MinIO Server Documentation
Customer Login
Product
MinIO Enterprise Object Store
Overview Architecture
Features
MinIO for Public Cloud
AWS GCS Azure
MinIO for Private Cloud
OpenShift SUSE Rancher Tanzu
MinIO for Baremetal
Linux and Windows
Determine your raw and usable capacity Erasure Code Calculator MinIO's Recommended Hardware Configuration Reference Hardware
Solutions
AI Storage Object storage is powering the AI revolution. Learn how MinIO is leading the AI storage market through performance at scale. Modern Datalakes Modern, multi-engine datalakes depend on object stores that deliver performance at scale. Learn more about this core MinIO use case. Hybrid Cloud Effective multi-cloud storage strategies rely on utilizing architecture and tools that can function seamlessly across diverse environments. Equinix Repatriate your data onto the cloud you control with MinIO on Equinix to lower costs while maintaining public cloud adjacency. Splunk Find out how MinIO is delivering performance at scale for Splunk SmartStores. Snowflake Query and analyze multiple data sources, including streaming data, residing on MinIO with the Snowflake Data Cloud. No need to move the data, just query using SnowSQL. SQL Server Discover how to pair SQL Server 2022 with MinIO to run queries on your data on any cloud - without having to move it. HDFS Migration Modernize and simplify your big data storage infrastructure with high-performance, Kubernetes-native object storage from MinIO. VMware Discover how MinIO integrates with VMware across the portfolio from the Persistent Data platform to TKG and how we support their Kubernetes ambitions. Veeam Learn how MinIO and Veeam have partnered to drive performance and scalability for a variety of backup use cases. Commvault Learn how Commvault and MinIO are partnered to deliver performance at scale for mission critical backup and restore workloads. Integrations Browse our vast portfolio of integrations.
Community
GitHub Join our GitHub open source community: explore, experiment, ask questions, and contribute. Slack Channel The MinIO Community Slack provides an open forum for discussing topics related to MinIO. All support is provided on a best-effort basis.
Docs Blog Resources Training Partner Pricing Download

Documentation

MinIO Object Storage for Linux

Server-Side Object Encryption with KES

This procedure provides guidance for deploying MinIO configured to use KES and enable Server Side Encryption. For instructions on running KES, see the KES docs.

As part of this procedure, you will:

  1. Create a new EK for use with SSE.

  2. Create or modify a MinIO deployment with support for SSE using KES. Defer to the Deploy Distributed MinIO tutorial for guidance on production-ready MinIO deployments.

  3. Configure automatic bucket-default SSE-KMS

Important

Enabling SSE on a MinIO deployment automatically encrypts the backend data for that deployment using the default encryption key.

MinIO requires access to KES and the external KMS to decrypt the backend and start normally. The KMS must maintain and provide access to the MINIO_KMS_KES_KEY_NAME. You cannot disable KES later or “undo” the SSE configuration at a later point.

Prerequisites

Ensure KES Access to a Supported KMS Target

This procedure assumes an existing KES installation connected to a supported KMS installation accessible, both accessible from the local host. Refer to the installation instructions for your supported KMS target to deploy KES and connect it to a KMS solution.

KES Operations Require Unsealed Target

Some supported KMS targets allow you to seal or unseal the vault instance. KES returns an error if the configured KMS service is sealed.

If you restart or otherwise seal your vault instance, KES cannot perform any cryptographic operations against the vault. You must unseal the Vault to ensure normal operations.

See the documentation for your chosen KMS solution for more information on whether unsealing may be required.

Refer to the configuration instruction in the KES documentation for your chosen supported KMS:

Deploy or Ensure Access to a MinIO Deployment

This procedure provides instructions for modifying the startup environment variables of a MinIO deployment to enable SSE via KES and the KMS target.

For instructions on new production deployments, see the Multi-Node Multi-Drive (Distributed) tutorial. For instructions on new local or evaluation deployments, see the Single-Node Single-Drive tutorial.

When creating the environment file for the deployment, pause and switch back to this tutorial to include the necessary environment variables to support SSE.

For existing MinIO Deployments, you can modify the existing environment file and restart the deployment as instructed during this procedure.

Procedure

This procedure provides instructions for configuring and enabling Server-Side Encryption using your selected supported KMS solution in production environments. Specifically, this procedure assumes the following:

  • An existing production-grade KMS target

  • One or more KES servers connected to the KMS target

  • One or more hosts for a new or existing MinIO deployment

Prerequisite

Depending on your chosen supported KMS target configuration, you may need to pass the kes-server.cert as a trusted Certificate Authority (CA). Defer to the client documentation for instructions on trusting a third-party CA.

1) Generate a KES API Key for use by MinIO

Starting with KES version 2023-02-15T14-54-37Z, you can generate an API key to use for authenticating to the KES server.

Use the kes identity new command to generate a new API key for use by the MinIO Server:

kes identity new

The output includes both the API Key for use with MinIO and the Identity hash for use with the KES Policy configuration.

2) Create the MinIO Configurations

Configure the MinIO Environment File

Create or modify the MinIO Server environment file for all hosts in the target deployment to include the following environment variables:

Add the following lines to the MinIO Environment file on each MinIO host. See the tutorials for Deploy MinIO: Single-Node Single-Drive, Deploy MinIO: Single-Node Multi-Drive, or Deploy MinIO: Multi-Node Multi-Drive for more detailed descriptions of a base MinIO environment file.

# Add these environment variables to the existing environment file

MINIO_KMS_KES_ENDPOINT=https://HOSTNAME:7373
MINIO_KMS_KES_API_KEY="kes:v1:ACTpAsNoaGf2Ow9o5gU8OmcaG6Af/VcZ1Mt7ysuKoBjv"

# Allows validation of the KES Server Certificate (Self-Signed or Third-Party CA)
# Change this path to the location of the KES CA Path
MINIO_KMS_KES_CAPATH=/opt/kes/certs/kes-server.cert

# Sets the default KMS key for the backend and SSE-KMS/SSE-S3 Operations)
MINIO_KMS_KES_KEY_NAME=minio-backend-default-key

# Optional, defines the name for the KES server enclave to use.
# MINIO_KMS_KES_ENCLAVE=<name>

Replace HOSTNAME with the IP address or hostname of the KES server. If the MinIO server host machines cannot resolve or reach the specified HOSTNAME, the deployment may return errors or fail to start.

  • If using a single KES server host, specify the IP or hostname of that host

  • If using multiple KES server hosts, specify a comma-separated list of IPs or hostnames of each host

MinIO uses the MINIO_KMS_KES_KEY_NAME key for the following cryptographic operations:

  • Encrypting the MinIO backend (IAM, configuration, etc.)

  • Encrypting objects using SSE-KMS if the request does not include a specific EK.

  • Encrypting objects using SSE-S3.

MinIO uses the MINIO_KMS_KES_ENCLAVE key to define the name of the KES enclave to use.

  • Replace <name> with the name of the enclave to use. If not defined, MinIO does not send any enclave information. This may result in using the default enclave for stateful KES servers.

    A KES enclave provides an isolated space for its associated keys separate from other enclaves on a stateful KES server.

MinIO defaults to expecting this file at /etc/default/minio. If you modified your deployment to use a different location for the environment file, modify the file at that location.

3) Start MinIO

KES Operations Requires Unsealed Vault

Depending on your selected KMS solution, you may need to unseal the key instance to allow normal cryptographic operations, including key creation or retrieval. KES requires an unsealed key target to perform its operations.

Refer to the documentation for your chosen KMS solution for information regarding whether sealing and unsealing the instance is required for operations.

You must start KES before starting MinIO. The MinIO deployment requires access to KES as part of its startup.

This step uses systemd for starting and managing the MinIO server processes:

Start the MinIO Server

For new MinIO deployments, run the following command on each MinIO host to start the service:

systemctl start minio

For existing MinIO deployments, run the following command on each MinIO host to restart the service:

systemctl reload minio
systemctl restart minio

4) Generate a New Encryption Key

MinIO requires that the EK exist on the KMS before performing SSE operations using that key. Use kes key create or mc admin kms key create to add a new EK for use with SSE.

The following command uses the mc admin kms key create command to add a new External Key (EK) stored on the KMS server for use with encrypting the MinIO backend.

mc admin kms key create ALIAS KEYNAME

5) Enable SSE-KMS for a Bucket

You can use either the MinIO Console or the MinIO mc CLI to enable bucket-default SSE-KMS with the generated key:

Open the MinIO Console by navigating to http://127.0.0.1:9001 in your preferred browser and logging in with the root credentials specified to the MinIO Server. If you deployed MinIO using a different Console listen port, substitute 9001 with that port value.

Once logged in, create a new Bucket and name it to your preference. Select the Gear icon to open the management view.

Select the pencil icon next to the Encryption field to open the modal for configuring a bucket default SSE scheme.

Select SSE-KMS, then enter the name of the key created in the previous step.

Once you save your changes, try to upload a file to the bucket. When viewing that file in the object browser, note that the sidebar metadata includes the SSE encryption scheme and information on the key used to encrypt that object. This indicates the successful encrypted state of the object.

The following commands:

  • Create a new alias for the MinIO deployment

  • Create a new bucket for storing encrypted data

  • Enable SSE-KMS encryption on that bucket

mc alias set local http://127.0.0.1:9000 ROOTUSER ROOTPASSWORD

mc mb local/encryptedbucket
mc encrypt set SSE-KMS encrypted-bucket-key ALIAS/encryptedbucket

Write a file to the bucket using mc cp or any S3-compatible SDK with a PutObject function. You can then run mc stat on the file to confirm the associated encryption metadata.

This work is licensed under a Creative Commons Attribution 4.0 International License. 2020-Present, MinIO, Inc. Creative Commons License