KES Environment Variables
This page contains a list of the environment variables available for configuring the MinIO Key Encryption Service.
The endpoint for the MinIO Key Encryption Service (KES) process to use for supporting SSE-S3 and MinIO backend encryption operations.
By default, KES binds to port 7373 on all network interfaces.
The private key associated with the MINIO_KMS_KES_CERT_FILE x.509 certificate to use when authenticating to the KES server.
The KES server requires clients to present their certificate for performing mutual TLS (mTLS).
The x.509 certificate to present to the KES server. The KES server requires clients to present their certificate for performing mutual TLS (mTLS).
The KES server computes an identity from the certificate and compares it to its configured policies. The KES server grants the MinIO server access to only those operations explicitly granted by the policy.
The name of an external key on the Key Management system (KMS) configured on the KES server and used for performing en/decryption operations. MinIO uses this key for the following:
- Encrypting backend data (IAM, server configuration).
- The default encryption key for Server-Side Encryption with SSE-KMS.
- The encryption key for Server-Side Encryption with SSE-S3.
Use this optional environment variable to define the name of a KES enclave. A KES enclave provides an isolated space for its associated keys separate from other enclaves on a stateful KES server.
If not set, MinIO does not send enclave information. For a stateful KES server, this results in using the default enclave.
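The following script is an added example, not part of the MinIO documentation or the MinIO project. It exports the KES client settings described above and sanity-checks them before the MinIO server starts: the endpoint must be an https URL, the mTLS certificate and private key must be readable, the private key must not be group- or world-accessible, and the external key name must be set. The variable names other than MINIO_KMS_KES_CERT_FILE are assumed from the MinIO documentation, and every path, host and key name is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the MinIO docs): export the KES-related MinIO
# environment variables and sanity-check them before starting the server.
# Variable names other than MINIO_KMS_KES_CERT_FILE are assumed; all values
# below are constructed placeholders, not real hosts, files or keys.
export MINIO_KMS_KES_ENDPOINT="https://kes.example.internal:7373"
export MINIO_KMS_KES_KEY_FILE="/etc/minio/certs/minio-kes.key"
export MINIO_KMS_KES_CERT_FILE="/etc/minio/certs/minio-kes.crt"
export MINIO_KMS_KES_KEY_NAME="minio-backend-default-key"
# Optional: leave unset so a stateful KES server uses its default enclave.
# export MINIO_KMS_KES_ENCLAVE="tenant-a"

# check_kes_env: returns 0 when the variables describe a usable mTLS client
# configuration, 1 otherwise, printing each problem found to stderr.
check_kes_env() {
    rc=0
    # KES only speaks TLS, so the endpoint must be an https:// URL.
    case "$MINIO_KMS_KES_ENDPOINT" in
        https://*) ;;
        *) echo "MINIO_KMS_KES_ENDPOINT must be an https:// URL" >&2; rc=1 ;;
    esac
    # KES requires the client certificate for mTLS, and MinIO needs the
    # matching private key to prove possession of it.
    if [ ! -r "$MINIO_KMS_KES_CERT_FILE" ]; then
        echo "MINIO_KMS_KES_CERT_FILE not readable: $MINIO_KMS_KES_CERT_FILE" >&2
        rc=1
    fi
    if [ ! -r "$MINIO_KMS_KES_KEY_FILE" ]; then
        echo "MINIO_KMS_KES_KEY_FILE not readable: $MINIO_KMS_KES_KEY_FILE" >&2
        rc=1
    else
        # The identity KES derives from the certificate is only as safe as
        # this key, so group/other permission bits (columns 5-10 of ls -l)
        # must all be '-'.
        others=$(ls -ld "$MINIO_KMS_KES_KEY_FILE" | cut -c5-10)
        case "$others" in
            ------) ;;
            *) echo "MINIO_KMS_KES_KEY_FILE is group/world accessible ($others)" >&2
               rc=1 ;;
        esac
    fi
    # Without a key name MinIO has nothing to wrap data keys with.
    if [ -z "$MINIO_KMS_KES_KEY_NAME" ]; then
        echo "MINIO_KMS_KES_KEY_NAME is empty" >&2
        rc=1
    fi
    return $rc
}

# Usage: run the check before launching the MinIO server.
if check_kes_env; then
    echo "KES client configuration looks sane"
else
    echo "fix the problems above before starting MinIO" >&2
fi
```

The permission check uses the `ls -l` mode string rather than `stat` so it behaves the same on GNU and BSD userlands; any non-dash in the group or other columns fails the check.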