KES Environment Variables

This page contains a list of the environment variables available for configuring the MinIO Key Encryption Service.

MINIO_KMS_KES_ENDPOINT

The endpoint for the MinIO Key Encryption Service (KES) process to use for supporting SSE-S3 and MinIO backend encryption operations. By default, KES binds to port 7373 on all network interfaces.

MINIO_KMS_KES_KEY_FILE

The private key associated with the MINIO_KMS_KES_CERT_FILE X.509 certificate to use when authenticating to the KES server. The KES server requires clients to present their certificate for performing mutual TLS (mTLS).

MINIO_KMS_KES_CERT_FILE

The X.509 certificate to present to the KES server. The KES server requires clients to present their certificate for performing mutual TLS (mTLS).

The KES server computes an identity from the certificate and compares it to its configured policies. The KES server grants the MinIO server access to only those operations explicitly granted by the policy.
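The three variables above only work together if the endpoint is a TLS URL, the private key actually belongs to the certificate, and the identity KES derives from that certificate appears in a KES policy. The following Go program is an added pre-flight check, not code from MinIO or KES: it validates the endpoint, proves the key/cert pairing with tls.X509KeyPair, and prints the identity to compare against the policy. It assumes KES derives the identity as hex(SHA-256(SubjectPublicKeyInfo)), which is what `kes identity of` prints; confirm against that command for your KES release. The self-signed client certificate and the host kes.example.internal are constructed stand-ins for the real files and endpoint.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// KESClientConfig mirrors the three environment variables discussed above.
type KESClientConfig struct {
	Endpoint string // MINIO_KMS_KES_ENDPOINT
	CertPEM  []byte // contents of MINIO_KMS_KES_CERT_FILE
	KeyPEM   []byte // contents of MINIO_KMS_KES_KEY_FILE
}

// Preflight validates the client configuration before it is handed to MinIO:
//   - the endpoint must be an absolute https URL with a host (KES only speaks TLS);
//   - the private key must match the certificate, or the mTLS handshake fails;
//   - it returns the identity KES would derive from the certificate, so the
//     operator can compare it with the identity named in the KES policy.
func Preflight(cfg KESClientConfig) (string, error) {
	u, err := url.Parse(cfg.Endpoint)
	if err != nil {
		return "", fmt.Errorf("endpoint: %w", err)
	}
	if u.Scheme != "https" || u.Host == "" {
		return "", errors.New("endpoint must be an https:// URL with a host")
	}
	// X509KeyPair rejects a key that does not belong to the certificate.
	pair, err := tls.X509KeyPair(cfg.CertPEM, cfg.KeyPEM)
	if err != nil {
		return "", fmt.Errorf("cert/key mismatch or unparsable: %w", err)
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return "", err
	}
	return IdentityOf(leaf), nil
}

// IdentityOf computes hex(SHA-256(SubjectPublicKeyInfo DER)).
// Assumption: this is the derivation behind `kes identity of`; verify it
// against that command for the KES release in use.
func IdentityOf(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// NewSelfSignedClientCert builds a throwaway client certificate and key in
// memory: constructed test data standing in for the files on disk.
func NewSelfSignedClientCert(cn string) (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

func main() {
	certPEM, keyPEM, err := NewSelfSignedClientCert("minio")
	if err != nil {
		panic(err)
	}
	id, err := Preflight(KESClientConfig{
		Endpoint: "https://kes.example.internal:7373", // placeholder endpoint
		CertPEM:  certPEM,
		KeyPEM:   keyPEM,
	})
	if err != nil {
		panic(err)
	}
	fmt.Println("KES identity for this client certificate:", id)
}
```

In practice, read CertPEM and KeyPEM from the files named by MINIO_KMS_KES_CERT_FILE and MINIO_KMS_KES_KEY_FILE instead of generating them; the identity printed is the value that must appear in the KES policy, and a rotated client certificate with a new key pair changes it.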

MINIO_KMS_KES_KEY_NAME

The name of an external key on the Key Management System (KMS) configured on the KES server and used for performing encryption and decryption operations. MinIO uses this key for the following:

  • Encrypting backend data (IAM, server configuration).
  • The default encryption key for Server-Side Encryption with SSE-KMS.
  • The encryption key for Server-Side Encryption with SSE-S3.

MINIO_KMS_KES_ENCLAVE

Use this optional environment variable to define the name of a KES enclave. A KES enclave provides an isolated space for its associated keys separate from other enclaves on a stateful KES server.

If not set, MinIO does not send enclave information. For a stateful KES server, this results in using the default enclave.