kes key dek
Overview
Generate a new data encryption key (DEK) from a secret key on the KES server.
The output of the command includes both a plaintext key and a ciphertext representation. The output resembles the following:
plaintext: kk/+NxO1LHb9ilbai7B9qo60649zNPmSVuJ2akEJFQ4=
ciphertext: lbFBRVMyNTYtR0NNX1NIQTI1NtkgMTRlYjE3YWVjMTBjZDMxYTZiYzAwNmJhODFkNjM1ODnEEKOclQFBMYNZ3dVJPCrldAHEDLkZD9YgLpFW77+8b8Qw7Tn/6tFhyYUoFzS4+jYv8ty/Y5bqKzU6lPUEq/O8xEnYs92wEyvdSfTpTDEH8a8Q
To encrypt or decrypt the keys, use kes key encrypt or kes key decrypt.
Syntax
kes key dek
<name> \
[<context>] \
[--insecure, -k]
Parameters
name
Required
The short identifier for the key to use for the data encryption key.
context
Optional
The context value to scope the request for a data encryption key.
You create contexts in the kubeconfig file of a Kubernetes deployment to define a set of cluster, namespace, and user configuration to use.
--insecure, -k
Optional
Directs the command to skip X.509 certificate validation during the TLS handshake with the KES server. This allows connections to KES servers using untrusted certificates (i.e. self-signed or issued by an unknown Certificate Authority).
MinIO strongly recommends against using this option in production environments.
Examples
kes key dek my-key
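How an application might consume the two output fields for envelope encryption, as an added example that is not MinIO's or the KES project's code: the plaintext key is used locally for AES-256-GCM and only the ciphertext key is kept with the data. The function names, the 32-byte key check, and the use of the ciphertext as associated data are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// Constructed input: the sample output shown on this page (no KES server needed).
const sampleOutput = "plaintext: kk/+NxO1LHb9ilbai7B9qo60649zNPmSVuJ2akEJFQ4=\nciphertext: lbFBRVMyNTYtR0NNX1NIQTI1NtkgMTRlYjE3YWVjMTBjZDMxYTZiYzAwNmJhODFkNjM1ODnEEKOclQFBMYNZ3dVJPCrldAHEDLkZD9YgLpFW77+8b8Qw7Tn/6tFhyYUoFzS4+jYv8ty/Y5bqKzU6lPUEq/O8xEnYs92wEyvdSfTpTDEH8a8Q"
// LoadDEK turns `kes key dek` output into an AES-256-GCM cipher plus the wrapped DEK.
func LoadDEK(out string) (cipher.AEAD, string, error) {
	f := strings.Fields(out)
	if len(f) != 4 || f[0] != "plaintext:" || f[2] != "ciphertext:" {
		return nil, "", fmt.Errorf("unexpected kes key dek output")
	}
	key, err := base64.StdEncoding.DecodeString(f[1])
	if err != nil || len(key) != 32 {
		return nil, "", fmt.Errorf("plaintext is not a 32-byte base64 key")
	}
	block, _ := aes.NewCipher(key) // cannot fail: key length checked above
	aead, err := cipher.NewGCM(block)
	return aead, f[3], err
}

// Seal encrypts data; the wrapped DEK is authenticated as associated data.
func Seal(a cipher.AEAD, wrapped string, data []byte) ([]byte, error) {
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return a.Seal(nonce, nonce, data, []byte(wrapped)), nil // nonce || ciphertext || tag
}

// Open reverses Seal and fails if the data or the wrapped DEK was altered.
func Open(a cipher.AEAD, wrapped string, sealed []byte) ([]byte, error) {
	if n := a.NonceSize(); len(sealed) >= n {
		return a.Open(nil, sealed[:n], sealed[n:], []byte(wrapped))
	}
	return nil, fmt.Errorf("sealed data too short")
}

func main() {
	a, wrapped, _ := LoadDEK(sampleOutput)
	sealed, err := Seal(a, wrapped, []byte("object data"))
	fmt.Printf("store %d sealed bytes beside wrapped DEK %.12s... (err=%v)\n", len(sealed), wrapped, err)
}
```

To read the data back later, the stored ciphertext key is passed to kes key decrypt and the recovered plaintext keys the same cipher for Open.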