minio/docs
1
0
Fork 0
mirror of https://github.com/minio/docs.git synced 2025-05-28 00:41:14 +03:00
Code
docs/source/includes/windows/common-minio-kes.rst
Daryl White 6d32ddcaa8
Update for early Dec 22 minio release (#671) 
## Updates for `console` early Dec22 releases

- Updated the instructions for registering for SUBNET from an airgapped
Console environment
- Minor typo in IAM doc.

Closes #664

Two of the items in that issue did not actually impact the docs. One
item is just a screenshot update that will be addressed later.

## Updates for `minio` early Dec22 releases
    
- Adds info about `mc` installed with container images
- Adds new envvar for KES enclaves
    
Closes #665

- Updates `mc support inspect` to correct alias to target in command
syntax
2022-12-28 11:41:23 -06:00

6.3 KiB
Raw Blame History

The following commands creates two TLS certificates that expire within 30 days of creation:

  • A TLS certificate for KES to secure communications between it and the Vault deployment
  • A TLS certificate for MinIO to perform mTLS authentication to KES.

Use Caution in Production Environments

DO NOT use the TLS certificates generated as part of this procedure for any long-term development or production environments.

Defer to organization/industry best practices around TLS certificate generation and management. A complete guide to creating valid certificates (e.g. well-formed, current, and trusted) is beyond the scope of this procedure.

# These commands output the certificates to |kescertpath|

C:\kes.exe identity new \  
  --key  |kescertpath|\kes-server.key \  
  --cert |kescertpath|\kes-server.cert \  
  --ip   "127.0.0.1" \  
  --dns  localhost

C:\kes.exe identity new \  
  --key  |miniocertpath|\minio-kes.key \  
  --cert |miniocertpath|\minio-kes.cert \  
  --ip   "127.0.0.1" \  
  --dns  localhost

The --ip and --dns parameters set the IP and DNS SubjectAlternativeName for the certificate. The above example assumes that all components (Vault, MinIO, and KES) deploy on the same local host machine accessible via localhost or 127.0.0.1. You can specify additional IP or Hostnames based on the network configuration of your local host.

Depending on your Vault configuration, you may need to pass the kes-server.cert as a trusted Certificate Authority. See the Hashicorp Server Configuration Documentation for more information. Defer to the client documentation for instructions on trusting a third-party CA.

Download the latest stable release () of KES from github.com/minio/kes <kes/releases/latest>. The following PowerShell command downloads the latest Windows-compatible binary and moves it to the system PATH:

Invoke-WebRequest -Uri "https://github.com/minio/kes/releases/download/|kes-stable|/kes-linux-windows-amd64.exe" -OutFile "C:\kes.exe"

C:\kes.exe --version

Run the following command in a terminal or shell to start the KES server as a foreground process.

C:\kes.exe server --auth --config=|kesconfigpath|\config\kes-config.yaml

Defer to the documentation for your MacOS Operating System version for instructions on running a process in the background.

Run the following command in a terminal or shell to start the MinIO server as a foreground process.

export MINIO_CONFIG_ENV_FILE=|minioconfigpath|\config\minio
C:\minio.exe server --console-address :9090

MinIO requires that the exist on the root KMS before performing operations using that key. Use kes key create or mc admin kms key create to create a new for use with .

The following command uses the kes key create command to create a new External Key (EK) stored on the root KMS server for use with encrypting the MinIO backend.

export KES_SERVER=https://127.0.0.1:7373
export KES_CLIENT_KEY=|miniocertpath|\minio-kes.key
export KES_CLIENT_CERT=|miniocertpath|\minio-kes.cert

C:\kes.exe key create -k encrypted-bucket-key

This procedure provides instructions for modifying the startup environment variables of a MinIO deployment to enable via KES and the root KMS. For instructions on new creating a new deployment, reference the Single-Node Single-Drive <minio-snsd> tutorial.

When creating the environment file for the deployment, pause and switch back to this tutorial to include the necessary environment variables to support .

For existing MinIO Deployments, you can modify the existing environment file and restart the deployment as instructed during this procedure.

Add the following lines to the MinIO Environment file on the Windows host. See the tutorials for minio-snsd for more detailed descriptions of a base MinIO environment file.

This command assumes the minio-kes.cert, minio-kes.key, and kes-server.cert certificates are accessible at the specified location:

# Add these environment variables to the existing environment file

MINIO_KMS_KES_ENDPOINT=https://127.0.0.1:7373
MINIO_KMS_KES_CERT_FILE=|miniocertpath|\minio-kes.cert
MINIO_KMS_KES_KEY_FILE=|miniocertpath|\minio-kes.key
MINIO_KMS_KES_CAPATH=|miniocertpath|\kes-server.cert
MINIO_KMS_KES_KEY_NAME=minio-backend-default-key
MINIO_KMS_KES_ENCLAVE=<name>

MinIO uses the MINIO_KMS_KES_KEY_NAME key for the following cryptographic operations:

  • Encrypting the MinIO backend (IAM, configuration, etc.)
  • Encrypting objects using SSE-KMS <minio-encryption-sse-kms> if the request does not include a specific .
  • Encrypting objects using SSE-S3 <minio-encryption-sse-s3>.

MinIO uses the MINIO_KMS_KES_ENCLAVE key to define the name of the KES enclave to use for stateful KES servers.

  • Replace <name> with the name of the enclave to use.

  • If not defined, MinIO does not send any enclave information. This may result in using the default enclave for stateful KES servers.

    A KES enclave provides an isolated space for its associated keys separate from other enclaves on a stateful KES server.

The minio-kes certificates enable mTLS between the MinIO deployment and the KES server only. They do not otherwise enable TLS for other client connections to MinIO.