Server-Side Object Encryption with GCP Secret Manager Root KMS
MinIO Server-Side Encryption (SSE) protects objects as part of write operations, allowing clients to take advantage of server processing power to secure objects at the storage layer (encryption-at-rest). SSE also provides key functionality to regulatory and compliance requirements around secure locking and erasure.
MinIO SSE uses Key Encryption Service (KES) and an external root Key Management Service (KMS) for performing secured cryptographic operations at scale. The root KMS provides stateful and secured storage of External Keys (EK) while KES is stateless and derives additional cryptographic keys from the root-managed EK.
This procedure assumes you have access to a Kubernetes cluster with an active MinIO Operator installation. As part of this procedure, you will:
Use the MinIO Operator Console to create or manage a MinIO Tenant.
Access the Encryption settings for that tenant and configure SSE using GCP Secret Manager.
Create a new EK on GCP Secret Manager for use with SSE.
Configure automatic bucket-default SSE-KMS.
For production baremetal environments, see the MinIO on Linux documentation for tutorials on configuring MinIO with KES and GCP Secret Manager.
Important
Enabling SSE on a MinIO deployment automatically encrypts the backend data for that deployment using the default encryption key.
MinIO requires access to KES and the root KMS to decrypt the backend and start normally. You cannot disable KES later or “undo” the SSE configuration at a later point.
Prerequisites
MinIO Kubernetes Operator and Plugin
The procedures on this page requires a valid installation of the MinIO Kubernetes Operator and assumes the local host has a matching installation of the MinIO Kubernetes Operator. This procedure assumes the latest stable Operator and Plugin version 5.0.4.
See Deploy the MinIO Operator for complete documentation on deploying the MinIO Operator.
GCP Secret Manager
This procedure assumes familiarity with GCP Secret Manager. The Secret Manager Quickstart provides a sufficient foundation for the purposes of this procedure.
This procedure assumes your Kubernetes cluster configuration allows for cluster-internal pods and services to resolve and connect to endpoints outside the cluster, such as the public internet.
MinIO specifically requires the following GCP settings or configurations:
Enable Secret Manager in the project.
Create a new GCP Service Account for supporting KES. Ensure the user has a role with at minimum the following permissions:
secretmanager.secrets.create secretmanager.secrets.delete secretmanager.secrets.get
The
Secret manager Admin
role meets the minimum required permissions.GCP should return a set of credentials associated to the new access keys, including private keys. Copy these credentials to a safe and secure location for use with this procedure.
Deploy MinIO Tenant with Server-Side Encryption using GCP Secret Manager
1) Access the Operator Console
Use the kubectl minio proxy
command to temporarily forward traffic between the local host machine and the MinIO Operator Console:
kubectl minio proxy
The command returns output similar to the following:
Starting port forward of the Console UI.
To connect open a browser and go to http://localhost:9090
Current JWT to login: TOKEN
Open your browser to the specified URL and enter the JWT Token into the login page. You should see the Tenants page:

Click the + Create Tenant to start creating a MinIO Tenant.
2) Complete the Encryption Section
Reference the Deploy a MinIO Tenant procedure for complete documentation of other Tenant settings.
To enable SSE with GCP Secret Manager during Tenant deployment, select the Encryption section and toggle the switch to Enabled. You can then select the GCP Radio button to display the GCP Secret Manager configuration settings.

An asterisk *
marks required fields.
The following table provides general guidance for those fields:
Field |
Description |
---|---|
Project ID
Endpoint
|
The Project ID and endpoint for the GCP Secret Manager service to use for SSE. The MinIO Tenant KES pods must have network access to the specified endpoint. |
Client Email
Client ID
Private Key ID
Private Key
|
Specify the credentials for the GCP user with which the Tenant authenticates to the GCP Secret Manager service. Review the GCP Secret Manager Prerequisites for instructions on generating these values. |
Once you have completed the GCP Secret Manager configuration, you can finish any remaining sections of Tenant Deployment.
3) Generate a New Encryption Key
Unseal Vault Before Creating Key
You must unseal the backing Vault instance before creating new encryption keys. See the Vault documentation on Seal/Unseal for more information.
MinIO requires that the EK for a given bucket or object exist on the root KMS before performing SSE operations using that key.
You can use the mc admin kms key create
command against the MinIO Tenant.
You must ensure your local host can access the MinIO Tenant pods and services before using mc
to manage the Tenant.
For hosts internal to the Kubernetes cluster, you can use the service DNS name.
For hosts external to the Kubernetes cluster, specify the hostname of the service exposed by Ingress, Load Balancer, or similar Kubernetes network control component.
Run this command in a separate Terminal or Shell:
# Replace '-n minio' with the namespace of the MinIO deployment
# If you deployed the Tenant without TLS you may need to change the port range
# You can validate the ports in use by running
# kubectl get svc/minio -n minio
kubectl port forward svc/minio 443:443 -n minio
The following commands in a new Terminal or Shell window:
Connect a local
mc
client to the Tenant.Create the encryption key.
See Quickstart for instructions on installing mc
on your local host.
# Replace USERNAME and PASSWORD with a user on the tenant with administrative permissions
# such as the root user
mc alias add k8s https://localhost:443 ROOTUSER ROOTPASSWORD
# Replace my-new-key with the name of the key you want to use for SSE-KMS
mc admin kms key create k8s encrypted-bucket-key
4) Enable SSE-KMS for a Bucket
You can use either the MinIO Tenant Console or the MinIO mc
CLI to enable bucket-default SSE-KMS with the generated key:
Connect to the MinIO Tenant Console service and log in. For clients internal to the Kubernetes cluster, you can specify the service DNS name. For clients external to the Kubernetes cluster, specify the hostname of the service exposed by Ingress, Load Balancer, or similar Kubernetes network control component.
Once logged in, create a new Bucket and name it to your preference. Select the Gear icon to open the management view.
Select the pencil icon next to the Encryption field to open the modal for configuring a bucket default SSE scheme.
Select SSE-KMS, then enter the name of the key created in the previous step.
Once you save your changes, try to upload a file to the bucket. When viewing that file in the object browser, note that in the sidebar the metadata includes the SSE encryption scheme and information on the key used to encrypt that object. This indicates the successful encrypted state of the object.
Use the MinIO API Service to create a new alias for the MinIO deployment.
You can then use the mc encrypt set
command to enable SSE-KMS encryption for a bucket:
mc alias set k8s https://minio.minio-tenant-1.svc.cluster-domain.example:443 ROOTUSER ROOTPASSWORD
mc mb k8s/encryptedbucket
mc encrypt set SSE-KMS encrypted-bucket-key k8s/encryptedbucket
For clients external to the Kubernetes cluster, specify the hostname of the service exposed by Ingress, Load Balancer, or similar Kubernetes network control component.
Write a file to the bucket using mc cp
or any S3-compatible SDK with a PutObject
function.
You can then run mc stat
on the file to confirm the associated encryption metadata.
Configuration Reference for GCP Secret Manager Root KMS
The following section describes each of the Key Encryption Service (KES) configuration settings for using GCP Secrets Manager as the root Key Management Service (KMS) for SSE:
Important
Starting with https://github.com/minio/minio/releases/tag/RELEASE.2023-02-17T17-52-43Z, MinIO requires expanded KES permissions for functionality. The example configuration in this section contains all required permissions.
Fields with ${<STRING>}
use the environment variable matching the <STRING>
value.
You can use this functionality to set credentials without writing them to the configuration file.
The YAML assumes a minimal set of permissions for the MinIO deployment accessing KES.
As an alternative, you can omit the policy.minio-server
section and instead set the ${MINIO_IDENTITY}
hash as the ${ROOT_IDENTITY}
.
address: 0.0.0.0:7373
root: ${ROOT_IDENTITY}
tls:
key: kes-server.key
cert: kes-server.cert
policy:
minio-server:
allow:
- /v1/key/create/*
- /v1/key/generate/*
- /v1/key/decrypt/*
- /v1/key/bulk/decrypt
- /v1/key/list
- /v1/status
- /v1/metrics
- /v1/log/audit
- /v1/log/error
identities:
- ${MINIO_IDENTITY}
keys:
- name: "minio-encryption-key-alpha"
- name: "minio-encryption-key-baker"
- name: "minio-encryption-key-charlie"
keystore:
gcp:
secretmanager:
project_id: "${GCPPROJECTID}"
credentials:
client_email: "${GCPCLIENTEMAIL}"
client_id: "${GCPCLIENTID}"
private_key_id: "${GCPPRIVATEKEYID}"
private_key: "${GCPPRIVATEKEY}"
Key |
Description |
---|---|
|
The network address and port the KES server listens to on startup.
Defaults to port |
|
The identity for the KES superuser ( Specify |
|
The TLS private key and certificate used by KES for establishing TLS-secured communications.
Specify the full path for both the private |
|
Specify one or more policies to control access to the KES server. MinIO SSE requires access to the following KES cryptographic APIs:
Specifying additional keys does not expand MinIO SSE functionality and may violate security best practices around providing unnecessary client access to cryptographic key operations. You can restrict the range of key names MinIO can create as part of performing
SSE by specifying a prefix before the KES uses mTLS to authorize connecting clients by comparing the
hash of the TLS certificate against the |
|
Specify an array of keys which must exist on the root KMS for KES to successfully start. KES attempts to create the keys if they do not exist and exits with an error if it fails to create any key. KES does not accept any client requests until it completes validation of all specified keys. |
|
The configuration for the GCP Secret Manager
|