Server-Side Object Encryption with GCP Secret Manager Root KMS

MinIO Server-Side Encryption (SSE) protects objects as part of write operations, allowing clients to take advantage of server processing power to secure objects at the storage layer (encryption-at-rest). SSE also provides key functionality to regulatory and compliance requirements around secure locking and erasure.

MinIO SSE uses Key Encryption Service (KES) and an external root Key Management Service (KMS) for performing secured cryptographic operations at scale. The root KMS provides stateful and secured storage of External Keys (EK) while KES is stateless and derives additional cryptographic keys from the root-managed EK.

This procedure assumes a single host machine running the MinIO and KES containers. As part of this procedure, you will:

Deploy a KES container configured to use GCP Secret Manager as the root KMS.
Create a new EK on Vault for use with SSE.
Deploy a MinIO Server container in Single-Node Single-Drive mode configured to use the KES container for supporting SSE.
Configure automatic bucket-default SSE-KMS.

For production orchestrated environments, use the MinIO Kubernetes Operator to deploy a tenant with SSE enabled and configured for use with GCP Secret Manager.

For production baremetal environments, see the MinIO on Linux documentation for tutorials on configuring MinIO with KES and GCP Secret Manager.

Important

Enabling SSE on a MinIO deployment automatically encrypts the backend data for that deployment using the default encryption key.

MinIO requires access to KES and the root KMS to decrypt the backend and start normally. You cannot disable KES later or “undo” the SSE configuration at a later point.

Prerequisites

GCP Secret Manager

This procedure assumes familiarity with GCP Secret Manager. The Secret Manager Quickstart provides a sufficient foundation for the purposes of this procedure.

MinIO specifically requires the following GCP settings or configurations:

Enable Secret Manager in the project.
Create a new GCP Service Account for supporting KES. Ensure the user has a role with at minimum the following permissions:
```
secretmanager.secrets.create
secretmanager.secrets.delete
secretmanager.secrets.get
```
The Secret manager Admin role meets the minimum required permissions.

GCP should return a set of credentials associated to the new access keys, including private keys. Copy these credentials to a safe and secure location for use with this procedure.

Install Podman or a Similar Container Management Interface

This procedure assumes you have a working Podman installation configured to run in “Rootfull” mode.

“Rootless” modes may not provide sufficient permissions to run KES with the necessary security settings. See the relevant “rootless” documentation for more information.

(Podman) Deploy MinIO and KES with Server-Side Encryption using GCP Secrets Manager

Prior to starting these steps, create the following folders:

mkdir -P ~/minio-kes-gcp/certs
mkdir -P ~/minio-kes-gcp/config
mkdir -P ~/minio-kes-gcp/minio

For Windows hosts, substitute the paths with Windows-style paths, e.g. C:\minio-kes-vault\.

1) Generate TLS Certificates for KES and MinIO

The following commands create two TLS certificates that expire within 30 days of creation:

A TLS certificate for KES to secure communications between it and the Google Cloud Platform Secret Manager service.
A TLS certificate for MinIO to perform mTLS authentication to KES.

Use Caution in Production Environments

DO NOT use the TLS certificates generated as part of this procedure for any long-term development or production environments.

Defer to organization/industry best practices around TLS certificate generation and management. A complete guide to creating valid certificates (e.g. well-formed, current, and trusted) is beyond the scope of this procedure.

# These commands output keys to ~/minio-kes-gcp/certs and ~/minio-kes-gcp/certs on the host operating system

podman run --rm  \
  -v ~/minio-kes-gcp/certs:/certs  \
  quay.io/minio/kes:2024-01-11T13-09-29Z identity new  kes_server \
    --key  /certs/kes-server.key  \
    --cert /certs/kes-server.cert  \
    kes-server

podman run --rm  \
  -v ~/minio-kes-gcp/certs:/certs  \
  quay.io/minio/kes:2024-01-11T13-09-29Z identity new minio_server \
    --key  /certs/minio-kes.key  \
    --cert /certs/minio-kes.cert  \
    minio-server

Depending on your Vault configuration, you may need to pass the kes-server.cert as a trusted Certificate Authority. See the Hashicorp Vault Configuration Docs for more information. Defer to the client documentation for instructions on trusting a third-party CA.

2) Create the KES and MinIO Configurations

Create the KES Configuration File

Create the configuration file using your preferred text editor. The following example uses nano:

nano ~/minio-kes-gcp/config/kes-config.yaml

KES uses a YAML-formatted configuration file. The following YAML provides the minimum required fields for using Hashicorp Vault as the root KMS. You must modify this YAML to reflect your deployment environment.

address: 0.0.0.0:7373

# Disable the root administrator identity, as we do not need that level of access for
# supporting SSE operations.
admin:
  identity: disabled

# Specify the TLS keys generated in the previous step here
# For production environments, use keys signed by a known and trusted Certificate Authority (CA).
tls:
  key:  /certs/kes-server.key
  cert: /certs/kes-server.cert

  # Specify the path to CAs used by KES for validating client certificates
  # This can alternatively be a single CA
  # KES uses these CAs in addition to the system trust store for validating client certificates.

  ca: /certs/CAs/

# Sets access policies for KES
# The `minio` policy grants access to the listed APIs.
policy:
  minio:
    allow:
    - /v1/key/create/*   # You can replace these wildcard '*' with a string prefix to restrict key names
    - /v1/key/generate/* # e.g. '/minio-'
    - /v1/key/decrypt/*
    - /v1/key/bulk/decrypt
    - /v1/key/list/*
    - /v1/status
    - /v1/metrics
    - /v1/log/audit
    - /v1/log/error
    identities:
    - MINIO_API_KEY_HASH # Replace with the hash output returned from kes identity new

# Specify the connection information for the Vault server.
# The endpoint should be resolvable from the host.
# This example assumes that Vault is configured with an AppRole ID and
# Secret for use with KES.
keystore:
  vault:
    endpoint: https://HOSTNAME:8200
    engine: "/path/to/engine" # Replace with the path to the K/V Engine
    version: "v1|v2" # Specify v1 or v2 depending on the version of the K/V Engine
    approle:
      id: "VAULTAPPID"     # Hashicorp Vault AppRole ID
      secret: "VAULTAPPSECRET" # Hashicorp Vault AppRole Secret ID
      retry: 15s
    status:
      ping: 10s
    # Required if Vault uses certificates signed by an unknown CA,
    # e.g. self-signed or internal (non-globally trusted).
    # Replace this value with the full path to the Vault CA certificate.
    tls:
      ca: vault-tls-CA.cert

Set MINIO_IDENTITY_HASH to the identity hash of the MinIO mTLS certificate.

The following command computes the necessary hash:

podman run --rm                                             \
   -v ~/minio-kes-gcp/certs/certs:/certs                                \
   kes:2024-01-11T13-09-29Z tool identity of /certs/minio-kes.cert

Replace the vault.endpoint with the hostname of the Vault server(s).
Replace the VAULTAPPID and VAULTAPPSECRET with the appropriate Vault AppRole credentials.

Create the MinIO Environment File

Create the environment file using your preferred text editor. The following example uses nano:
```
nano ~/minio-kes-gcp/config/minio
```
This command assumes the minio-kes.cert, minio-kes.key, and kes-server.cert certificates are accessible at the specified location:
```
MINIO_ROOT_USER=myminioadmin
MINIO_ROOT_PASSWORD=minio-secret-key-change-me
MINIO_VOLUMES="/mnt/data"

# KES Configurations

MINIO_KMS_KES_ENDPOINT=https://127.0.0.1:7373
MINIO_KMS_KES_CERT_FILE=/certs/minio-kes.cert
MINIO_KMS_KES_KEY_FILE=/certs/minio-kes.key
MINIO_KMS_KES_CAPATH=/certs/server.cert
MINIO_KMS_KES_KEY_NAME=minio-backend-default-key
MINIO_KMS_KES_ENCLAVE=<name>
```
MinIO uses the MINIO_KMS_KES_KEY_NAME key for the following cryptographic operations:
- Encrypting the MinIO backend (IAM, configuration, etc.)
- Encrypting objects using SSE-KMS if the request does not include a specific EK.
- Encrypting objects using SSE-S3.
MinIO uses the MINIO_KMS_KES_ENCLAVE key to define the name of the KES enclave to use.
- Replace <name> with the name of the enclave to use.
- If not defined, MinIO does not send any enclave information. This may result in using the default enclave for stateful KES servers.
  
  A KES enclave isolates its associated keys from other enclaves on a stateful KES server.
The minio-kes certificates enable for mTLS between the MinIO deployment and the KES server only. They do not otherwise enable TLS for other client connections to MinIO.

KES automatically creates this key if it does not already exist on the root KMS.

3) Create Pod and Containers

The commands in this section create the following resources:

A Podman Pod to facilitate container communications
A Container for the KES Server configured to use Google Cloud Platform Secret Manager as the Root KMS.
A Container for a MinIO Server running in Single-Node Single-Drive Mode.

sudo podman pod create  \
  -p 9000:9000 -p 9001:9001 -p 7373:7373  \
  -v ~/minio-kes-gcp/certs:/certs  \
  -v ~/minio-kes-gcp/minio:/mnt/minio  \
  -v ~/minio-kes-gcp/config:/etc/default/  \
  -n minio-kes-gcp

sudo podman run -dt  \
  --cap-add IPC_LOCK  \
  --name kes-server  \
  --pod "minio-kes-gcp"  \
  -e KES_SERVER=https://127.0.0.1:7373  \
  -e KES_CLIENT_KEY=/certs/kes-server.key  \
  -e KES_CLIENT_CERT=/certs/kes-server.cert  \
  quay.io/minio/kes:2024-01-11T13-09-29Z server  \
    --auth  \
    --config=/etc/default/kes-config.yaml  \

sudo podman run -dt  \
  --name minio-server  \
  --pod "minio-kes-gcp"  \
  -e "MINIO_CONFIG_ENV_FILE=/etc/default/minio"  \
  quay.io/minio/minio:RELEASE.2024-02-17T01-15-57Z server  \
    --console-address ":9001"

You can verify the status of the containers using the following commands:

# Should show three pods - one for the Pod, one for KES, and one for MinIO
sudo podman container ls

If all pods are operational, you can connect to the MinIO deployment by opening your browser to http://127.0.0.1:9000 and logging in with the root credentials specified in the MinIO environment file.

4) Generate a New Encryption Key

Unseal Vault Before Creating Key

You must unseal the backing Vault instance before creating new encryption keys. See the Vault documentation on Seal/Unseal for more information.

MinIO requires that the EK exist on the root KMS before performing SSE operations using that key. Use kes key create or mc admin kms key create to create a new EK for use with SSE.

The following command uses the kes key create command to add a new External Key (EK) stored on the root KMS server for use with encrypting the MinIO backend.

sudo podman run --rm  \
  -v ~/minio-kes-gcp/certs:/certs  \
  -e KES_SERVER=https://127.0.0.1:7373  \
  -e KES_CLIENT_KEY=/certs/minio-kes.key  \
  -e KES_CLIENT_CERT=/certs/minio-kes.cert  \
  kes:2024-01-11T13-09-29Z key create -k my-new-encryption-key

You can specify any key name as appropriate for your use case, such as a bucket-specific key minio-mydata-key.

5) Enable SSE-KMS for a Bucket

You can use either the MinIO Console or the MinIO mc CLI to enable bucket-default SSE-KMS with the generated key:

MinIO Console

Open the MinIO Console by navigating to http://127.0.0.1:9001 in your preferred browser and logging in with the root credentials specified to the MinIO container.

Once logged in, create a new Bucket and name it to your preference. Select the Gear icon to open the management view.

Select the pencil icon next to the Encryption field to open the modal for configuring a bucket default SSE scheme.

Select SSE-KMS, then enter the name of the key created in the previous step.

Once you save your changes, try to upload a file to the bucket. When viewing that file in the object browser, note that in the sidebar the metadata includes the SSE encryption scheme and information on the key used to encrypt that object. This indicates the successful encrypted state of the object.

MinIO CLI

The following commands:

Create a new alias for the MinIO deployment
Create a new bucket for storing encrypted data
Enable SSE-KMS encryption on that bucket

mc alias set local http://127.0.0.1:9000 ROOTUSER ROOTPASSWORD

mc mb local/encryptedbucket
mc encrypt set SSE-KMS encrypted-bucket-key ALIAS/encryptedbucket

Write a file to the bucket using mc cp or any S3-compatible SDK with a PutObject function. You can then run mc stat on the file to confirm the associated encryption metadata.

Configuration Reference for GCP Secret Manager Root KMS

The following section describes each of the Key Encryption Service (KES) configuration settings for using GCP Secrets Manager as the root Key Management Service (KMS) for SSE:

Important

Starting with https://github.com/minio/minio/releases/tag/RELEASE.2023-02-17T17-52-43Z, MinIO requires expanded KES permissions for functionality. The example configuration in this section contains all required permissions.

YAML Overview

Fields with ${<STRING>} use the environment variable matching the <STRING> value. You can use this functionality to set credentials without writing them to the configuration file.

The YAML assumes a minimal set of permissions for the MinIO deployment accessing KES. As an alternative, you can omit the policy.minio-server section and instead set the ${MINIO_IDENTITY} hash as the ${ROOT_IDENTITY}.

address: 0.0.0.0:7373
root: ${ROOT_IDENTITY}

tls:
  key: kes-server.key
  cert: kes-server.cert

policy:
  minio-server:
    allow:
    - /v1/key/create/*
    - /v1/key/generate/*
    - /v1/key/decrypt/*
    - /v1/key/bulk/decrypt
    - /v1/key/list/*
    - /v1/status
    - /v1/metrics
    - /v1/log/audit
    - /v1/log/error
    identities:
    - ${MINIO_IDENTITY}

keys:
  - name: "minio-encryption-key-alpha"
  - name: "minio-encryption-key-baker"
  - name: "minio-encryption-key-charlie"

keystore:
  gcp:
    secretmanager:
      project_id: "${GCPPROJECTID}"
      credentials:
        client_email: "${GCPCLIENTEMAIL}"
        client_id: "${GCPCLIENTID}"
        private_key_id: "${GCPPRIVATEKEYID}"
        private_key: "${GCPPRIVATEKEY}"

Reference

Key	Description
`address`	The network address and port the KES server listens to on startup. Defaults to port `7373` on all host network interfaces.
`root`	The identity for the KES superuser (`root`) identity. Clients connecting with a TLS certificate whose hash (`kes identity of client.cert`) matches this value have access to all KES API operations. Specify `disabled` to remove the root identity and rely only on the `policy` configuration for controlling identity and access management to KES.
`tls`	The TLS private key and certificate used by KES for establishing TLS-secured communications. Specify the full path for both the private `.key` and public `.cert` to the `key` and `cert` fields, respectively.
`policy`	Specify one or more policies to control access to the KES server. MinIO SSE requires access to the following KES cryptographic APIs: `/v1/key/create/` `/v1/key/generate/` `/v1/key/decrypt/` Specifying additional keys does not expand MinIO SSE functionality and may violate security best practices around providing unnecessary client access to cryptographic key operations. You can restrict the range of key names MinIO can create as part of performing SSE by specifying a prefix before the ``. For example, `minio-sse-*` only grants access to create, generate, or decrypt keys using the `minio-sse-` prefix. KES uses mTLS to authorize connecting clients by comparing the hash of the TLS certificate against the `identities` of each configured policy. Use the `kes identity of` command to compute the identity of the MinIO mTLS certificate and add it to the `policy.<NAME>.identities` array to associate MinIO to the `<NAME>` policy.
`keys`	Specify an array of keys which must exist on the root KMS for KES to successfully start. KES attempts to create the keys if they do not exist and exits with an error if it fails to create any key. KES does not accept any client requests until it completes validation of all specified keys.
`keystore.gcp.secretmanager`	The configuration for the GCP Secret Manager `project_id` - The GCP Project of the Secret Manager instance. `credentials` - Replace the `credentials` with the credentials for a project user with the required permissions.