Documentation
Customer Login
Product
Multi-Cloud
MinIO for VMware Tanzu MinIO for OpenShift MinIO for SUSE Rancher MinIO for Amazon Elastic Kubernetes Service MinIO for Azure Kubernetes Service MinIO for Google Kubernetes Engine
Features
Active Active Replication Identity & Access Management Encryption Bucket & Object Immutability Bucket & Object Versioning Data Life Cycle Management & Tiering Automated Data Management Interfaces Monitoring Scalability AWS S3 Compatibility
Hybrid Cloud Object Storage Hybrid Cloud Object Storage
Overview Architecture
Baremetal Baremetal
Overview Architecture
Erasure Code Calculator Erasure Code Calculator Reference Hardware Reference Hardware
Solutions
Integrations Browse our vast portfolio of integrations VMware Discover how MinIO integrates with VMware across the portfolio from the Persistent Data platform to TKGI and how we support their Kubernetes ambitions. Splunk Find out how MinIO is delivering performance at scale for Splunk SmartStores Veeam Learn how MinIO and Veeam have partnered to drive performance and scalability for a variety of backup use cases. Azure to AWS S3 Gateway Learn how MinIO allows Azure Blob to speak Amazon’s S3 API HDFS Migration Modernize and simplify your big data storage infrastructure with high-performance, Kubernetes-native object storage from MinIO. Teradata Discover why MinIO is the Native Object Store (NOS) of choice for at-scale Teradata deployments
Docs Blog Resources Partner Pricing Download

Documentation

MinIO Object Storage for Azure Kubernetes Service

Server-Side Object Encryption with Hashicorp Vault Root KMS

MinIO Server-Side Encryption (SSE) protects objects as part of write operations, allowing clients to take advantage of server processing power to secure objects at the storage layer (encryption-at-rest). SSE also provides key functionality to regulatory and compliance requirements around secure locking and erasure.

MinIO SSE uses Key Encryption Service (KES) and an external root Key Management Service (KMS) for performing secured cryptographic operations at scale. The root KMS provides stateful and secured storage of External Keys (EK) while KES is stateless and derives additional cryptographic keys from the root-managed EK.

This procedure assumes you have access to a Kubernetes cluster with an active MinIO Operator installation. As part of this procedure, you will:

  1. Use the MinIO Operator Console to create or manage a MinIO Tenant.

  2. Access the Encryption settings for that tenant and configure SSE using Vault.

  3. Create a new EK on Vault for use with SSE.

  4. Configure automatic bucket-default SSE-KMS.

For production baremetal environments, see the MinIO on Linux documentation for tutorials on configuring MinIO with KES and Hashicorp Vault.

Important

Enabling SSE on a MinIO deployment automatically encrypts the backend data for that deployment using the default encryption key.

MinIO requires access to KES and the root KMS to decrypt the backend and start normally. You cannot disable KES later or “undo” the SSE configuration at a later point.

Prerequisites

MinIO Kubernetes Operator and Plugin

Ensure your target Kubernetes cluster has a valid and working installation of the MinIO Kubernetes Operator. The host machine from which you perform the procedure should have a matching installation of the MinIO Kubernetes Plugin

This documentation assumes the latest stable Operator and Plugin version 5.0.4.

See Deploy the MinIO Operator for complete documentation on deploying the MinIO Operator.

Deploy or Ensure Access to a Hashicorp Vault Service

This procedure assumes an existing Hashicorp Vault installation accessible from the Kubernetes cluster.

  • For Vault deployments within the same Kubernetes cluster as the MinIO Tenant, you can use Kubernetes service names to allow the MinIO Tenant to establish connectivity to the Vault service.

  • For Vault deployments external to the Kubernetes cluster, you must ensure the cluster supports routing communications between Kubernetes services and pods and the external network. This may require configuration or deployment of additional Kubernetes network components and/or enabling access to the public internet.

Defer to the Vault Documentation for guidance on deployment and configuration.

MinIO KES supports either the V1 or V2 Vault K/V engines.

MinIO KES requires using AppRole authentication to the Vault server. You must create an AppRole, assign it a policy that the necessary permissions, and retrieve the AppRole ID and Secret for use in configuring KES.

You can use the following steps to enable AppRole authentication and create the necessary policies to support core KES functionality against Vault:

  1. Enable AppRole Authentication

    vault auth enable approle

  2. Create a Policy for KES

    Create a policy with necessary capabilities for KES to use when accessing Vault. Select the tab corresponding to the KV engine used for storing KES secrets:

    Create an access policy kes-policy.hcl with a configuration similar to the following:

    path "kv/*" {
      capabilities = [ "create", "read", "delete" ]
}

    Write the policy to Vault using vault policy write kes-policy kes-policy.hcl.

    Create an access policy kes-policy.hcl with a configuration similar to the following:

    path "kv/data/*" {
      capabilities = [ "create", "read"]
}

path "kv/metadata/*" {
      capabilities = [ "list", "delete"]
}

    Write the policy to Vault using vault policy write kes-policy kes-policy.hcl

  3. Create an AppRole for KES and assign it the created policy

    vault write    auth/approle/role/kes-role token_num_uses=0 secret_id_num_uses=0 period=5m
vault write    auth/approle/role/kes-role policies=kes-policy

  4. Retrieve the AppRole ID and Secret

    vault read     auth/approle/role/kes-role/role-id
vault write -f auth/approle/role/kes-role/secret-id

Deploy MinIO Tenant with Server-Side Encryption using Hashicorp Vault

1) Access the Operator Console

Use the kubectl minio proxy command to temporarily forward traffic between the local host machine and the MinIO Operator Console:

kubectl minio proxy

The command returns output similar to the following:

Starting port forward of the Console UI.

To connect open a browser and go to http://localhost:9090

Current JWT to login: TOKEN

Open your browser to the specified URL and enter the JWT Token into the login page. You should see the Tenants page:

MinIO Operator Console

Click the + Create Tenant to start creating a MinIO Tenant.

2) Complete the Encryption Section

Reference the Deploy a MinIO Tenant procedure for complete documentation of other Tenant settings.

To enable SSE with Hashicorp Vault during Tenant deployment, select the Encryption section and toggle the switch to Enabled. You can then select the Vault Radio button to Vault to display the Vault configuration settings.

MinIO Operator Console - Create a Tenant - Encryption Section

An asterisk * marks required fields. The following table provides general guidance for those fields:

Field

Description

Endpoint

The hostname or IP address for the Vault service (https://vault.example.net:8200) to use for SSE.

The MinIO Tenant KES pods must have network access to the specified endpoint.

For Vault services deployed in the same Kubernetes cluster as the MinIO Tenant, you can specify either the service’s cluster IP or its DNS hostname.

For Vault services external to the Kubernetes cluster, you can specify that external hostname to the MinIO Tenant. This assumes that your Kubernetes network configuration supports routing internal traffic to external networks like the public internet.
AppRole ID
AppRole Secret

Specify the Vault AppRole ID and AppRole Secret MinIO should use when authenticating to the Vault service. Review the Vault Prerequisites for instructions on generating these values.

MinIO defaults to using the KV Version 1 engine. You can specify v2 to enable the KV Version 2 engine.

Once you have completed the Vault configuration, you can finish any remaining sections of Tenant Deployment.

3) Generate a New Encryption Key

Unseal Vault Before Creating Key

You must unseal the backing Vault instance before creating new encryption keys. See the Vault documentation on Seal/Unseal for more information.

MinIO requires that the EK for a given bucket or object exist on the root KMS before performing SSE operations using that key. You can use the mc admin kms key create command against the MinIO Tenant.

You must ensure your local host can access the MinIO Tenant pods and services before using mc to manage the Tenant. For hosts internal to the Kubernetes cluster, you can use the service DNS name. For hosts external to the Kubernetes cluster, specify the hostname of the service exposed by Ingress, Load Balancer, or similar Kubernetes network control component.

Run this command in a separate Terminal or Shell:

# Replace '-n minio' with the namespace of the MinIO deployment
# If you deployed the Tenant without TLS you may need to change the port range

# You can validate the ports in use by running
#  kubectl get svc/minio -n minio

kubectl port forward svc/minio 443:443 -n minio

The following commands in a new Terminal or Shell window:

  • Connect a local mc client to the Tenant.

  • Create the encryption key.

See Quickstart for instructions on installing mc on your local host.

# Replace USERNAME and PASSWORD with a user on the tenant with administrative permissions
# such as the root user

mc alias add k8s https://localhost:443 ROOTUSER ROOTPASSWORD

# Replace my-new-key with the name of the key you want to use for SSE-KMS
mc admin kms key create k8s encrypted-bucket-key

4) Enable SSE-KMS for a Bucket

You can use either the MinIO Tenant Console or the MinIO mc CLI to enable bucket-default SSE-KMS with the generated key:

Connect to the MinIO Tenant Console service and log in. For clients internal to the Kubernetes cluster, you can specify the service DNS name. For clients external to the Kubernetes cluster, specify the hostname of the service exposed by Ingress, Load Balancer, or similar Kubernetes network control component.

Once logged in, create a new Bucket and name it to your preference. Select the Gear icon to open the management view.

Select the pencil icon next to the Encryption field to open the modal for configuring a bucket default SSE scheme.

Select SSE-KMS, then enter the name of the key created in the previous step.

Once you save your changes, try to upload a file to the bucket. When viewing that file in the object browser, note that in the sidebar the metadata includes the SSE encryption scheme and information on the key used to encrypt that object. This indicates the successful encrypted state of the object.

Use the MinIO API Service to create a new alias for the MinIO deployment. You can then use the mc encrypt set command to enable SSE-KMS encryption for a bucket:

mc alias set k8s https://minio.minio-tenant-1.svc.cluster-domain.example:443 ROOTUSER ROOTPASSWORD

mc mb k8s/encryptedbucket
mc encrypt set SSE-KMS encrypted-bucket-key k8s/encryptedbucket

For clients external to the Kubernetes cluster, specify the hostname of the service exposed by Ingress, Load Balancer, or similar Kubernetes network control component.

Write a file to the bucket using mc cp or any S3-compatible SDK with a PutObject function. You can then run mc stat on the file to confirm the associated encryption metadata.

Configuration Reference for Hashicorp Vault

The following section describes each of the Key Encryption Service (KES) configuration settings for using Hashicorp Vault as the root Key Management Service (KMS) for SSE.

Important

Starting with https://github.com/minio/minio/releases/tag/RELEASE.2023-02-17T17-52-43Z, MinIO requires expanded KES permissions for functionality. The example configuration in this section contains all required permissions.

The following YAML describes the minimum required fields for configuring Hashicorp Vault as an external KMS for supporting SSE.

Fields with ${<STRING>} use the environment variable matching the <STRING> value. You can use this functionality to set credentials without writing them to the configuration file.

The YAML assumes a minimal set of permissions for the MinIO deployment accessing KES. As an alternative, you can omit the policy.minio-server section and instead set the ${MINIO_IDENTITY} hash as the ${ROOT_IDENTITY}.

address: 0.0.0.0:7373
root: ${ROOT_IDENTITY}

tls:
  key: kes-server.key
  cert: kes-server.cert

policy:
  minio-server:
    allow:
    - /v1/key/create/*
    - /v1/key/generate/*
    - /v1/key/decrypt/*
    - /v1/key/bulk/decrypt
    - /v1/key/list
    - /v1/status
    - /v1/metrics
    - /v1/log/audit
    - /v1/log/error
    identities:
    - ${MINIO_IDENTITY}

keys:
  - name: "minio-encryption-key-alpha"
  - name: "minio-encryption-key-baker"
  - name: "minio-encryption-key-charlie"

keystore:
  vault:
    endpoint: https://vault.example.net:8200
    engine: "kv"
    version: "v1"
    namespace: "minio"
    prefix: "keys"
    approle:
      id: ${KES_APPROLE_ID}
      secret: ${KES_APPROLE_SECRET}
      retry: 15s
    status:
      ping: 10s
    tls:
      key: "kes-mtls.key"
      cert: "kes-mtls.cert"
      ca: vault-tls.cert

Key

Description

address

The network address and port the KES server listens to on startup. Defaults to port 7373 on all host network interfaces.

root

The identity for the KES superuser (root) identity. Clients connecting with a TLS certificate whose hash (kes identity of client.cert) matches this value have access to all KES API operations.

Specify disabled to remove the root identity and rely only on the policy configuration for controlling identity and access management to KES.

tls

The TLS private key and certificate used by KES for establishing TLS-secured communications. Specify the full path for both the private .key and public .cert to the key and cert fields, respectively.

policy

Specify one or more policies to control access to the KES server.

MinIO SSE requires access to the following KES cryptographic APIs:

  • /v1/key/create/*

  • /v1/key/generate/*

  • /v1/key/decrypt/*

Specifying additional keys does not expand MinIO SSE functionality and may violate security best practices around providing unnecessary client access to cryptographic key operations.

You can restrict the range of key names MinIO can create as part of performing SSE by specifying a prefix before the *. For example, minio-sse-* only grants access to create, generate, or decrypt keys using the minio-sse- prefix.

KES uses mTLS to authorize connecting clients by comparing the hash of the TLS certificate against the identities of each configured policy. Use the kes identity of command to compute the identity of the MinIO mTLS certificate and add it to the policy.<NAME>.identities array to associate MinIO to the <NAME> policy.

keys

Specify an array of keys which must exist on the root KMS for KES to successfully start. KES attempts to create the keys if they do not exist and exits with an error if it fails to create any key. KES does not accept any client requests until it completes validation of all specified keys.

keystore.vault

The configuration for the Hashicorp Vault keystore. The following fields are required:

  • endpoint - The hostname for the vault server(s). The hostname must be resolvable by the KES server host.

  • engine - The path to the K/V engine to use. Defaults to kv

  • version - The version of the K/V engine to use.

    Specify either v1 or v2. Defaults to v1.

  • namespace - The Vault namespace to use for secret storage.

  • prefix - The prefix to use for secret storage.

  • approle - The AppRole used by KES for performing authenticated operations against Vault.

    The specified AppRole must have the appropriate permissions

  • tls.ca - The Certificate Authority used to sign the Vault TLS certificates. Typically required if the Vault server uses self-signed certificates or is signed by an unknown CA (internal or non-global).
This work is licensed under a Creative Commons Attribution 4.0 International License. 2020-Present, MinIO, Inc. Creative Commons License