Updates `mc` reference docs for several releases of the MinIO Client.

- Adds missing flags to `mc admin trace`
- Updates `disk` -> `drive` throughout the docs, but not in all cases.
- Adds `--airgap` flag to `mc support profile` and `mc support perf` commands.
- Updates the flags for `mc ilm add` command
- Adds `mc license unregister` command.

Closes #571
Closes #614
Closes #627
Closes #633
MinIO generates a Data Encryption Key (DEK) using a root key held in the KMS. Specifically, the MinIO Key Encryption Service (KES) requests a new cryptographic key from the KMS, with that KMS-managed key serving as the "root" key.

KES returns both the plaintext DEK and a representation of the DEK encrypted under that root key. MinIO stores the encrypted representation as part of the object metadata.
MinIO uses a deterministic algorithm to generate a 256-bit unique Key Encryption Key (KEK). The key-derivation algorithm uses a pseudo-random function (PRF) that takes the plaintext DEK, a randomly generated initialization vector, and a context consisting of values like the bucket and object name.

MinIO generates the KEK at the time of each encryption or decryption operation and never stores the KEK on a drive.
MinIO generates a random 256-bit unique Object Encryption Key (OEK) and uses that key to encrypt the object. MinIO never stores the plaintext representation of the OEK on a drive. The plaintext OEK resides in RAM during cryptographic operations.
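As an added illustration that is not MinIO's own code, the following Go sketch models the key hierarchy described above: a KEK derived by a PRF from the plaintext DEK, a random IV and the bucket/object context, then used to seal the OEK so that only the sealed form and its nonce would ever be written with the object metadata. HMAC-SHA256 as the PRF and AES-256-GCM as the wrapping cipher are assumptions made for this example; the page does not specify either.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)
// deriveKEK models the derivation described above: a PRF keyed with the
// plaintext DEK over a random IV and a bucket/object context. HMAC-SHA256 is
// an assumed stand-in for the PRF; the page does not name MinIO's own.
func deriveKEK(dek, iv []byte, bucket, object string) []byte {
	mac := hmac.New(sha256.New, dek)
	mac.Write(iv)
	mac.Write([]byte(bucket + "\x00" + object)) // NUL keeps the pair unambiguous
	return mac.Sum(nil)                          // 256-bit KEK, held in memory only
}

// aeadFor builds an AES-256-GCM instance keyed with the 32-byte KEK (assumed cipher).
func aeadFor(kek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealOEK wraps the OEK under the KEK; only nonce and sealed bytes would be stored.
func sealOEK(kek, oek []byte) (nonce, sealed []byte, err error) {
	gcm, err := aeadFor(kek)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, oek, nil), nil
}

// unsealOEK recovers the OEK; a KEK derived for another object context fails here.
func unsealOEK(kek, nonce, sealed []byte) ([]byte, error) {
	gcm, err := aeadFor(kek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, sealed, nil)
}
```

The unseal step shows why the context matters: because GCM authenticates the ciphertext, a sealed OEK copied to a different bucket or object name cannot be opened with the KEK derived for that other path.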