kes server


The kes server command starts a MinIO Key Encryption Server (KES). The server handles requests to create and retrieve cryptographic keys from a supported Key Management System (KMS). KES is a required component for enabling Server-Side Object Encryption in MinIO deployments.

Defaults to using unless specified in the config file or the --addr parameter.


kes server              \
    --addr <IP:PORT>    \
    --config <path>     \
    --key <path>        \
    --cert <path>



--addr

The IP address and port to use for the server.

If not specified, the default value is


--auth

Controls how the server handles mTLS authentication.

By default, the server requires a client certificate and verifies that certificate has been issued by a trusted certificate authority.

  • Require a certificate and verify its validity: --auth=on (default)
  • Require a certificate, but do not verify its validity: --auth=off

If turned off, the server accepts arbitrary client certificates, but continues to map them to policies. This disables authentication, but does not disable authorization.

Disable auth only in testing environments.


--cert

Path to the TLS certificate.

If also present in the specified config file, the cert entered here takes precedence.


--config

Path to the YAML-formatted config file to use for the KES server.


--key

Path to the KES server private key that corresponds to the X.509 server certificate.

If also present in the specified config file, the key entered here takes precedence.


kes server --config config.yml --auth=off
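
Because --auth=off should stay confined to testing, a deployment check can flag launch commands that carry it. The script below is an added example, not part of the MinIO documentation or the KES project; the function names, the sample lines, and the handling of a space-separated "--auth off" are assumptions.

```shell
#!/bin/sh
# Added example, not KES project code. Function names are hypothetical.

# kes_auth_mode CMDLINE: print "off" if the line starts `kes server` with
# certificate verification disabled, "on" if it starts one with the default,
# and "n/a" if it does not start a KES server at all.
kes_auth_mode() {
    mode="n/a"; prev=""
    set -f                                  # no globbing while word-splitting
    for tok in $1; do
        case "$prev:$tok" in
            kes:server|*/kes:server)        # page default: --auth=on
                if [ "$mode" = "n/a" ]; then mode=on; fi ;;
        esac
        if [ "$mode" != "n/a" ]; then
            # Any "off" wins, even if --auth=on also appears (conservative).
            # "--auth off" with a space is an assumed spelling; the page
            # itself only shows --auth=off.
            if [ "$tok" = "--auth=off" ]; then mode=off; fi
            if [ "$prev" = "--auth" ] && [ "$tok" = "off" ]; then mode=off; fi
        fi
        prev=$tok
    done
    set +f
    printf '%s\n' "$mode"
}

# audit_kes_auth: read launch command lines on stdin, print the ones that
# disable verification, and return 1 if any were found.
audit_kes_auth() {
    found=0
    while IFS= read -r line; do
        if [ "$(kes_auth_mode "$line")" = off ]; then
            printf 'auth disabled: %s\n' "$line"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample lines (unit-file and shell style), not real deployments.
SAMPLE_CMDS='ExecStart=/usr/local/bin/kes server --config /etc/kes/config.yml
kes server --config config.yml --auth=off
kes server --addr 10.0.0.5:7373 --auth off --config config.yml
minio server /data'

printf '%s\n' "$SAMPLE_CMDS" | audit_kes_auth ||
    echo "review the lines above before deploying outside a test environment"
```

Feed it ExecStart lines from unit files or the command column of a process listing; a non-zero exit status can fail a deployment pipeline.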