Documentation

Documentation

Server-Side Object Encryption with AWS Secrets Manager Root KMS

MinIO Server-Side Encryption (SSE) protects objects as part of write operations, allowing clients to take advantage of server processing power to secure objects at the storage layer (encryption-at-rest). SSE also provides key functionality to regulatory and compliance requirements around secure locking and erasure.

MinIO SSE uses Key Encryption Service (KES) and an external root Key Management Service (KMS) for performing secured cryptographic operations at scale. The root KMS provides stateful and secured storage of External Keys (EK) while KES is stateless and derives additional cryptographic keys from the root-managed EK.

This procedure assumes a single local host machine running the MinIO and KES processes, with AWS Secrets Manager as the external root KMS.. As part of this procedure, you will:

  1. Deploy a KES server configured to use AWS Secrets Manager as the root KMS.

  2. Create a new EK on Vault for use with SSE.

  3. Deploy a MinIO server in Single-Node Single-Drive mode configured to use the KES container for supporting SSE.

  4. Configure automatic bucket-default SSE-KMS.

For production orchestrated environments, use the MinIO Kubernetes Operator to deploy a tenant with SSE enabled and configured for use with AWS Secrets Manager.

For production baremetal environments, see the MinIO on Linux documentation for tutorials on configuring MinIO with KES and AWS Secrets Manager.

Important

Enabling SSE on a MinIO deployment automatically encrypts the backend data for that deployment using the default encryption key.

MinIO requires access to KES and the root KMS to decrypt the backend and start normally. You cannot disable KES later or “undo” the SSE configuration at a later point.

Prerequisites

Ensure Access to the AWS Secrets Manager and Key Management Service

This procedure assumes access to and familiarity with AWS Secrets Manager and |rootkms-short|.

MinIO specifically requires the following AWS settings or configurations:

  • A new AWS Programmatic Access user with corresponding access key and secret key.

  • A policy that grants the created user access to AWS Secrets Manager and AWS Secrets Manager. The following policy grants the minimum necessary permissions:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "minioSecretsManagerAccess",
          "Action": [
            "secretsmanager:CreateSecret",
            "secretsmanager:DeleteSecret",
            "secretsmanager:GetSecretValue",
            "secretsmanager:ListSecrets"
          ],
          "Effect": "Allow",
          "Resource": "*"
        },
        {
          "Sid": "minioKmsAccess",
          "Action": [
            "kms:Decrypt",
            "kms:DescribeKey",
            "kms:Encrypt"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ]
    }
    

    AWS provides the SecretsManagerReadWrite and AWSKeyManagementServicePowerUser canned roles that meet and exceed the minimum required permissions.

Deploy or Ensure Access to a MinIO Deployment

This procedure provides instructions for modifying the startup environment variables of a MinIO deployment to enable SSE via KES and the root KMS.

For instructions on new production deployments, see the Multi-Node Multi-Drive (Distributed) tutorial. For instructions on new local or evaluation deployments, see the Single-Node Single-Drive tutorial.

When creating the environment file for the deployment, pause and switch back to this tutorial to include the necessary environment variables to support SSE.

For existing MinIO Deployments, you can modify the existing environment file and restart the deployment as instructed during this procedure.

Deploy MinIO and KES with Server-Side Encryption using AWS Secrets Manager

Prior to starting these steps, create the following folders:

mkdir -P ~/minio-kes-aws/certs
mkdir -P ~/minio-kes-aws/config
mkdir -P ~/minio-kes-aws/minio

1) Download the KES Binary

Download the binary of the latest stable KES release (v0.22.2) from github.com/minio/kes.

Select the tab corresponding to the architecture for your MacOS hardware. The command downloads the v0.22.2 binary for that architecture, sets it to executable, and adds it to your system PATH.

curl -O https://github.com/minio/kes/releases/download/v0.22.2/kes-darwin-arm64
chmod +x ./kes-darwin-arm64
sudo mv ./kes-darwin-arm64 /usr/local/bin/kes
curl -O https://github.com/minio/kes/releases/download/v0.22.2/kes-darwin-amd64
chmod +x ./kes-darwin-amd64
sudo mv ./kes-darwin-amd64 /usr/local/bin/kes

2) Generate TLS Certificates for KES and MinIO

The following commands create two TLS certificates that expire within 30 days of creation:

  • A TLS certificate for KES to secure communications between it and the Vault deployment

  • A TLS certificate for MinIO to perform mTLS authentication to KES.

Use Caution in Production Environments

DO NOT use the TLS certificates generated as part of this procedure for any long-term development or production environments.

Defer to organization/industry best practices around TLS certificate generation and management. A complete guide to creating valid certificates (e.g. well-formed, current, and trusted) is beyond the scope of this procedure.

# These commands output keys to ~/minio-kes-aws/certs
# and ~/minio-kes-aws/certs respectively

kes identity new kes_server \
  --key  ~/minio-kes-aws/certs/kes-server.key  \
  --cert ~/minio-kes-aws/certs/kes-server.cert  \
  --ip   "127.0.0.1"  \
  --dns  localhost

kes identity new minio_server \
  --key  ~/minio-kes-aws/certs/minio-kes.key  \
  --cert ~/minio-kes-aws/certs/minio-kes.cert  \
  --ip   "127.0.0.1"  \
  --dns  localhost

The --ip and --dns parameters set the IP and DNS SubjectAlternativeName for the certificate. The above example assumes that all components (Vault, MinIO, and KES) deploy on the same local host machine accessible via localhost or 127.0.0.1. You can specify additional IP or Hostnames based on the network configuration of your local host.

3) Create the KES and MinIO Configurations

  1. Create the KES Configuration File

    Create the configuration file using your preferred text editor. The following example uses nano:

    nano ~/minio-kes-aws/config/kes-config.yaml
    

    KES uses a YAML-formatted configuration file. The following example YAML specifies the minimum required fields for enabling SSE using AWS Secrets Manager:

    address: 0.0.0.0:7373
    
    # Disable the root identity, as we do not need that level of access for
    # supporting SSE operations.
    root: disabled
    
    # Specify the TLS keys generated in the previous step here
    # For production environments, use keys signed by a known and trusted
    # Certificate Authority (CA).
    tls:
      key:  ~/minio-kes-aws/certs/kes-server.key
      cert: ~/minio-kes-aws/certs/kes-server.cert
    
    # Create a policy named 'minio' that grants access to the
    # /create, /generate, and /decrypt KES APIs for any key name
    # KES uses mTLS to grant access to this policy, where only the client
    # whose TLS certificate hash matches one of the "identities" can
    # use this policy. Specify the hash of the MinIO server TLS certificate
    # hash here.
    policy:
      minio:
        allow:
        - /v1/key/create/*
        - /v1/key/generate/*
        - /v1/key/decrypt/*
        identities:
        - ${MINIO_IDENTITY_HASH} # Replace with the output of 'kes identity of minio-kes.cert'
    
                                 # In production environments, each client connecting to KES must
                                 # Have their TLS hash listed under at least one `policy`.
    
    # Specify the connection information for the KMS and Secrets Manager endpoint.
    # The endpoint should be resolvable from the host.
    # This example assumes that the associated AWS account has the necessary
    # access key and secret key
    keystore:
      aws:
        secretsmanager:
          endpoint: secretsmanager.REGION.amazonaws.com # use the Secrets Manager endpoint for your region
          region: REGION # e.g. us-east-1
          kmskey: "" # Optional. The root AWS KMS key to use for cryptographic operations. Formerly described as the "Customer Master Key".
          credentials:
            accesskey: "AWSACCESSKEY" # AWS Access Key
            secretkey: "AWSSECRETKEY" # AWS Secret Key
    
    • Set MINIO_IDENTITY_HASH to the identity hash of the MinIO mTLS certificate.

      The following command computes the necessary hash:

      kes identity of ~/minio-kes-aws/certs/minio-kes.cert
      
    • Replace the REGION with the appropriate region for AWS Secrets Manager. The value must match for both endpoint and region.

    • Set AWSACCESSKEY and AWSSECRETKEY to the appropriate AWS Credentials.

  2. Create the MinIO Environment File

    Create the environment file using your preferred text editor. The following example uses nano:

    nano ~/minio-kes-aws/config/minio
    

    Add the following lines to the MinIO Environment file on each MinIO host. See the tutorials for Deploy MinIO: Single-Node Single-Drive, Deploy MinIO: Single-Node Multi-Drive, or Deploy MinIO: Multi-Node Multi-Drive for more detailed descriptions of a base MinIO environment file.

    # Add these environment variables to the existing environment file
    
    MINIO_KMS_KES_ENDPOINT=https://HOSTNAME:7373
    MINIO_KMS_KES_CERT_FILE=~/minio-kes-aws/certs/minio-kes.cert
    MINIO_KMS_KES_KEY_FILE=~/minio-kes-aws/certs/minio-kes.key
    
    # Allows validation of the KES Server Certificate (Self-Signed or Third-Party CA)
    # Change this path to the location of the KES CA Path
    MINIO_KMS_KES_CAPATH=~/minio-kes-aws/certs/kes-server.cert
    
    # Sets the default KMS key for the backend and SSE-KMS/SSE-S3 Operations)
    MINIO_KMS_KES_KEY_NAME=minio-backend-default-key
    

    Replace HOSTNAME with the IP address or hostname of the KES server. If the MinIO server host machines cannot resolve or reach the specified HOSTNAME, the deployment may return errors or fail to start.

    • If using a single KES server host, specify the IP or hostname of that host

    • If using multiple KES server hosts, specify a comma-separated list of IPs or hostnames of each host

    MinIO uses the MINIO_KMS_KES_KEY_NAME key for the following cryptographic operations:

    • Encrypting the MinIO backend (IAM, configuration, etc.)

    • Encrypting objects using SSE-KMS if the request does not include a specific EK.

    • Encrypting objects using SSE-S3.

    The minio-kes certificates enable mTLS between the MinIO deployment and the KES server only. They do not otherwise enable TLS for other client connections to MinIO.

4) Start KES and MinIO

You must start KES before starting MinIO. The MinIO deployment requires access to KES as part of its startup.

  1. Start the KES Server

    Run the following commands in a terminal or shell to start the KES server as a foreground process:

    sudo setcap cap_ipc_lock=+ep $(readlink -f $(which kes))
    
    kes server --auth=off --config=~/minio-kes-aws/config/kes-config.yaml
    

    The first command allows KES to use the mlock system call without running as root. mlock ensures the OS does not write in-memory data to a drive (swap memory) and mitigates the risk of cryptographic operations being written to unsecured drive at any time. KES 0.21.0 and later automatically detect and enable mlock if supported by the host OS. Versions 0.20.0 and earlier required specifying the --mlock argument to KES.

    The second command starts the KES server in the foreground using the configuration file created in the last step. The --auth=off disables strict validation of client TLS certificates. Using self-signed certificates for either the MinIO client or the root KMS server requires specifying this option.

    KES listens on port 7373 by default. You can monitor the server logs from the terminal session. If you run KES without tying it to the current shell session (e.g. with nohup), use that method’s associated logging system (e.g. nohup.txt).

  2. Start the MinIO Server

    Run the following command in a terminal or shell to start the MinIO server as a foreground process.

    export MINIO_CONFIG_ENV_FILE=~/minio-kes-aws/config/minio
    minio server --console-address :9090
    

Foreground processes depend on the shell or terminal in which they run. Exiting or terminating the shell/terminal instance also kills the attached process. Defer to your operating system best practices for running processes in the background.

5) Generate a New Encryption Key

MinIO requires that the EK exist on the root KMS before performing SSE operations using that key. Use kes key create or mc admin kms key create to add a new EK for use with SSE.

The following command uses the kes key create command to add a new External Key (EK) stored on the root KMS server for use with encrypting the MinIO backend.

export KES_SERVER=https://127.0.0.1:7373
export KES_CLIENT_KEY=~/minio-kes-aws/certs/minio-kes.key
export KES_CLIENT_CERT=~/minio-kes-aws/certs/minio-kes.cert

kes key create -k encrypted-bucket-key

6) Enable SSE-KMS for a Bucket

You can use either the MinIO Console or the MinIO mc CLI to enable bucket-default SSE-KMS with the generated key:

Open the MinIO Console by navigating to http://127.0.0.1:9090 in your preferred browser and logging in with the root credentials specified to the MinIO container. If you deployed MinIO using a different Console listen port, substitute 9090 with that port value.

Once logged in, create a new Bucket and name it to your preference. Select the Gear icon to open the management view.

Select the pencil icon next to the Encryption field to open the modal for configuring a bucket default SSE scheme.

Select SSE-KMS, then enter the name of the key created in the previous step.

Once you save your changes, try to upload a file to the bucket. When viewing that file in the object browser, note that in the sidebar the metadata includes the SSE encryption scheme and information on the key used to encrypt that object. This indicates the successful encrypted state of the object.

The following commands:

  • Create a new alias for the MinIO deployment

  • Create a new bucket for storing encrypted data

  • Enable SSE-KMS encryption on that bucket

mc alias set local http://127.0.0.1:9000 ROOTUSER ROOTPASSWORD

mc mb local/encryptedbucket
mc encrypt set SSE-KMS encrypted-bucket-key ALIAS/encryptedbucket

Write a file to the bucket using mc cp or any S3-compatible SDK with a PutObject function. You can then run mc stat on the file to confirm the associated encryption metadata.

Configuration Reference for AWS Root KMS

The following section describes each of the Key Encryption Service (KES) configuration settings for using AWS Secrets Manager and AWS KMS as the root Key Management Service (KMS) for SSE:

The following YAML describes the minimum required fields for configuring AWS Secrets Manager as an external KMS for supporting SSE.

Any field with value ${VARIABLE} uses the environment variable with matching name as the value. You can use this functionality to set credentials without writing them to the configuration file.

address: 0.0.0.0:7373
root: ${ROOT_IDENTITY}

tls:
  key: kes-server.key
  cert: kes-server.cert

policy:
  minio-server:
    allow:
      - /v1/key/create/*
      - /v1/key/generate/*
      - /v1/key/decrypt/*
    identities:
    - ${MINIO_IDENTITY}

keys:
  - name: "minio-encryption-key-alpha"
  - name: "minio-encryption-key-baker"
  - name: "minio-encryption-key-charlie"

keystore:
  secretsmanager:
    endpoint: secretsmanager.REGION.amazonaws
    region: REGION
    kmskey: ""
    credentials:
      accesskey: "${AWS_ACCESS_KEY}"
      secretkey: "${AWS_SECRET_KEY}"

Key

Description

address

The network address and port the KES server listens to on startup. Defaults to port 7373 on all host network interfaces.

root

The identity for the KES superuser (root) identity. Clients connecting with a TLS certificate whose hash (kes identity of client.cert) matches this value have access to all KES API operations.

Specify disabled to remove the root identity and rely only on the policy configuration for controlling identity and access management to KES.

tls

The TLS private key and certificate used by KES for establishing TLS-secured communications. Specify the full path for both the private .key and public .cert to the key and cert fields, respectively.

policy

Specify one or more policies to control access to the KES server.

MinIO SSE requires access to the following KES cryptographic APIs:

  • /v1/key/create/*

  • /v1/key/generate/*

  • /v1/key/decrypt/*

Specifying additional keys does not expand MinIO SSE functionality and may violate security best practices around providing unnecessary client access to cryptographic key operations.

You can restrict the range of key names MinIO can create as part of performing SSE by specifying a prefix before the *. For example, minio-sse-* only grants access to create, generate, or decrypt keys using the minio-sse- prefix.

KES uses mTLS to authorize connecting clients by comparing the hash of the TLS certificate against the identities of each configured policy. Use the kes identity of command to compute the identity of the MinIO mTLS certificate and add it to the policy.<NAME>.identities array to associate MinIO to the <NAME> policy.

keys

Specify an array of keys which must exist on the root KMS for KES to successfully start. KES attempts to create the keys if they do not exist and exits with an error if it fails to create any key. KES does not accept any client requests until it completes validation of all specified keys.

keystore.aws.secretsmanager

The configuration for the AWS Secrets Manager and AWS KMS.

  • endpoint - The endpoint for the Secrets Manager service, including the region.

  • approle - The AWS region to use for other AWS services.

  • kmskey - The root KMS Key to use for cryptographic operations. Formerly known as the Customer Master Key.

  • credentials - The AWS Credentials to use for performing authenticated operations against Secrets Manager and KMS.

    The specified credentials must have the appropriate permissions