Getting Started
Andreas Auernhammer edited this page Dec 12, 2019 · 32 revisions
Either download the latest release for:
Or build and install it from source:
GO111MODULE=on go get github.com/minio/keys/cmd/key
You will need a working Go environment; see How to install Go. The minimum required version is go1.13.
- Generate a TLS private key and certificate for the key server. For now we use self-signed certificates. For production use cases you must use a certificate issued by a CA.
openssl ecparam -genkey -name prime256v1 | openssl ec -out server.key
openssl req -new -x509 -days 365 -key server.key -out server.cert -subj "/C=/ST=/L=/O=/CN=localhost"
- Create the root identity:
key tool identity new --key="root.key" --cert="root.cert" root
- Switch to a new terminal window and start the key server:
key server \
  --mtls-auth=ignore \
  --tls-key="server.key" \
  --tls-cert="server.cert" \
  --root $(key tool identity of root.cert)
- Switch back to the previous terminal window to set the following environment variables:
export KEY_CLIENT_TLS_KEY_FILE=root.key
export KEY_CLIENT_TLS_CERT_FILE=root.cert
- Now you can talk to the server and, for example, create a new master key (named my-key):
key create my-key -k
- This key can now be used to derive unique encryption keys for your applications:
key derive my-key -k
{ plaintext : ... ciphertext: ... }
The plaintext is a base64-encoded 256-bit key. The ciphertext is the plaintext key encrypted with my-key at the server.
- Decrypt the ciphertext and get back the original plaintext key:
key decrypt my-key -k <base64-ciphertext>
For more CLI commands see:
key --help
usage: key <command>
server Start a key server.
create Create a new master key at a key server.
delete Delete a master key from a key server.
derive Derives a new data key from a master key.
decrypt Decrypt a encrypted data key using a master key.
identity Assign policies to identities.
policy Manage the key server policies.
tool Run specific key and identity management tools.
-h, --help Show this list of command line options.
Note: You just started a key server with a non-persistent in-memory key store, so restarting the server destroys every key created since it was started. For durable key stores take a look at the toml or yaml config file, or at the Hashicorp Vault guide.