minio/docs
1
0
Fork 0
mirror of https://github.com/minio/docs.git synced 2025-05-28 00:41:14 +03:00
Code
docs/source/includes/container/steps-configure-minio-kes-hashicorp.rst
Ravind Kumar 40cd778e5b
Completion of SSE-KMS doc rewrite (#539)
2022-09-06 17:38:08 -04:00

4.8 KiB
Raw Blame History

(Podman) Deploy MinIO and KES with Server-Side Encryption using Hashicorp Key Vault

Prior to starting these steps, create the following folders:

mkdir -P |kescertpath|
mkdir -P |kesconfigpath|
mkdir -P |miniodatapath|

For Windows hosts, substitute the paths with Windows-style paths, e.g. C:\minio-kes-vault\.

1) Generate TLS Certificates for KES and MinIO

Depending on your Vault configuration, you may need to pass the kes-server.cert as a trusted Certificate Authority. See the Hashicorp Vault Configuration Docs for more information. Defer to the client documentation for instructions on trusting a third-party CA.

2) Create the KES and MinIO Configurations

  1. Create the KES Configuration File

    Create the configuration file using your preferred text editor. The following example uses nano:

    nano |kesconfigpath|/kes-config.yaml

    • Set MINIO_IDENTITY_HASH to the identity hash of the MinIO mTLS certificate.

      The following command computes the necessary hash:

      podman run --rm                                             \
   -v |kescertpath|/certs:/certs                                \
   kes:|kes-stable| tool identity of /certs/minio-kes.cert

    • Replace the vault.endpoint with the hostname of the Vault server(s).

    • Replace the VAULTAPPID and VAULTAPPSECRET with the appropriate Vault AppRole credentials <minio-sse-vault-prereq-vault>.

  2. Create the MinIO Environment File

    Create the environment file using your preferred text editor. The following example uses nano:

    nano |minioconfigpath|/minio

3) Create Pod and Containers

4) Generate a New Encryption Key

5) Enable SSE-KMS for a Bucket

You can use either the MinIO Console or the MinIO mc CLI to enable bucket-default SSE-KMS with the generated key:

MinIO Console

Open the MinIO Console by navigating to http://127.0.0.1:9090 in your preferred browser and logging in with the root credentials specified to the MinIO container.

Once logged in, create a new Bucket and name it to your preference. Select the Gear gear icon to open the management view.

Select the pencil pencil icon next to the Encryption field to open the modal for configuring a bucket default SSE scheme.

Select SSE-KMS, then enter the name of the key created in the previous step.

Once you save your changes, try to upload a file to the bucket. When viewing that file in the object browser, note that in the sidebar the metadata includes the SSE encryption scheme and information on the key used to encrypt that object. This indicates the successful encrypted state of the object.

MinIO CLI

The following commands:

  • Create a new alias <alias> for the MinIO deployment
  • Create a new bucket for storing encrypted data
  • Enable SSE-KMS encryption on that bucket
mc alias set local http://127.0.0.1:9000 ROOTUSER ROOTPASSWORD

mc mb local/encryptedbucket
mc encrypt set SSE-KMS encrypted-bucket-key ALIAS/encryptedbucket

Write a file to the bucket using mc cp or any S3-compatible SDK with a PutObject function. You can then run mc stat on the file to confirm the associated encryption metadata.