docs/source/includes/windows/steps-configure-minio-kes-hashicorp.rst

Deploy MinIO and KES with Server-Side Encryption using Hashicorp Vault

Prior to starting these steps, create the following folders:

New-Item -Path "|kescertpath|" -ItemType "directory"
New-Item -Path "|kesconfigpath|" -ItemType "directory"
New-Item -Path "|miniodatapath|" -ItemType "directory"

1) Download KES for Windows

2) Generate TLS Certificates for KES and MinIO

Depending on your Vault configuration, you may need to pass the kes-server.cert as a trusted Certificate Authority. See the Hashicorp Vault Configuration Docs for more information. Defer to the client documentation for instructions on trusting a third-party CA.

3) Create the KES and MinIO Configurations

1. Create the KES Configuration File

   Create the configuration file using your preferred text editor. The following example uses the Windows Notepad program:

   notepad |kesconfigpath|\kes-config.yaml

   • Set MINIO_IDENTITY_HASH to the identity hash of the MinIO mTLS certificate.

     The following command computes the necessary hash:

     kes.exe tool identity of |miniocertpath|/minio-kes.cert

   • Replace the REGION with the appropriate region for AWS Secrets Manager. The value must match for both endpoint and region.

   • Set AWSACCESSKEY and AWSSECRETKEY to the appropriate AWS Credentials <minio-sse-aws-prereq-aws>.

2. Create the MinIO Environment File

   Create the environment file using your preferred text editor. The following example uses the Windows Notepad program:

   notepad |minioconfigpath|\minio

4) Start KES and MinIO

You must start KES before starting MinIO. The MinIO deployment requires access to KES as part of its startup.

1. Start the KES Server
2. Start the MinIO Server

5) Generate a New Encryption Key

6) Enable SSE-KMS for a Bucket