minio/docs
1
0
Fork 0
mirror of https://github.com/minio/docs.git synced 2025-05-28 00:41:14 +03:00
Code
docs/source/includes/linux/steps-configure-minio-kes-hashicorp.rst

5.7 KiB
Raw Blame History

Enable Server-Side Encryption using Hashicorp Vault in Production Environments

This procedure provides instructions for configuring and enabling Server-Side Encryption using Hashicorp Vault in production environments. Specifically, this procedure assumes the following:

  • An existing production-grade Vault deployment
  • One or more hosts for deploying KES
  • One or more hosts for a new or existing MinIO deployment

Set Up Folder Hierarchy

Create the following folders on the KES and MinIO host machines if they do not already exist:

KES Hosts

mkdir -P |kescertpath|
mkdir -P |kesconfigpath|

MinIO Hosts

mkdir -P |miniocertpath|

This procedure uses these paths in the following steps. If you use different paths, make the necessary modifications for each step to reflect those changes

1) Download KES and Create the Service File

  1. Download KES
  2. Create the Service File

2) Generate TLS Certificates for KES and MinIO

Depending on your Vault configuration, you may also need to specify the CA used to sign the KES certificates to the Vault server. See the Hashicorp Vault Configuration Docs for more information. Defer to the client documentation for instructions on trusting a third-party CA.

3) Create the KES and MinIO Configurations

Important

Starting with RELEASE.2023-02-17T17-52-43Z, MinIO requires expanded KES permissions for functionality. The example configuration in this section contains all required permissions.

  1. Create the KES Configuration File

    Create the configuration file using your preferred text editor. The following example uses nano:

    nano /opt/kes/config.yaml

    • Set MINIO_IDENTITY_HASH to the identity hash of the MinIO mTLS certificate.

      The following command computes the necessary hash:

      kes identity of |miniocertpath|/minio-kes.cert

    • Replace the keystore.vault.endpoint with the hostname of the Vault server(s).

    • Replace keystore.vault.engine and keystore.vault.version with the path and version of the KV engine used for storing secrets.

    • Replace the VAULTAPPID and VAULTAPPSECRET with the appropriate Vault AppRole credentials <minio-sse-vault-prereq-vault>.

    • Modify the keystore.vault.tls.ca value to correspond to the path to the Vault CA (Certificate Authority) certificate used to sign the Vault TLS keys.

  2. Configure the MinIO Environment File

    Modify the MinIO Server environment file for all hosts in the target deployment to include the following environment variables.

    MinIO defaults to expecting this file at /etc/default/minio. If you modified your deployment to use a different location for the environment file, modify the file at that location.

4) Start KES and MinIO

You must start KES before starting MinIO. The MinIO deployment requires access to KES as part of its startup.

This step uses systemd for starting and managing both the KES and MinIO server processes:

  1. Start the KES Service on All Hosts
  2. Start the MinIO Server

5) Generate a New Encryption Key

6) Enable SSE-KMS for a Bucket