The following command sets the default
SSE-KMS encryption key for the bucket
mydata on the
myminio MinIO deployment:
mc encrypt set sse-kms "minio-encryption-key" myminio/mydata
The command has the following syntax:
mc [GLOBALFLAGS] encrypt set ENCRYPTION [KMSKEY] ALIAS
indicate optional parameters.
Parameters sharing a line are mutually dependent.
Parameters separated using the pipe
|operator are mutually exclusive.
Copy the example to a text editor and modify as-needed before running the command in the terminal/shell.
Specify the server-side encryption type to use as the default SSE mode. Supports the following values:
sse-kms- Encrypt objects using the key specified in
KMSKEY. MinIO must have access to the specified key on the external KMS to successfully encrypt or decrypt objects protected using SSE-KMS.
sse-s3- Encrypt objects using the key specified to
MINIO_KMS_KES_KEY_NAME. MinIO must have access to the specified key on the external KMS to successfully encrypt or decrypt objects protected using SSE-S3.
Specify the KMS Master Key to use for performing SSE object encryption. This option only applies if
Omit this option to direct MinIO to use the
The full path to the bucket on which to set the default SSE mode. Specify the alias of the MinIO deployment as the prefix to the TARGET path. For example:
mc encrypt set ENCRYPTION [KMSKEY] play/mybucket
This command supports any of the global flags.
The following commands assumes that:
The MinIO server configuration supports SSE-KMS
The root has an encryption key
mc encrypt set sse-kms minio-encryption-key myminio/data
mc encrypt set ENCRYPTION KMSKEY TARGET
sse-s3depending on the preferred encryption mode.
KMSKEYwith the name of the encryption key on the configured root KMS. This argument has no effect with
TARGETwith the alias of the MinIO deployment on which to configure automatic server-side bucket encryption.
mc encrypt set makes no assumptions about the MinIO server’s current
encryption state. Specifying default encryption settings which the
server cannot support may result in undesired behavior.
Setting or modifying the default server-side encryption settings does not
automatically encrypt or decrypt the existing bucket contents. If the bucket
contents must have consistent encryption, use the
mc mv mc with the
--encrypt-key arguments to manually modify the
encryption settings or encrypted state of the bucket contents before
changing the bucket default.