MinIO Key Encryption Service (KES) <kes> and an external Key Management System (KMS) to perform cryptographic operations securely and at scale. MinIO also supports client-managed keys, where the application takes full responsibility for creating, supplying and safeguarding the encryption keys used with MinIO SSE (see SSE-C below).
MinIO supports the following KMS (Key Management System) providers as the central key store:
HashiCorp Vault <minio-sse-vault>
AWS Secrets Manager <minio-sse-aws>
Google Cloud Secret Manager <minio-sse-gcp>
Azure Key Vault <minio-sse-azure>
Fortanix SDKMS <kes/wiki/Fortanix-SDKMS>
Thales Digital Identity and Security (formerly Gemalto) <kes/wiki/Gemalto-KeySecure>
MinIO SSE requires enabling minio-tls. Encryption keys and key names travel in request headers, so an unencrypted connection would expose them in transit.
Supported Encryption Types
MinIO SSE is feature and API compatible with AWS Server-Side Encryption <server-side-encryption.html> and supports the following encryption strategies:
SSE-KMS Recommended
MinIO supports enabling automatic SSE-KMS encryption of all objects written to a bucket using a specific External Key (EK) stored on the external KMS (Key Management System). Clients can override the bucket-default EK (External Key) by specifying an explicit key name as part of the write operation.
For buckets without automatic SSE-KMS encryption, clients can specify an EK (External Key) as part of the write operation instead.
Once server-side encryption is enabled, MinIO also encrypts its own backend data with the configured KMS, so you cannot disable SSE-KMS encryption once enabled.
SSE-KMS provides more granular and customizable encryption than SSE-S3 and SSE-C (a different key per bucket or per object, chosen by name) and is recommended over the other supported encryption methods.
For a tutorial on enabling SSE-KMS in a local (non-production) MinIO deployment, see minio-encryption-sse-kms-quickstart.
SSE-S3
MinIO supports enabling automatic SSE-S3 encryption of all objects written to a bucket using an EK (External Key) stored on the external KMS (Key Management System).
MinIO SSE-S3 supports one EK (External Key) for the entire deployment; unlike SSE-KMS, clients do not select a key by name.
For buckets without automatic SSE-S3 encryption, clients can request SSE-S3 encryption as part of the write operation instead.
Once server-side encryption is enabled, MinIO also encrypts its own backend data with the configured KMS, so you cannot disable SSE-S3 encryption once enabled.
For a tutorial on enabling SSE-S3 in a local (non-production) MinIO deployment, see minio-encryption-sse-s3-quickstart.
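The SSE-KMS and SSE-S3 procedures above are, on the wire, the S3 PutBucketEncryption and PutObject APIs with which MinIO is compatible. The following is an added example (not MinIO's own code or tooling) that sets a bucket-default SSE-KMS rule with boto3, writes one object that inherits the default and one that overrides it with an explicit key name, and then checks from the HeadObject response what encryption was actually applied. It assumes a TLS-enabled MinIO endpoint in `MINIO_ENDPOINT`, credentials in the usual `AWS_*` environment variables, and a KES-managed key named by `MINIO_KMS_KEY`; the bucket and key names are placeholders.

```python
"""Bucket-default SSE-KMS / SSE-S3 with boto3 against a MinIO server.

Added example, not MinIO's own code. ENDPOINT, KEY_NAME and the bucket
name below are assumed placeholders.
"""
import os
from typing import Dict, Optional

ENDPOINT = os.environ.get("MINIO_ENDPOINT", "https://minio.example.internal:9000")  # assumed
KEY_NAME = os.environ.get("MINIO_KMS_KEY", "my-minio-key")  # assumed KES key name


def bucket_encryption_config(mode: str, kms_key: Optional[str] = None) -> Dict:
    """Body for PutBucketEncryption, i.e. the bucket's default rule.

    "sse-kms" names a specific external key (recommended); "sse-s3" uses the
    single deployment-wide key, so no key name is sent with it.
    """
    if mode == "sse-kms":
        if not kms_key:
            raise ValueError("SSE-KMS needs the name of the external key")
        rule = {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": kms_key}
    elif mode == "sse-s3":
        if kms_key:
            raise ValueError("SSE-S3 uses the deployment-wide key; do not pass a key name")
        rule = {"SSEAlgorithm": "AES256"}
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return {"Rules": [{"ApplyServerSideEncryptionByDefault": rule}]}


def put_object_sse_args(mode: str, kms_key: Optional[str] = None) -> Dict[str, str]:
    """Per-request PutObject parameters that override the bucket default for one object."""
    if mode == "sse-kms":
        args = {"ServerSideEncryption": "aws:kms"}
        if kms_key:
            args["SSEKMSKeyId"] = kms_key
        return args
    if mode == "sse-s3":
        return {"ServerSideEncryption": "AES256"}
    raise ValueError(f"unknown mode {mode!r}")


def describe_encryption(head: Dict) -> str:
    """Summarise the SSE state a HeadObject/GetObject response reports.

    Run this after every write you care about: an object in a bucket with a
    default rule must never come back as "unencrypted".
    """
    sse = head.get("ServerSideEncryption")
    if sse == "aws:kms":
        return f"sse-kms key={head.get('SSEKMSKeyId', '?')}"
    if sse == "AES256":
        return "sse-s3"
    if head.get("SSECustomerAlgorithm") == "AES256":
        return "sse-c"
    return "unencrypted"


def main() -> None:
    import boto3  # imported here so the helpers above work without boto3 installed

    s3 = boto3.client("s3", endpoint_url=ENDPOINT)
    bucket = "sse-demo"  # assumed
    s3.create_bucket(Bucket=bucket)
    # Bucket default: anything written without explicit SSE settings is
    # encrypted under KEY_NAME. Swap in ("sse-s3") for the deployment-wide key.
    s3.put_bucket_encryption(
        Bucket=bucket,
        ServerSideEncryptionConfiguration=bucket_encryption_config("sse-kms", KEY_NAME),
    )
    s3.put_object(Bucket=bucket, Key="default.txt", Body=b"uses the bucket default")
    # Client override: same bucket, a different external key for this object.
    s3.put_object(
        Bucket=bucket, Key="override.txt", Body=b"uses an explicit key",
        **put_object_sse_args("sse-kms", "other-key"),  # assumed second KES key
    )
    for key in ("default.txt", "override.txt"):
        print(key, describe_encryption(s3.head_object(Bucket=bucket, Key=key)))


if __name__ == "__main__":
    main()
```

The override key must already exist in KES; MinIO does not create keys on demand from an object write. Note that SSE-S3 carries no key name anywhere in the configuration, which is exactly why it cannot be scoped per bucket or per object the way SSE-KMS can.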
SSE-C
Clients supply their own 256-bit key as part of the write operation for an object. MinIO uses that client-supplied key to encrypt the object and does not retain it: the client must present the same key on every subsequent read of the object, and a request that omits it (or sends a key whose MD5 header does not match) is rejected. If the client loses the key, the object is unrecoverable.
SSE-C does not support bucket-default encryption settings and requires clients to perform all key management operations, including generating, storing and rotating keys.
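Because SSE-C moves key management entirely to the client, it is worth seeing exactly what the client sends and what the server checks. The following is an added example (not MinIO's or AWS's own code) that builds the three SSE-C request headers by hand, performs the same sanity check the server does before using the key (algorithm, key length, MD5 match), and then runs a put/get round trip with boto3, including the expected refusal when the key is omitted on read. It assumes a TLS-enabled MinIO endpoint in `MINIO_ENDPOINT` and credentials in the usual `AWS_*` environment variables; `EXAMPLE_KEY` is a constructed test vector, never use a fixed key like it in practice.

```python
"""SSE-C with a client-managed key: headers, server-side check, round trip.

Added example, not MinIO's own code. ENDPOINT is an assumed placeholder and
EXAMPLE_KEY is a constructed, deliberately non-random test vector.
"""
import base64
import hashlib
import os
import secrets
from typing import Dict, Optional

ENDPOINT = os.environ.get("MINIO_ENDPOINT", "https://minio.example.internal:9000")  # assumed

ALG_HDR = "x-amz-server-side-encryption-customer-algorithm"
KEY_HDR = "x-amz-server-side-encryption-customer-key"
MD5_HDR = "x-amz-server-side-encryption-customer-key-MD5"

EXAMPLE_KEY = bytes(range(32))  # constructed test vector only


def new_customer_key() -> bytes:
    """A fresh 256-bit key. The client owns it; MinIO never stores it."""
    return secrets.token_bytes(32)


def sse_c_headers(key: bytes) -> Dict[str, str]:
    """The three request headers SSE-C requires.

    boto3 derives these from SSECustomerKey for you; building them by hand
    shows what actually reaches the server, and why TLS is mandatory.
    """
    if len(key) != 32:
        raise ValueError("SSE-C keys must be exactly 32 bytes (AES-256)")
    return {
        ALG_HDR: "AES256",
        KEY_HDR: base64.b64encode(key).decode(),
        MD5_HDR: base64.b64encode(hashlib.md5(key).digest()).decode(),
    }


def verify_sse_c_headers(headers: Dict[str, str]) -> Optional[bytes]:
    """The check a server performs before touching the key.

    Algorithm must be AES256, the key must decode to 32 bytes, and the MD5
    header must match the key. Returns the key, or None where a server
    would answer 400 Bad Request.
    """
    if headers.get(ALG_HDR) != "AES256":
        return None
    try:
        key = base64.b64decode(headers.get(KEY_HDR, ""), validate=True)
        md5 = base64.b64decode(headers.get(MD5_HDR, ""), validate=True)
    except (ValueError, TypeError):
        return None
    if len(key) != 32 or md5 != hashlib.md5(key).digest():
        return None
    return key


def sse_c_round_trip(bucket: str, key_name: str, customer_key: bytes) -> bytes:
    """Write with the client key, show a keyless read is refused, read back."""
    import boto3  # local import so the helpers above work without boto3 installed
    from botocore.exceptions import ClientError

    s3 = boto3.client("s3", endpoint_url=ENDPOINT)
    sse = {"SSECustomerAlgorithm": "AES256", "SSECustomerKey": customer_key}
    body = b"client-managed key"
    # boto3 base64-encodes the key and fills in the MD5 header itself.
    s3.put_object(Bucket=bucket, Key=key_name, Body=body, **sse)
    try:
        s3.head_object(Bucket=bucket, Key=key_name)  # no key: must be refused
    except ClientError as err:
        print("read without key refused:", err.response["Error"]["Code"])
    else:
        raise RuntimeError("server served an SSE-C object without the key")
    got = s3.get_object(Bucket=bucket, Key=key_name, **sse)["Body"].read()
    if got != body:
        raise RuntimeError("round trip returned different data")
    return got


if __name__ == "__main__":
    key = new_customer_key()
    print(sse_c_headers(key))
    sse_c_round_trip("sse-c-demo", "secret.txt", key)  # assumed bucket/object names
```

The MD5 header is an integrity check on the key, not a secret: anyone who can read the request sees the key itself in `x-amz-server-side-encryption-customer-key`, which is the reason the page requires TLS for SSE. Keep the key in your application's own secret store; MinIO keeps nothing that would let it, or you, recover the object without it.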