-
Notifications
You must be signed in to change notification settings - Fork 98
MinIO Object Storage
This guide shows how to setup a KES server and then configure a MinIO server as KES client for object encryption.
βββββββββββββββββββββββββββββββββββββββββ
β βββββββββββββ ββββββββββββββ β βββββββββββ
β β MinIO ββββββββββββ€ KES Server βββ«βββββββββ€ KMS β
β βββββββββββββ ββββββββββββββ β βββββββββββ
βββββββββββββββββββββββββββββββββββββββββ
Here, we focus on a simple KES server setup. Therefore, we use the local filesystem as key store and omit the KMS integration. However, you can of course choose any supported KMS implementation that meets your requirements.
1. Generate KES Server Private Key & Certificate
First, we need to generate a TLS private key and certificate for our KES server. A KES server can only be run with TLS - since secure-by-default. Here we use self-signed certificates for simplicity.
The following command generates a new TLS private key (private.key
) and
a self-signed X.509 certificate (public.crt
) issued for the IP 127.0.0.1
and DNS name localhost
:
$ kes identity new --ip "127.0.0.1" --cert=public.crt --key=private.key localhost
Private key: private.key
Certificate: public.crt
Identity: 2e897f99a779cf5dd147e58de0fe55a494f546f4dcae8bc9e5426d2b5cd35680
If you already have a TLS private key & certificate - e.g. from a WebPKI or internal CA - you can use them instead. Remember to adjust the
tls
config section later on.
2. Generate MinIO Credentials
MinIO needs some credentials to access the KES server. The following command generates a new TLS private/public key pair:
$ kes identity new --key=client.key --cert=client.crt MinIO
Private key: client.key
Certificate: client.crt
Identity: 02ef5321ca409dbc7b10e7e8ee44d1c3b91e4bf6e2198befdebee6312745267b
The identity 02ef5321ca409dbc7b10e7e8ee44d1c3b91e4bf6e2198befdebee6312745267b
is an unique fingerprint of the public key in client.crt
and you can re-compute
it anytime:
$ kes identity of client.crt
Identity: 02ef5321ca409dbc7b10e7e8ee44d1c3b91e4bf6e2198befdebee6312745267b
3. Configure KES Server
Next, we can create the KES server configuration file: config.yml
.
Please, make sure that the identity in the policy section matches
your client.crt
identity.
address: 0.0.0.0:7373 # Listen on all network interfaces on port 7373
admin:
identity: disabled # We disable the admin identity since we don't need it in this guide
tls:
key: private.key # The KES server TLS private key
cert: public.crt # The KES server TLS certificate
policy:
my-app:
allow:
- /v1/key/create/minio-*
- /v1/key/generate/minio-*
- /v1/key/decrypt/minio-*
identities:
- 02ef5321ca409dbc7b10e7e8ee44d1c3b91e4bf6e2198befdebee6312745267b # Use the identity of your client.crt
keystore:
fs:
path: ./keys # Choose a directory for the secret keys
4. Start KES Server
Now, we can start a KES server instance:
$ kes server --config config.yml --auth off
On linux, KES can use the
mlock
syscall to prevent the OS from writing in-memory data to disk (swapping). This prevents leaking senstive data accidentality. The following command allows KES to use the mlock syscall without running with root privileges:$ sudo setcap cap_ipc_lock=+ep $(readlink -f $(which kes))
Then, we can start a KES server instance with memory protection:
$ kes server --config config.yml --auth off --mlock
1. Install MinIO
You can either download a static binary or follow the MinIO Quickstart Guide.
2. Set MINIO_KMS_KES_ENDPOINT
MinIO needs to know to which KES server it should talk to:
export MINIO_KMS_KES_ENDPOINT=https://127.0.0.1:7373
3. Set MinIO Client Credentials
Further, MinIO needs some access credentials to talk to a KES server. Either an API key:
export MINIO_KMS_KES_API_KEY=<your-key>
or a TLS private key and client certificate:
export MINIO_KMS_KES_CERT_FILE=client.crt
export MINIO_KMS_KES_KEY_FILE=client.key
4. Set MinIO Default Key
MinIO needs a default key that it will use if its S3 client does not specify an encryption key.
export MINIO_KMS_KES_KEY_NAME=minio-default-key
MinIO will create this key automatically if it doesn't exist.
5. Trust the KES Server Certificate
When using self-signed certificates, MinIO cannot verify the the KES server certificate. Therefore, we establish the trust relationship manually.
export MINIO_KMS_KES_CAPATH=public.crt
Here,
public.crt
is the public certificate of the KES server.
This step is optional if the KES server uses a certificate issued by a trusted CA.
6. Start MinIO Server
First, set the MinIO root credentials:
export MINIO_ROOT_USER=minio
export MINIO_ROOT_PASSWORD=minio123
Then, start MinIO:
minio server /data
You can enable server-side encryption on a specific bucket using the
PutBucketEncryption
S3 API.
This can be done quite easily with mc
.
1. Create Key
First, create a new key for your bucket. For example:
mc admin kms key create <alias> minio-my-bucket
Use your MinIO server alias.
2. Configure Bucket
Then, add a server-side encryption configuration to your bucket. For example:
mc encrypt set sse-kms minio-my-bucket <alias>/my-bucket
Use your MinIO server alias.