Skip to content

Getting Started

Jump to bottom
Andreas Auernhammer edited this page Dec 12, 2019 · 32 revisions

1. Install Keys

Either download the latest release for:

Or build and install it from source:
GO111MODULE=on go get github.com/minio/keys/cmd/key

You will need a working Go environment. Therefore, please follow How to install Go. Minimum version required is go1.13.

2. Setup a key server

  1. Generate a TLS private key and certificate for the key server. For now we use self-signed certificates. For production use cases you must use a certificate issued by a CA.
    • openssl ecparam -genkey -name prime256v1 | openssl ec -out server.key
    • openssl req -new -x509 -days 365 -key server.key -out server.cert -subj "/C=/ST=/L=/O=/CN=localhost"
  2. Create the root identity:
    key tool identity new --key="root.key" --cert="root.cert" root
  3. Switch to a new terminal window and start the key server: 
    key server \
    --mtls-auth=ignore \
    --tls-key="server.key" \
    --tls-cert="server.cert" \
    --root $(key tool identity of root.cert)

3. Use the Client CLI

  1. Switch back to the previous terminal window to set the following environment variables:
    • export KEY_CLIENT_TLS_KEY_FILE=root.key
    • export KEY_CLIENT_TLS_CERT_FILE=root.cert
  2. Now, can you talk to the server and e.g. create a new master key (named my-key):
    key create my-key -k
  3. This key can now be used to derive unique encryption keys for your applications:
    key derive my-key -k 
    {
  plaintext : ...
  ciphertext: ...
}
    The plaintext is a base64-encoded 256 bit key. The ciphertext is the plaintext key encrypted with my-key at the server.
  4. Decrypt the ciphertext and get back the original plaintext key:
    key decrypt my-key -k <base64-ciphertext>

For more CLI commands see:

key --help
usage: key <command>

    server               Start a key server.

    create               Create a new master key at a key server.
    delete               Delete a master key from a key server.

    derive               Derives a new data key from a master key.
    decrypt              Decrypt a encrypted data key using a master key.

    identity             Assign policies to identities.
    policy               Manage the key server policies.

    tool                 Run specific key and identity management tools.

  -h, --help             Show this list of command line options.

Note: You just started a key server with a non-persistent in-memory key store. Therefore, by restarting the server all keys created in between will be destroyed. For durable key stores take a look at the toml or yaml config file - or take a look at the Hashicorp Vault guide.

Clone this wiki locally