KES Environment Variables

This page contains a list of the environment variables available for configuring the MinIO Key Encryption Service.

The endpoint for the MinIO Key Encryption Service (KES) process to use for supporting SSE-S3 and MinIO backend encryption operations. By default, KES binds to port 7373 on all network interfaces.

The private key associated to the the MINIO_KMS_KES_CERT_FILE x.509 certificate to use when authenticating to the KES server. The KES server requires clients to present their certificate for performing mutual TLS (mTLS).

The x.509 certificate to present to the KES server. The KES server requires clients to present their certificate for performing mutual TLS (mTLS).

The KES server computes an identity from the certificate and compares it to its configured policies. The KES server grants the MinIO server access to only those operations explicitly granted by the policy.

The name of an external key on the Key Management system (KMS) configured on the KES server and used for performing en/decryption operations. MinIO uses this key for the following:

• Encrypting backend data ( IAM, server configuration).
• The default encryption key for Server-Side Encryption with SSE-KMS.
• The encryption key for Server-Side Encryption with SSE-S3.