mirror of https://github.com/minio/docs.git synced 2025-10-28 07:54:51 +03:00
docs/source/operations/server-side-encryption/configure-minio-kes.rst
Ravind Kumar 571f188a4e Attempting to reduce docs to single platform (#1258)

We are going to make the following changes to the Object Store docs as
part of a larger QC/Content pass:

### Left Navigation

We want to modify the left navigation flow to be a natural progression
from a basic setup to more advanced.

For example:

- Core Concepts
  - Deployment Architecture
  - Availability and Resiliency
  - Erasure Coding and Object Healing
  - Object Scanner
  - Site Replication and Failover
  - Thresholds and Limits
- Installation
  - Deployment Checklist
  - Deploy MinIO on Kubernetes
  - Deploy MinIO on Red Hat Linux
  - Deploy MinIO on Ubuntu Linux
  - Deploy MinIO for Development (MacOS, Windows, Container)
- Security and Encryption (Conceptual Overview)
  - Network Encryption (TLS) (Conceptual overview)
    - Enable Network Encryption using Single Domain
    - Enable Network Encryption using Multiple Domains
    - Enable Network Encryption using certmanager (Kubernetes only)
  - Data Encryption (SSE) (Conceptual overview)
    - Enable SSE using AIStor Key Management Server
    - Enable SSE using KES (Summary page + linkouts)
  - External Identity Management (Conceptual Overview)
    - Enable External Identity management using OpenID
    - Enable External Identity management using AD/LDAP
- Backup and Recovery
  - Create a Multi-Site Replication Configuration
  - Recovery after Hardware Failure
    - Recover after drive failure
    - Recover after node failure
    - Recover after site failure
- Monitoring and Alerts
  - Metrics and Alerting (v3 reference)
    - Monitoring and Alerting using Prometheus
    - Monitoring and Alerting using InfluxDB
    - Monitoring and Alerting using Grafana
    - Metrics V2 Reference
  - Publish Server and Audit Logs to External Services
  - MinIO Healthcheck API

The Administration, Developer, and Reference sections will remain as-is
for now.

http://192.241.195.202:9000/staging/singleplat/mindocs/index.html

# Goals

Maintaining multiple platforms is getting to be too much, and based on
analytics the actual number of users taking advantage of it is minimal.

Furthermore, the majority of traffic is to installation pages.

Therefore we're going to try to collapse back into a single MinIO Object
Storage product, and use simple navigation and on-page selectors to
handle Baremetal vs Kubernetes.

This may also help to eventually stage us to migrate to Hugo + Markdown

---------

Co-authored-by: Daryl White <53910321+djwfyi@users.noreply.github.com>
Co-authored-by: Rushan <rushenn@minio.io>
Co-authored-by: rushenn <rushenn123@gmail.com>
2025-07-30 12:33:02 -04:00

Server-Side Object Encryption with KES


Kubernetes

This procedure assumes you have access to a Kubernetes cluster with an active MinIO Operator installation. For instructions on running KES, see the KES docs <tutorials/getting-started/>.

As part of this procedure, you will:

  1. Create or modify a MinIO deployment with support for SSE (Server-Side Encryption) using KES (Key Encryption Service). Defer to the Deploy Distributed MinIO <minio-mnmd> tutorial for guidance on production-ready MinIO deployments.
  2. Use the MinIO Operator Console to create or manage a MinIO Tenant.
  3. Access the Encryption settings for that tenant and configure SSE (Server-Side Encryption) using a supported Key Management System <#supported-kms-targets>.
  4. Create a new EK (External Key) for use with SSE (Server-Side Encryption).
  5. Configure automatic bucket-default SSE-KMS <minio-encryption-sse-kms>.

Baremetal

This procedure provides guidance for deploying MinIO configured to use KES and enable Server Side Encryption <minio-sse-data-encryption>. For instructions on running KES, see the KES docs <tutorials/getting-started/>.

As part of this procedure, you will:

  1. Create a new EK (External Key) for use with SSE (Server-Side Encryption).
  2. Create or modify a MinIO deployment with support for SSE (Server-Side Encryption) using KES (Key Encryption Service). Defer to the Deploy Distributed MinIO <minio-mnmd> tutorial for guidance on production-ready MinIO deployments.
  3. Configure automatic bucket-default SSE-KMS <minio-encryption-sse-kms>.

Important

Prerequisites

Access to MinIO Cluster

Kubernetes

You must have access to the Kubernetes cluster, with administrative permissions associated to your kubectl configuration.

This procedure assumes your permission set extends sufficiently to support deployment or modification of MinIO-associated resources on the Kubernetes cluster, including but not limited to pods, statefulsets, replicasets, deployments, and secrets.

Baremetal

This procedure uses mc for performing operations on the MinIO cluster. Install mc on a machine with network access to the cluster. See the mc Installation Quickstart <mc-install> for instructions on downloading and installing mc.

This procedure assumes a configured alias <mc alias> for the MinIO cluster.

Ensure KES Access to a Supported KMS Target

Kubernetes

This procedure assumes an existing supported KMS installation <#supported-kms-targets> accessible from the Kubernetes cluster.

  • For deployments within the same Kubernetes cluster as the MinIO Tenant, you can use Kubernetes service names to allow the MinIO Tenant to establish connectivity to the target KMS service.
  • For deployments external to the Kubernetes cluster, you must ensure the cluster supports routing communications between Kubernetes services and pods and the external network. This may require configuration or deployment of additional Kubernetes network components and/or enabling access to the public internet.

Defer to the documentation for your chosen KMS solution for guidance on deployment and configuration.

Baremetal

This procedure assumes an existing KES installation connected to a supported KMS (Key Management System) installation, both accessible from the local host. Refer to the installation instructions for your supported KMS target <#supported-kms-targets> to deploy KES and connect it to a KMS solution.

KES Operations Require Unsealed Target

Some supported KMS (Key Management System) targets allow you to seal or unseal the vault instance. KES returns an error if the configured KMS (Key Management System) service is sealed.

If you restart or otherwise seal your vault instance, KES cannot perform any cryptographic operations against the vault. You must unseal the Vault to ensure normal operations.

See the documentation for your chosen KMS (Key Management System) solution for more information on whether unsealing may be required.

Refer to the configuration instructions in the KES documentation <> for your chosen supported KMS (Key Management System):

  • AWS Secrets Manager <integrations/aws-secrets-manager/>
  • Azure KeyVault <integrations/azure-keyvault/>
  • Entrust KeyControl <integrations/entrust-keycontrol/>
  • Fortanix SDKMS <integrations/fortanix-sdkms/>
  • Google Cloud Secret Manager <integrations/google-cloud-secret-manager/>
  • HashiCorp Vault <integrations/hashicorp-vault-keystore/>
  • Thales CipherTrust Manager (formerly Gemalto KeySecure) <integrations/thales-ciphertrust/>

Procedure

This procedure provides instructions for configuring and enabling Server-Side Encryption using your selected supported KMS solution in production environments. Specifically, this procedure assumes the following:

  • An existing production-grade KMS target
  • One or more KES servers connected to the KMS target
  • One or more hosts for a new or existing MinIO deployment
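The Baremetal path above boils down to three checks before MinIO is started: the KMS behind KES must be unsealed, the MinIO host must be able to present its mTLS client identity to KES, and the external key (EK) must exist before buckets default to it. The following preflight script is an added example and is not part of the MinIO docs or of the KES project. It assumes the MINIO_KMS_KES_ENDPOINT, MINIO_KMS_KES_KEY_NAME, MINIO_KMS_KES_KEY_FILE and MINIO_KMS_KES_CERT_FILE environment variables documented by MinIO are the configuration surface, that the KMS target is HashiCorp Vault (whose /v1/sys/seal-status API returns a JSON document with a "sealed" field), and that the private-key permission policy (owner-only) is a local choice; the apply_bucket_default_sse function uses the mc subcommands named on this page (mc admin kms key create, mc encrypt set sse-kms, mc encrypt info) and is only run when the script is invoked with "apply". The seal-status JSON fed to the parser in the usage note is constructed.

```shell
#!/usr/bin/env bash
# Added preflight helper for a baremetal MinIO host that will use KES for SSE.
# Not from the MinIO docs. Assumes HashiCorp Vault as the KMS target behind KES.
set -u

# Parse a Vault /v1/sys/seal-status response. Returns 0 if sealed, 1 if unsealed,
# 2 if the document has no "sealed" field. Uses only tr and case, so no jq needed.
vault_is_sealed() {
  compact=$(printf '%s' "$1" | tr -d ' \n\t')
  case "$compact" in
    *'"sealed":true'*)  return 0 ;;
    *'"sealed":false'*) return 1 ;;
    *)                  return 2 ;;
  esac
}

# Live variant: query Vault (VAULT_ADDR is Vault's own address variable) and
# refuse to continue while the vault is sealed, since KES would only return errors.
vault_seal_status_live() {
  vault_is_sealed "$(curl -fsS "${VAULT_ADDR:?set VAULT_ADDR}/v1/sys/seal-status")"
}

# Report a problem and bump the counter shared with kes_env_preflight.
problem() { echo "preflight: $1" >&2; problems=$((problems + 1)); }

# Check that VALUE (the contents of variable NAME) points at a readable file.
require_readable() {
  if [ -z "$2" ]; then problem "$1 is not set"
  elif [ ! -r "$2" ]; then problem "$1: $2 is missing or unreadable"
  fi
}

# Validate the MinIO-side KES settings. Returns the number of problems found
# (0 means the host is ready to start minio with these variables).
kes_env_preflight() {
  problems=0
  case "${MINIO_KMS_KES_ENDPOINT:-}" in
    https://*) ;;
    "") problem "MINIO_KMS_KES_ENDPOINT is not set" ;;
    *)  problem "MINIO_KMS_KES_ENDPOINT must be an https:// URL (policy assumed here): ${MINIO_KMS_KES_ENDPOINT}" ;;
  esac
  [ -n "${MINIO_KMS_KES_KEY_NAME:-}" ] || problem "MINIO_KMS_KES_KEY_NAME (the EK name in KES) is not set"
  require_readable MINIO_KMS_KES_KEY_FILE "${MINIO_KMS_KES_KEY_FILE:-}"
  require_readable MINIO_KMS_KES_CERT_FILE "${MINIO_KMS_KES_CERT_FILE:-}"
  # The mTLS private key is this host's identity towards KES: anyone who can read
  # it can ask KES for data keys, so require owner-only permissions (assumed policy).
  key="${MINIO_KMS_KES_KEY_FILE:-}"
  if [ -n "$key" ] && [ -r "$key" ]; then
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key" 2>/dev/null)
    case "$mode" in
      [0-7]00) ;;
      *) problem "private key $key has mode $mode; expected owner-only (600 or 400)" ;;
    esac
  fi
  return "$problems"
}

# Steps 1 and 3 of the Baremetal procedure, using mc commands from the MinIO docs:
# create the EK through MinIO/KES, then make it the bucket's default SSE-KMS key.
apply_bucket_default_sse() {
  alias="$1"; bucket="$2"; keyname="$3"
  mc admin kms key create "$alias" "$keyname"
  mc encrypt set sse-kms "$keyname" "$alias/$bucket"
  mc encrypt info "$alias/$bucket"
}

if [ "${1:-}" = "apply" ]; then
  # Usage: ./kes-preflight.sh apply ALIAS BUCKET   (KEY name taken from the env)
  vault_seal_status_live && { echo "vault is sealed; unseal it first" >&2; exit 1; }
  kes_env_preflight || exit 1
  apply_bucket_default_sse "$2" "$3" "$MINIO_KMS_KES_KEY_NAME"
fi
```

Run it without arguments to load the functions, or with `apply ALIAS BUCKET` after exporting the MINIO_KMS_KES_* variables; `kes_env_preflight` exits non-zero on a plaintext endpoint, a missing key or cert file, or a client key that other local users can read, which are the misconfigurations most often behind "KES unreachable" errors at MinIO start-up. Feeding `vault_is_sealed` a constructed response such as `{"type":"shamir","sealed":true,"t":3,"n":5}` returns 0, so the script stops before touching KES.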

Kubernetes

Baremetal