Server-Side Object Encryption with Azure Key Vault Root KMS
MinIO Server-Side Encryption (SSE) protects objects as part of write operations, allowing clients to take advantage of server processing power to secure objects at the storage layer (encryption-at-rest). SSE also provides key functionality to regulatory and compliance requirements around secure locking and erasure.
MinIO SSE uses Key Encryption Service (KES) and an external root Key Management Service (KMS) for performing secured cryptographic operations at scale. The root KMS provides stateful and secured storage of External Keys (EK) while KES is stateless and derives additional cryptographic keys from the root-managed EK.
This procedure assumes a single local host machine running the MinIO and KES processes, with Azure Key Vault as the external root KMS.. As part of this procedure, you will:
Deploy a KES server configured to use Azure Key Vault as the root KMS.
Create a new EK on Vault for use with SSE.
Deploy a MinIO server in Single-Node Single-Drive mode configured to use the KES container for supporting SSE.
Configure automatic bucket-default SSE-KMS.
For production orchestrated environments, use the MinIO Kubernetes Operator to deploy a tenant with SSE enabled and configured for use with Azure Key Vault.
For production baremetal environments, see the MinIO on Linux documentation for tutorials on configuring MinIO with KES and Azure Key Vault.
Important
Enabling SSE on a MinIO deployment automatically encrypts the backend data for that deployment using the default encryption key.
MinIO requires access to KES and the root KMS to decrypt the backend and start normally. You cannot disable KES later or “undo” the SSE configuration at a later point.
Prerequisites
Azure Key Vault
This procedure assumes familiarity with Azure Key Vault. The Key Vault Quickstart provides a sufficient foundation for the purposes of this procedure.
MinIO specifically requires the following Azure settings or configurations:
Register an application for KES (e.g.
minio-kes
). Note the Application (client) ID, Directory (tenant) ID, and Client credentials. You may need to create the client credentials secret and copy the Secret Value for use in this procedure.Create an Access Policy for use by KES. The policy must have the following Secret Permissions:
Get
List
Set
Delete
Purge
Set the Principal for the new policy to the KES Application ID.
Deploy or Ensure Access to a MinIO Deployment
This procedure provides instructions for modifying the startup environment variables of a MinIO deployment to enable SSE via KES and the root KMS.
For instructions on new production deployments, see the Multi-Node Multi-Drive (Distributed) tutorial. For instructions on new local or evaluation deployments, see the Single-Node Single-Drive tutorial.
When creating the environment file for the deployment, pause and switch back to this tutorial to include the necessary environment variables to support SSE.
For existing MinIO Deployments, you can modify the existing environment file and restart the deployment as instructed during this procedure.
Deploy MinIO and KES with Server-Side Encryption using Azure Key Vault
Prior to starting these steps, create the following folders:
New-Item -Path "C:\minio-kes-azure\certs" -ItemType "directory"
New-Item -Path "C:\minio-kes-azure\config" -ItemType "directory"
New-Item -Path "C:\minio-kes-azure\minio" -ItemType "directory"
1) Download KES for Windows
Download the latest stable release (2023-11-10T10-44-28Z) of KES from github.com/minio/kes.
The following PowerShell command downloads the latest Windows-compatible binary and moves it to the system PATH
:
Invoke-WebRequest -Uri "https://github.com/minio/kes/releases/download/2023-11-10T10-44-28Z/kes-linux-windows-amd64.exe" -OutFile "C:\kes.exe"
C:\kes.exe --version
2) Generate TLS Certificates for KES and MinIO
The following commands creates two TLS certificates that expire within 30 days of creation:
A TLS certificate for KES to secure communications between it and the Vault deployment
A TLS certificate for MinIO to perform mTLS authentication to KES.
Use Caution in Production Environments
DO NOT use the TLS certificates generated as part of this procedure for any long-term development or production environments.
Defer to organization/industry best practices around TLS certificate generation and management. A complete guide to creating valid certificates (e.g. well-formed, current, and trusted) is beyond the scope of this procedure.
# These commands output the certificates to C:\minio-kes-azure\certs
C:\kes.exe identity new \
--key C:\minio-kes-azure\certs\kes-server.key \
--cert C:\minio-kes-azure\certs\kes-server.cert \
--ip "127.0.0.1" \
--dns localhost
C:\kes.exe identity new \
--key C:\minio-kes-azure\certs\minio-kes.key \
--cert C:\minio-kes-azure\certs\minio-kes.cert \
--ip "127.0.0.1" \
--dns localhost
The --ip
and --dns
parameters set the IP and DNS SubjectAlternativeName
for the certificate.
The above example assumes that all components (Vault, MinIO, and KES) deploy on the same local host machine accessible via localhost
or 127.0.0.1
.
You can specify additional IP or Hostnames based on the network configuration of your local host.
Depending on your Vault configuration, you may need to pass the kes-server.cert
as a trusted Certificate Authority. See the Hashicorp Server Configuration Documentation for more information.
Defer to the client documentation for instructions on trusting a third-party CA.
3) Create the KES and MinIO Configurations
Create the KES Configuration File
Create the configuration file using your preferred text editor. The following example uses the Windows Notepad program:
notepad C:\minio-kes-azure\config\kes-config.yaml
KES uses a YAML-formatted configuration file. The following example YAML specifies the minimum required fields for enabling SSE using AWS Secrets Manager:
address: 0.0.0.0:7373 # Disable the root identity, as we do not need that level of access for # supporting SSE operations. root: disabled # Specify the TLS keys generated in the previous step here # For production environments, use keys signed by a known and trusted # Certificate Authority (CA). tls: key: C:\minio-kes-azure\certs\kes-server.key cert: C:\minio-kes-azure\certs\kes-server.cert # Create a policy named 'minio' that grants access to the # /create, /generate, and /decrypt KES APIs for any key name # KES uses mTLS to grant access to this policy, where only the client # whose TLS certificate hash matches one of the "identities" can # use this policy. Specify the hash of the MinIO server TLS certificate # hash here. policy: minio: allow: - /v1/key/create/* # You can replace these wildcard '*' with a string prefix to restrict key names - /v1/key/generate/* # e.g. '/minio-' - /v1/key/decrypt/* - /v1/key/bulk/decrypt - /v1/key/list/* - /v1/status - /v1/metrics - /v1/log/audit - /v1/log/error identities: - ${MINIO_IDENTITY_HASH} # Replace with the output of 'kes identity of minio-kes.cert' # Specify the connection information for the Key Vualt endpoint. # The endpoint should be resolvable from the host. # This example assumes that the specified Key Vault and Azure tenant/client # have the necessary permissions set. keystore: azure: keyvault: endpoint: "https://<keyvaultinstance>vault.azure.net" # The Azure Keyvault Instance Endpoint credentials: tenant_id: "${TENANTID}" # The directory/tenant UUID client_id: "${CLIENTID}" # The application/client UUID client_secret: "${CLIENTSECRET}" # The Active Directory secret for the application
Set
MINIO_IDENTITY_HASH
to the identity hash of the MinIO mTLS certificate.The following command computes the necessary hash:
kes.exe tool identity of C:\minio-kes-azure\certs/minio-kes.cert
Replace the
endpoint
with the URL for the Keyvault instance.Set
TENANTID
,CLIENTID
, andCLIENTSECRET
to match the credentials for a project user with the required permissions.
Create the MinIO Environment File
Create the environment file using your preferred text editor. The following example uses the Windows Notepad program:
notepad C:\minio-kes-azure\config\minio
Add the following lines to the MinIO Environment file on the Windows host. See the tutorials for Deploy MinIO: Single-Node Single-Drive for more detailed descriptions of a base MinIO environment file.
This command assumes the
minio-kes.cert
,minio-kes.key
, andkes-server.cert
certificates are accessible at the specified location:# Add these environment variables to the existing environment file MINIO_KMS_KES_ENDPOINT=https://127.0.0.1:7373 MINIO_KMS_KES_CERT_FILE=C:\minio-kes-azure\certs\minio-kes.cert MINIO_KMS_KES_KEY_FILE=C:\minio-kes-azure\certs\minio-kes.key MINIO_KMS_KES_CAPATH=C:\minio-kes-azure\certs\kes-server.cert MINIO_KMS_KES_KEY_NAME=minio-backend-default-key MINIO_KMS_KES_ENCLAVE=<name>
MinIO uses the
MINIO_KMS_KES_KEY_NAME
key for the following cryptographic operations:Encrypting the MinIO backend (IAM, configuration, etc.)
Encrypting objects using SSE-KMS if the request does not include a specific EK.
Encrypting objects using SSE-S3.
MinIO uses the
MINIO_KMS_KES_ENCLAVE
key to define the name of the KES enclave to use for stateful KES servers.Replace
<name>
with the name of the enclave to use.If not defined, MinIO does not send any enclave information. This may result in using the default enclave for stateful KES servers.
A KES enclave provides an isolated space for its associated keys separate from other enclaves on a stateful KES server.
The
minio-kes
certificates enable mTLS between the MinIO deployment and the KES server only. They do not otherwise enable TLS for other client connections to MinIO.
4) Start KES and MinIO
You must start KES before starting MinIO. The MinIO deployment requires access to KES as part of its startup.
Start the KES Server
Run the following command in a terminal or shell to start the KES server as a foreground process.
C:\kes.exe server --auth --config=C:\minio-kes-azure\config\config\kes-config.yaml
Defer to the documentation for your MacOS Operating System version for instructions on running a process in the background.
Start the MinIO Server
Run the following command in a terminal or shell to start the MinIO server as a foreground process.
export MINIO_CONFIG_ENV_FILE=C:\minio-kes-azure\config\config\minio C:\minio.exe server --console-address :9090
5) Generate a New Encryption Key
MinIO requires that the EK exist on the root KMS before performing SSE operations using that key.
Use kes key create
or mc admin kms key create
to create a new EK for use with SSE.
The following command uses the kes key create
command to create a new External Key (EK) stored on the root KMS server for use with encrypting the MinIO backend.
export KES_SERVER=https://127.0.0.1:7373
export KES_CLIENT_KEY=C:\minio-kes-azure\certs\minio-kes.key
export KES_CLIENT_CERT=C:\minio-kes-azure\certs\minio-kes.cert
C:\kes.exe key create -k encrypted-bucket-key
6) Enable SSE-KMS for a Bucket
You can use either the MinIO Console or the MinIO mc
CLI to enable bucket-default SSE-KMS with the generated key:
Open the MinIO Console by navigating to http://127.0.0.1:9090 in your preferred browser and logging in with the root credentials specified to the MinIO container.
If you deployed MinIO using a different Console listen port, substitute 9090
with that port value.
Once logged in, create a new Bucket and name it to your preference. Select the Gear icon to open the management view.
Select the pencil icon next to the Encryption field to open the modal for configuring a bucket default SSE scheme.
Select SSE-KMS, then enter the name of the key created in the previous step.
Once you save your changes, try to upload a file to the bucket. When viewing that file in the object browser, note that in the sidebar the metadata includes the SSE encryption scheme and information on the key used to encrypt that object. This indicates the successful encrypted state of the object.
The following commands:
Create a new alias for the MinIO deployment
Create a new bucket for storing encrypted data
Enable SSE-KMS encryption on that bucket
mc alias set local http://127.0.0.1:9000 ROOTUSER ROOTPASSWORD
mc mb local/encryptedbucket
mc encrypt set SSE-KMS encrypted-bucket-key ALIAS/encryptedbucket
Write a file to the bucket using mc cp
or any S3-compatible SDK with a PutObject
function.
You can then run mc stat
on the file to confirm the associated encryption metadata.
Configuration Reference for Azure Key Vault Root KMS
The following section describes each of the Key Encryption Service (KES) configuration settings for using Azure Key Vault as the root Key Management Service (KMS) for SSE:
Important
Starting with https://github.com/minio/minio/releases/tag/RELEASE.2023-02-17T17-52-43Z, MinIO requires expanded KES permissions for functionality. The example configuration in this section contains all required permissions.
Fields with ${<STRING>}
use the environment variable matching the <STRING>
value.
You can use this functionality to set credentials without writing them to the configuration file.
The YAML assumes a minimal set of permissions for the MinIO deployment accessing KES.
As an alternative, you can omit the policy.minio-server
section and instead set the ${MINIO_IDENTITY}
hash as the ${ROOT_IDENTITY}
.
address: 0.0.0.0:7373
root: ${ROOT_IDENTITY}
tls:
key: kes-server.key
cert: kes-server.cert
policy:
minio-server:
allow:
- /v1/key/create/*
- /v1/key/generate/*
- /v1/key/decrypt/*
- /v1/key/bulk/decrypt
- /v1/key/list/*
- /v1/status
- /v1/metrics
- /v1/log/audit
- /v1/log/error
identities:
- ${MINIO_IDENTITY}
keys:
- name: "minio-encryption-key-alpha"
- name: "minio-encryption-key-baker"
- name: "minio-encryption-key-charlie"
keystore:
azure:
keyvault:
endpoint: "https://<keyvaultinstance>.vault.azure.net"
credentials:
tenant_id: "${TENANTID}" # The directory/tenant UUID
client_id: "${CLIENTID}" # The application/client UUID
client_secret: "${CLIENTSECRET}" # The Active Directory secret for the application
Key |
Description |
---|---|
|
The network address and port the KES server listens to on startup.
Defaults to port |
|
The identity for the KES superuser ( Specify |
|
The TLS private key and certificate used by KES for establishing TLS-secured communications.
Specify the full path for both the private |
|
Specify one or more policies to control access to the KES server. MinIO SSE requires access to the following KES cryptographic APIs:
Specifying additional keys does not expand MinIO SSE functionality and may violate security best practices around providing unnecessary client access to cryptographic key operations. You can restrict the range of key names MinIO can create as part of performing
SSE by specifying a prefix before the KES uses mTLS to authorize connecting clients by comparing the
hash of the TLS certificate against the |
|
Specify an array of keys which must exist on the root KMS for KES to successfully start. KES attempts to create the keys if they do not exist and exits with an error if it fails to create any key. KES does not accept any client requests until it completes validation of all specified keys. |
|
The configuration for the Azure Key Vault
|