-
Notifications
You must be signed in to change notification settings - Fork 98
MinIO Object Storage
This guide shows how to setup a KES server and then configure a MinIO server as KES client for object encryption.
╔═══════════════════════════════════════╗
║ ┌───────────┐ ┌────────────┐ ║ ┌─────────┐
║ │ MinIO ├──────────┤ KES Server ├─╫────────┤ KMS │
║ └───────────┘ └────────────┘ ║ └─────────┘
╚═══════════════════════════════════════╝
Here, we focus on a simple KES server setup. Therefore, we use the local filesystem as key store and omit the KMS integration. However, you can of course choose any supported KMS implementation that meets your requirements.
1. Generate KES Server Private Key & Certificate
First, we need to generate a TLS private key and certificate for our KES server. A KES server can only be run with TLS - since secure-by-default. Here we use self-signed certificates for simplicity.
The following command generates a new TLS private key (private.key) and
a self-signed X.509 certificate (public.crt) issued for the IP 127.0.0.1
and DNS name localhost:
$ kes identity new --ip "127.0.0.1" --cert=public.crt --key=private.key localhost
Private key: private.key
Certificate: public.crt
Identity: 2e897f99a779cf5dd147e58de0fe55a494f546f4dcae8bc9e5426d2b5cd35680If you already have a TLS private key & certificate - e.g. from a WebPKI or internal CA - you can use them instead. Remember to adjust the
tlsconfig section later on.
2. Generate MinIO Credentials
MinIO needs some credentials to access the KES server. The following command generates a new TLS private/public key pair:
$ kes identity new --key=client.key --cert=client.crt MinIO
Private key: client.key
Certificate: client.crt
Identity: 02ef5321ca409dbc7b10e7e8ee44d1c3b91e4bf6e2198befdebee6312745267bThe identity 02ef5321ca409dbc7b10e7e8ee44d1c3b91e4bf6e2198befdebee6312745267b
is an unique fingerprint of the public key in client.crt and you can re-compute
it anytime:
$ kes identity of client.crt
Identity: 02ef5321ca409dbc7b10e7e8ee44d1c3b91e4bf6e2198befdebee6312745267b3. Configure KES Server
Next, we can create the KES server configuration file: config.yml.
Please, make sure that the identity in the policy section matches
your client.crt identity.
address: 0.0.0.0:7373 # Listen on all network interfaces on port 7373
admin:
identity: disabled # We disable the admin identity since we don't need it in this guide
tls:
key: private.key # The KES server TLS private key
cert: public.crt # The KES server TLS certificate
policy:
my-app:
allow:
- /v1/key/create/minio-*
- /v1/key/generate/minio-*
- /v1/key/decrypt/minio-*
identities:
- 02ef5321ca409dbc7b10e7e8ee44d1c3b91e4bf6e2198befdebee6312745267b # Use the identity of your client.crt
keystore:
fs:
path: ./keys # Choose a directory for the secret keys4. Start KES Server
Now, we can start a KES server instance:
$ kes server --config config.yml --auth off
On linux, KES can use the
mlocksyscall to prevent the OS from writing in-memory data to disk (swapping). This prevents leaking senstive data accidentality. The following command allows KES to use the mlock syscall without running with root privileges:$ sudo setcap cap_ipc_lock=+ep $(readlink -f $(which kes))Then, we can start a KES server instance with memory protection:
$ kes server --config config.yml --auth off --mlock
1. Install MinIO
You can either download a static binary or follow the MinIO Quickstart Guide.
2. Set MINIO_KMS_KES_ENDPOINT
MinIO needs to know to which KES server it should talk to:
export MINIO_KMS_KES_ENDPOINT=https://127.0.0.1:73733. Set MinIO Client Credentials
Further, MinIO needs some access credentials to talk to a KES server. Either an API key:
export MINIO_KMS_KES_API_KEY=<your-key>or a TLS private key and client certificate:
export MINIO_KMS_KES_CERT_FILE=client.crtexport MINIO_KMS_KES_KEY_FILE=client.key4. Set MinIO Default Key
MinIO needs a default key that it will use if its S3 client does not specify an encryption key.
export MINIO_KMS_KES_KEY_NAME=minio-default-keyMinIO will create this key automatically if it doesn't exist.
5. Trust the KES Server Certificate
When using self-signed certificates, MinIO cannot verify the the KES server certificate. Therefore, we establish the trust relationship manually.
export MINIO_KMS_KES_CAPATH=public.crtHere,
public.crtis the public certificate of the KES server.
This step is optional if the KES server uses a certificate issued by a trusted CA.
6. Start MinIO Server
First, set the MinIO root credentials:
export MINIO_ROOT_USER=minio
export MINIO_ROOT_PASSWORD=minio123Then, start MinIO:
minio server /dataYou can enable server-side encryption on a specific bucket using the
PutBucketEncryption S3 API.
This can be done quite easily with mc.
1. Create Key
First, create a new key for your bucket. For example:
mc admin kms key create <alias> minio-my-bucketUse your MinIO server alias.
2. Configure Bucket
Then, add a server-side encryption configuration to your bucket. For example:
mc encrypt set sse-kms minio-my-bucket <alias>/my-bucketUse your MinIO server alias.