MinIO Server Documentation
Customer Login
Product
MinIO Enterprise Object Store
Overview Architecture
Features
MinIO for Public Cloud
AWS GCS Azure
MinIO for Private Cloud
OpenShift SUSE Rancher Tanzu
MinIO for Baremetal
Linux and Windows
Determine your raw and usable capacity Erasure Code Calculator MinIO's Recommended Hardware Configuration Reference Hardware
Solutions
AI Storage Object storage is powering the AI revolution. Learn how MinIO is leading the AI storage market through performance at scale. Modern Datalakes Modern, multi-engine datalakes depend on object stores that deliver performance at scale. Learn more about this core MinIO use case. Hybrid Cloud Effective multi-cloud storage strategies rely on utilizing architecture and tools that can function seamlessly across diverse environments. Equinix Repatriate your data onto the cloud you control with MinIO on Equinix to lower costs while maintaining public cloud adjacency. Splunk Find out how MinIO is delivering performance at scale for Splunk SmartStores. Snowflake Query and analyze multiple data sources, including streaming data, residing on MinIO with the Snowflake Data Cloud. No need to move the data, just query using SnowSQL. SQL Server Discover how to pair SQL Server 2022 with MinIO to run queries on your data on any cloud - without having to move it. HDFS Migration Modernize and simplify your big data storage infrastructure with high-performance, Kubernetes-native object storage from MinIO. VMware Discover how MinIO integrates with VMware across the portfolio from the Persistent Data platform to TKG and how we support their Kubernetes ambitions. Veeam Learn how MinIO and Veeam have partnered to drive performance and scalability for a variety of backup use cases. Commvault Learn how Commvault and MinIO are partnered to deliver performance at scale for mission critical backup and restore workloads. Integrations Browse our vast portfolio of integrations.
Community
GitHub Join our GitHub open source community: explore, experiment, ask questions, and contribute. Slack Channel The MinIO Community Slack provides an open forum for discussing topics related to MinIO. All support is provided on a best-effort basis.
Docs Blog Resources Training Partner Pricing Download

Documentation

MinIO Object Storage for Container

Server-Side Object Encryption with KES

This procedure assumes that you use a single host machine to run both the MinIO and KES containers. For instructions on running KES, see the KES docs.

As part of this procedure, you will:

  1. Create a new EK for use with SSE.

  2. Deploy a MinIO Server container in Single-Node Single-Drive mode configured to use the KES container for supporting SSE.

  3. Configure automatic bucket-default SSE-KMS.

For production orchestrated environments, use the MinIO Kubernetes Operator to deploy a tenant with SSE enabled and configured for use with your KMS.

For production baremetal environments, see the MinIO on Linux documentation for tutorials on configuring MinIO with KES and your KMS.

Important

Enabling SSE on a MinIO deployment automatically encrypts the backend data for that deployment using the default encryption key.

MinIO requires access to KES and the external KMS to decrypt the backend and start normally. The KMS must maintain and provide access to the MINIO_KMS_KES_KEY_NAME. You cannot disable KES later or “undo” the SSE configuration at a later point.

Prerequisites

Ensure KES Access to a Supported KMS Target

This procedure assumes an existing KES installation connected to a supported KMS installation accessible, both accessible from the local host. Refer to the installation instructions for your supported KMS target to deploy KES and connect it to a KMS solution.

KES Operations Require Unsealed Target

Some supported KMS targets allow you to seal or unseal the vault instance. KES returns an error if the configured KMS service is sealed.

If you restart or otherwise seal your vault instance, KES cannot perform any cryptographic operations against the vault. You must unseal the Vault to ensure normal operations.

See the documentation for your chosen KMS solution for more information on whether unsealing may be required.

Refer to the configuration instruction in the KES documentation for your chosen supported KMS:

Install Podman or a Similar Container Management Interface

This procedure assumes you have a working Podman installation configured to run in “Rootfull” mode.

“Rootless” modes may not provide sufficient permissions to run KES with the necessary security settings. See the relevant “rootless” documentation for more information.

Deploy MinIO and KES with Server-Side Encryption

Prior to starting these steps, create the following folders:

mkdir -P ~/minio-kes-vault/certs
mkdir -P ~/minio-kes-vault/config
mkdir -P ~/minio-kes-vault/minio

For Windows hosts, substitute the paths with Windows-style paths, e.g. C:\minio-kes-vault\.

Prerequisite

Depending on your chosen supported KMS target configuration, you may need to pass the kes-server.cert as a trusted Certificate Authority (CA). Defer to the client documentation for instructions on trusting a third-party CA.

1) Create the KES and MinIO Configurations

  1. Create the KES Configuration File

    Create the configuration file using your preferred text editor. The following example uses nano:

    nano ~/minio-kes-vault/config/kes-config.yaml

    KES uses a YAML-formatted configuration file. The following YAML provides the minimum required fields for using Hashicorp Vault as the root KMS. You must modify this YAML to reflect your deployment environment.

    address: 0.0.0.0:7373

# Disable the root administrator identity, as we do not need that level of access for
# supporting SSE operations.
admin:
  identity: disabled

# Specify the TLS keys generated in the previous step here
# For production environments, use keys signed by a known and trusted Certificate Authority (CA).
tls:
  key:  /certs/kes-server.key
  cert: /certs/kes-server.cert

  # Specify the path to CAs used by KES for validating client certificates
  # This can alternatively be a single CA
  # KES uses these CAs in addition to the system trust store for validating client certificates.

  ca: /certs/CAs/

# Sets access policies for KES
# The `minio` policy grants access to the listed APIs.
policy:
  minio:
    allow:
    - /v1/key/create/*   # You can replace these wildcard '*' with a string prefix to restrict key names
    - /v1/key/generate/* # e.g. '/minio-'
    - /v1/key/decrypt/*
    - /v1/key/bulk/decrypt
    - /v1/key/list/*
    - /v1/status
    - /v1/metrics
    - /v1/log/audit
    - /v1/log/error
    identities:
    - MINIO_API_KEY_HASH # Replace with the hash output returned from kes identity new

# Specify the connection information for the Vault server.
# The endpoint should be resolvable from the host.
# This example assumes that Vault is configured with an AppRole ID and
# Secret for use with KES.
keystore:
  vault:
    endpoint: https://HOSTNAME:8200
    engine: "/path/to/engine" # Replace with the path to the K/V Engine
    version: "v1|v2" # Specify v1 or v2 depending on the version of the K/V Engine
    approle:
      id: "VAULTAPPID"     # Hashicorp Vault AppRole ID
      secret: "VAULTAPPSECRET" # Hashicorp Vault AppRole Secret ID
      retry: 15s
    status:
      ping: 10s
    # Required if Vault uses certificates signed by an unknown CA,
    # e.g. self-signed or internal (non-globally trusted).
    # Replace this value with the full path to the Vault CA certificate.
    tls:
      ca: vault-tls-CA.cert

    • Set MINIO_IDENTITY_HASH to the identity hash of the MinIO mTLS certificate.

      The following command computes the necessary hash:

      podman run --rm                                             \
   -v ~/minio-kes-vault/certs/certs:/certs                                \
   kes:2024-04-12T13-50-00Z tool identity of /certs/minio-kes.cert

    • Refer to the instructions for setting up KES for your supported KMS solution for additional variables to define specific to your chosen KMS target.

  2. Create the MinIO Environment File

    Create the environment file using your preferred text editor. The following example uses nano:

    nano ~/minio-kes-vault/config/minio

    This command assumes the minio-kes.cert, minio-kes.key, and kes-server.cert certificates are accessible at the specified location:

    MINIO_ROOT_USER=myminioadmin
MINIO_ROOT_PASSWORD=minio-secret-key-change-me
MINIO_VOLUMES="/mnt/data"

# KES Configurations

MINIO_KMS_KES_ENDPOINT=https://127.0.0.1:7373
MINIO_KMS_KES_CERT_FILE=/certs/minio-kes.cert
MINIO_KMS_KES_KEY_FILE=/certs/minio-kes.key
MINIO_KMS_KES_CAPATH=/certs/server.cert
MINIO_KMS_KES_KEY_NAME=minio-backend-default-key
MINIO_KMS_KES_ENCLAVE=<name>

    MinIO uses the MINIO_KMS_KES_KEY_NAME key for the following cryptographic operations:

    • Encrypting the MinIO backend (IAM, configuration, etc.)

    • Encrypting objects using SSE-KMS if the request does not include a specific EK.

    • Encrypting objects using SSE-S3.

    MinIO uses the MINIO_KMS_KES_ENCLAVE key to define the name of the KES enclave to use.

    • Replace <name> with the name of the enclave to use.

    • If not defined, MinIO does not send any enclave information. This may result in using the default enclave for stateful KES servers.

      A KES enclave isolates its associated keys from other enclaves on a stateful KES server.

    The minio-kes certificates enable for mTLS between the MinIO deployment and the KES server only. They do not otherwise enable TLS for other client connections to MinIO.

    KES automatically creates this key if it does not already exist on the root KMS.

2) Create Pod and Containers

The commands in this section create the following resources:

  • A Podman Pod to facilitate container communications

  • A Container for the KES Server configured to use the chosen supported KMS solution.

  • A Container for a MinIO Server running in Single-Node Single-Drive Mode.

sudo podman pod create  \
  -p 9000:9000 -p 9001:9001 -p 7373:7373  \
  -v ~/minio-kes-vault/certs:/certs  \
  -v ~/minio-kes-vault/minio:/mnt/minio  \
  -v ~/minio-kes-vault/config:/etc/default/  \
  -n minio-kes-vault

sudo podman run -dt  \
  --cap-add IPC_LOCK  \
  --name kes-server  \
  --pod "minio-kes-vault"  \
  -e KES_SERVER=https://127.0.0.1:7373  \
  -e KES_CLIENT_KEY=/certs/kes-server.key  \
  -e KES_CLIENT_CERT=/certs/kes-server.cert  \
  quay.io/minio/kes:2024-04-12T13-50-00Z server  \
    --auth  \
    --config=/etc/default/kes-config.yaml  \

sudo podman run -dt  \
  --name minio-server  \
  --pod "minio-kes-vault"  \
  -e "MINIO_CONFIG_ENV_FILE=/etc/default/minio"  \
  quay.io/minio/minio:RELEASE.2024-04-18T19-09-19Z server  \
    --console-address ":9001"

You can verify the status of the containers using the following commands:

# Should show three pods - one for the Pod, one for KES, and one for MinIO
sudo podman container ls

If all pods are operational, you can connect to the MinIO deployment by opening your browser to http://127.0.0.1:9000 and logging in with the root credentials specified in the MinIO environment file.

3) Generate a New Encryption Key

Unseal Vault Before Creating Key

If required for your chosen provider, you must unseal the backing KMS instance before creating new encryption keys. Refer to the documentation for your chosen KMS solution for more information.

MinIO requires that the EK exist on the root KMS before performing SSE operations using that key. Use kes key create or mc admin kms key create to create a new EK for use with SSE.

The following command uses the kes key create command to add a new External Key (EK) stored on the root KMS server for use with encrypting the MinIO backend.

sudo podman run --rm  \
  -v ~/minio-kes-vault/certs:/certs  \
  -e KES_SERVER=https://127.0.0.1:7373  \
  -e KES_CLIENT_KEY=/certs/minio-kes.key  \
  -e KES_CLIENT_CERT=/certs/minio-kes.cert  \
  kes:2024-04-12T13-50-00Z key create -k my-new-encryption-key

You can specify any key name as appropriate for your use case, such as a bucket-specific key minio-mydata-key.

4) Enable SSE-KMS for a Bucket

You can use either the MinIO Console or the MinIO mc CLI to enable bucket-default SSE-KMS with the generated key:

Open the MinIO Console by navigating to http://127.0.0.1:9001 in your preferred browser and logging in with the root credentials specified to the MinIO container.

Once logged in, create a new Bucket and name it to your preference. Select the Gear icon to open the management view.

Select the pencil icon next to the Encryption field to open the modal for configuring a bucket default SSE scheme.

Select SSE-KMS, then enter the name of the key created in the previous step.

Once you save your changes, try to upload a file to the bucket. When viewing that file in the object browser, note that in the sidebar the metadata includes the SSE encryption scheme and information on the key used to encrypt that object. This indicates the successful encrypted state of the object.

The following commands:

  • Create a new alias for the MinIO deployment

  • Create a new bucket for storing encrypted data

  • Enable SSE-KMS encryption on that bucket

mc alias set local http://127.0.0.1:9000 ROOTUSER ROOTPASSWORD

mc mb local/encryptedbucket
mc encrypt set SSE-KMS encrypted-bucket-key ALIAS/encryptedbucket

Write a file to the bucket using mc cp or any S3-compatible SDK with a PutObject function. You can then run mc stat on the file to confirm the associated encryption metadata.

This work is licensed under a Creative Commons Attribution 4.0 International License. 2020-Present, MinIO, Inc. Creative Commons License