minio/docs
1
0
Fork 0
mirror of https://github.com/minio/docs.git synced 2025-12-07 08:22:13 +03:00
Code Activity
Files
bfdb0c00d9b2955b29fe1aa439475ebf924cfe54
docs/source/operations/server-side-encryption/configure-minio-kes.rst
Daryl White bc261ad8bb Updating links for new docs subdomain (#1494) 
Docs have moved from min.io/docs to docs.min.io/commuinity.

This fixes hard, external links to use the new subdomain.

Note that some of these files are automatically pulled from elsewhere as
part of the build process, so some may not carry through even after this
PR merges.
2025-08-12 17:20:53 -04:00

6.7 KiB
Raw Blame History

Server-Side Object Encryption with KES

minio

Table of Contents

Kubernetes

This procedure assumes you have access to a Kubernetes cluster with an active MinIO Operator installation. For instructions on running KES, see the KES docs <tutorials/getting-started/>.

As part of this procedure, you will:

  1. Create or modify a MinIO deployment with support for SSE (Server-Side Encryption) using KES (Key Encryption Service). Defer to the Deploy Distributed MinIO <minio-mnmd> tutorial for guidance on production-ready MinIO deployments.
  2. Use the MinIO Operator Console to create or manage a MinIO Tenant.
  3. Access the Encryption settings for that tenant and configure SSE (Server-Side Encryption) using a supported Key Management System <#supported-kms-targets>.
  4. Create a new EK (External Key) for use with SSE (Server-Side Encryption).
  5. Configure automatic bucket-default SSE-KMS <minio-encryption-sse-kms>.

Baremetal

This procedure provides guidance for deploying MinIO configured to use KES and enable Server Side Encryption <minio-sse-data-encryption>. For instructions on running KES, see the KES docs <tutorials/getting-started/>.

As part of this procedure, you will:

  1. Create a new EK (External Key) for use with SSE (Server-Side Encryption).
  2. Create or modify a MinIO deployment with support for SSE (Server-Side Encryption) using KES (Key Encryption Service). Defer to the Deploy Distributed MinIO <minio-mnmd> tutorial for guidance on production-ready MinIO deployments.
  3. Configure automatic bucket-default SSE-KMS <minio-encryption-sse-kms>

Important

Prerequisites

Access to MinIO Cluster

Kubernetes

You must have access to the Kubernetes cluster, with administrative permissions associated to your kubectl configuration.

This procedure assumes your permission sets extends sufficiently to support deployment or modification of MinIO-associated resources on the Kubernetes cluster, including but not limited to pods, statefulsets, replicasets, deployments, and secrets.

Baremetal

This procedure uses mc for performing operations on the MinIO cluster. Install mc on a machine with network access to the cluster. See the mc Installation Quickstart <mc-install> for instructions on downloading and installing mc.

This procedure assumes a configured alias <mc alias> for the MinIO cluster.

Ensure KES Access to a Supported KMS Target

Kubernetes

This procedure assumes an existing supported KMS installation <#supported-kms-targets> accessible from the Kubernetes cluster.

  • For deployments within the same Kubernetes cluster as the MinIO Tenant, you can use Kubernetes service names to allow the MinIO Tenant to establish connectivity to the target KMS service.
  • For deployments external to the Kubernetes cluster, you must ensure the cluster supports routing communications between Kubernetes services and pods and the external network. This may require configuration or deployment of additional Kubernetes network components and/or enabling access to the public internet.

Defer to the documentation for your chosen KMS solution for guidance on deployment and configuration.

Baremetal

This procedure assumes an existing KES installation connected to a supported KMS (Key Management System) installation accessible, both accessible from the local host. Refer to the installation instructions for your supported KMS target <#supported-kms-targets> to deploy KES and connect it to a KMS solution.

KES Operations Require Unsealed Target

Some supported KMS (Key Management System) targets allow you to seal or unseal the vault instance. KES returns an error if the configured KMS (Key Management System) service is sealed.

If you restart or otherwise seal your vault instance, KES cannot perform any cryptographic operations against the vault. You must unseal the Vault to ensure normal operations.

See the documentation for your chosen KMS (Key Management System) solution for more information on whether unsealing may be required.

Refer to the configuration instruction in the KES documentation <> for your chosen supported KMS (Key Management System):

  • AWS Secrets Manager <integrations/aws-secrets-manager/>
  • Azure KeyVault <integrations/azure-keyvault/>
  • Entrust KeyControl <integrations/entrust-keycontrol/>
  • Fortanix SDKMS <integrations/fortanix-sdkms/>
  • Google Cloud Secret Manager <integrations/google-cloud-secret-manager/>
  • HashiCorp Vault <integrations/hashicorp-vault-keystore/>
  • Thales CipherTrust Manager (formerly Gemalto KeySecure) <integrations/thales-ciphertrust/>

Procedure

This procedure provides instructions for configuring and enabling Server-Side Encryption using your selected supported KMS solution in production environments. Specifically, this procedure assumes the following:

  • An existing production-grade KMS target
  • One or more KES servers connected to the KMS target
  • One or more hosts for a new or existing MinIO deployment

Kubernetes

Baremetal

View Git Blame Copy Permalink