This PR simplifies the management of KMS integrations by removing the detailed documentation and linking out to the KES docs site instead. There should be no mention of any specific KMS target. Each OS/platform should have references to the correct paths, OS, and the like.

This completes work started on the KES docs side in https://github.com/minio/kes-docs/pull/48.

Staged:

- [Linux](http://192.241.195.202:9000/staging/ssekms/linux/operations/server-side-encryption/configure-minio-kes.html)
- [Windows](http://192.241.195.202:9000/staging/ssekms/windows/operations/server-side-encryption/configure-minio-kes.html)
- [Kubernetes](http://192.241.195.202:9000/staging/ssekms/k8s/operations/server-side-encryption/configure-minio-kes.html)
- [Containers](http://192.241.195.202:9000/staging/ssekms/container/operations/server-side-encryption/configure-minio-kes.html)
- [MacOS](http://192.241.195.202:9000/staging/ssekms/macos/operations/server-side-encryption/configure-minio-kes.html)
Deploy MinIO and KES with Server-Side Encryption
Prior to starting these steps, create the following folders:
mkdir -p |kescertpath|
mkdir -p |kesconfigpath|
mkdir -p |miniodatapath|
For Windows hosts, substitute the paths with Windows-style paths, e.g. C:\minio-kes-vault\.
Prerequisite
Depending on your chosen supported KMS target <#supported-kms-targets> configuration, you may need to pass the kes-server.cert as a trusted Certificate Authority (CA). Defer to the client documentation for instructions on trusting a third-party CA.
1) Create the KES and MinIO Configurations
Create the KES Configuration File
Create the configuration file using your preferred text editor. The following example uses nano:
nano |kesconfigpath|/kes-config.yaml
Set MINIO_IDENTITY_HASH to the identity hash of the MinIO mTLS certificate. The following command computes the necessary hash:
podman run --rm \
  -v |kescertpath|/certs:/certs \
  kes:|kes-stable| tool identity of /certs/minio-kes.cert
Refer to the instructions for setting up KES for your supported KMS solution <#kes-supported-targets> for additional variables to define specific to your chosen KMS target.
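The identity-hash step above, as an added example that is not part of the MinIO or KES documentation: KES derives a client's identity as the lower-case hex SHA-256 of the certificate's DER-encoded SubjectPublicKeyInfo, so the value that `kes tool identity of` prints can be recomputed with openssl alone and compared against the MINIO_IDENTITY_HASH you put in the KES configuration. A mismatch (for instance after the MinIO certificate is regenerated) means KES will reject MinIO's requests as an unknown identity. The function names, the throwaway self-signed certificate and its file names are assumptions made for this example; in a deployment point it at the real |kescertpath|/minio-kes.cert.

```shell
#!/bin/sh
# Added example (not from the MinIO or KES docs): recompute the KES identity of the
# MinIO client certificate with openssl so MINIO_IDENTITY_HASH can be verified.
# KES identity = hex(SHA-256(DER-encoded SubjectPublicKeyInfo of the certificate)).
set -eu

# kes_identity_of CERT_PEM
# Prints the identity as 64 lower-case hex characters.
kes_identity_of() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -r \
        | cut -d' ' -f1
}

# make_test_cert DIR
# Generates a throwaway self-signed EC certificate as constructed input for this
# example (assumed file names). A real deployment uses |kescertpath|/minio-kes.cert.
make_test_cert() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1/minio-kes.key" -out "$1/minio-kes.cert" \
        -subj "/CN=minio" -days 1 >/dev/null 2>&1
}

# check_identity_hash CERT_PEM EXPECTED
# Succeeds only when EXPECTED (the MINIO_IDENTITY_HASH value written to the KES
# config) equals the identity of CERT_PEM; otherwise KES will not authenticate MinIO.
check_identity_hash() {
    [ "$(kes_identity_of "$1")" = "$2" ]
}

# Usage: sh kes-identity.sh /path/to/minio-kes.cert
if [ "${1:-}" != "" ]; then
    kes_identity_of "$1"
fi
```

Run it against the certificate that MinIO presents to KES, not against the private key: the identity is a function of the public key only, so any certificate carrying the same key pair yields the same identity, and a freshly generated key pair yields a different one.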
Create the MinIO Environment File
Create the environment file using your preferred text editor. The following example uses nano:
nano |minioconfigpath|/minio
2) Create Pod and Containers
3) Generate a New Encryption Key
4) Enable SSE-KMS for a Bucket
You can use either the MinIO Console or the MinIO mc CLI to enable bucket-default SSE-KMS with the generated key:
MinIO Console
Open the MinIO Console by navigating to http://127.0.0.1:9001 in your preferred browser and logging in with the root credentials specified for the MinIO container.
Once logged in, create a new Bucket and name it to your preference.
Select the Gear icon to open the management view.
Select the pencil icon next to the Encryption field to open the modal for configuring a bucket default SSE scheme.
Select SSE-KMS, then enter the name of the key created in the previous step.
Once you save your changes, try to upload a file to the bucket. When viewing that file in the object browser, note that in the sidebar the metadata includes the SSE encryption scheme and information on the key used to encrypt that object. This indicates the successful encrypted state of the object.
MinIO CLI
The following commands:
- Create a new alias <alias> for the MinIO deployment
- Create a new bucket for storing encrypted data
- Enable SSE-KMS encryption on that bucket, using the key created in the previous step
mc alias set local http://127.0.0.1:9000 ROOTUSER ROOTPASSWORD
mc mb local/encryptedbucket
mc encrypt set SSE-KMS encrypted-bucket-key local/encryptedbucket
Write a file to the bucket using mc cp or any S3-compatible SDK with a PutObject function. You can then run mc stat on the file to confirm the associated encryption metadata.