Server-Side Object Encryption with KES
This procedure assumes a single local host machine running the MinIO and KES processes. For instructions on running KES, see the KES docs.
Note
For production orchestrated environments, use the MinIO Kubernetes Operator to deploy a tenant with SSE enabled and configured for use with your KMS.
For production baremetal environments, see the MinIO on Linux documentation for tutorials on configuring MinIO with KES and your KMS.
As part of this procedure, you will:
Create a new EK for use with SSE.
Deploy a MinIO server in Single-Node Single-Drive mode configured to use the KES container for supporting SSE.
Configure automatic bucket-default SSE-KMS.
Important
Enabling SSE on a MinIO deployment automatically encrypts the backend data for that deployment using the default encryption key.
MinIO requires access to KES and the external KMS to decrypt the backend and start normally.
The KMS must maintain and provide access to the MINIO_KMS_KES_KEY_NAME
.
You cannot disable KES later or “undo” the SSE configuration at a later point.
Prerequisites
Ensure KES Access to a Supported KMS Target
This procedure assumes an existing KES installation connected to a supported KMS installation accessible, both accessible from the local host. Refer to the installation instructions for your supported KMS target to deploy KES and connect it to a KMS solution.
KES Operations Require Unsealed Target
Some supported KMS targets allow you to seal or unseal the vault instance. KES returns an error if the configured KMS service is sealed.
If you restart or otherwise seal your vault instance, KES cannot perform any cryptographic operations against the vault. You must unseal the Vault to ensure normal operations.
See the documentation for your chosen KMS solution for more information on whether unsealing may be required.
Refer to the configuration instruction in the KES documentation for your chosen supported KMS:
Deploy or Ensure Access to a MinIO Deployment
This procedure provides instructions for modifying the startup environment variables of a MinIO deployment to enable SSE via KES and the KMS target.
For instructions on new production deployments, see the Multi-Node Multi-Drive (Distributed) tutorial. For instructions on new local or evaluation deployments, see the Single-Node Single-Drive tutorial.
When creating the environment file for the deployment, pause and switch back to this tutorial to include the necessary environment variables to support SSE.
For existing MinIO Deployments, you can modify the existing environment file and restart the deployment as instructed during this procedure.
Deploy MinIO and KES with Server-Side Encryption
Prior to starting these steps, create the following folders:
New-Item -Path "C:\minio-kes-vault\certs" -ItemType "directory"
New-Item -Path "C:\minio-kes-vault\config" -ItemType "directory"
New-Item -Path "C:\minio-kes-vault\minio" -ItemType "directory"
Prerequisite
Depending on your chosen supported KMS target configuration, you may need to pass the kes-server.cert
as a trusted Certificate Authority (CA).
Defer to the client documentation for instructions on trusting a third-party CA.
1) Create the MinIO Configurations
Create the MinIO Environment File
Create the environment file using your preferred text editor. The following example uses the Windows Notepad program:
notepad C:\minio-kes-vault\config\minio
Add the following lines to the MinIO Environment file on the Windows host. See the tutorials for Deploy MinIO: Single-Node Single-Drive for more detailed descriptions of a base MinIO environment file.
This command assumes the minio-kes.cert
, minio-kes.key
, and kes-server.cert
certificates are accessible at the specified location:
# Add these environment variables to the existing environment file
MINIO_KMS_KES_ENDPOINT=https://127.0.0.1:7373
MINIO_KMS_KES_API_KEY=<API-key-identity-string-from-KES>
MINIO_KMS_KES_CAPATH=C:\minio-kes-vault\certs\kes-server.cert
MINIO_KMS_KES_KEY_NAME=minio-backend-default-key
Note
An API key is the preferred way to authenticate with the KES server, as it provides a streamlined and secure authentication process to the KES server.
Alternatively, specify the
MINIO_KMS_KES_KEY_FILE
andMINIO_KMS_KES_CERT_FILE
instead ofMINIO_KMS_KES_API_KEY
.API keys are mutually exclusive with certificate-based authentication. Specify either the API key variable or the Key File and Cert File variables.
The documentation on this site uses API keys.
MinIO uses the MINIO_KMS_KES_KEY_NAME
key for the following cryptographic operations:
Encrypting the MinIO backend (IAM, configuration, etc.)
Encrypting objects using SSE-KMS if the request does not include a specific EK.
Encrypting objects using SSE-S3.
The minio-kes
certificates enable mTLS between the MinIO deployment and the KES server only.
They do not otherwise enable TLS for other client connections to MinIO.
2) Start the MinIO Server
Note
You must start KES before starting MinIO. The MinIO deployment requires access to KES as part of its startup.
Start the MinIO Server
Run the following command in a terminal or shell to start the MinIO server as a foreground process.
export MINIO_CONFIG_ENV_FILE=C:\minio-kes-vault\config\config\minio
C:\minio.exe server --console-address :9001
3) Generate a New Encryption Key
MinIO requires that the EK exist on the root KMS before performing SSE operations using that key.
Use kes key create
or mc admin kms key create
to create a new EK for use with SSE.
The following command uses the kes key create
command to create a new External Key (EK) stored on the root KMS server for use with encrypting the MinIO backend.
export KES_SERVER=https://127.0.0.1:7373
export KES_CLIENT_KEY=C:\minio-kes-vault\certs\minio-kes.key
export KES_CLIENT_CERT=C:\minio-kes-vault\certs\minio-kes.cert
C:\kes.exe key create -k encrypted-bucket-key
4) Enable SSE-KMS for a Bucket
You can use either the MinIO Console or the MinIO mc
CLI to enable bucket-default SSE-KMS with the generated key:
Open the MinIO Console by navigating to http://127.0.0.1:9001 in your preferred browser and logging in with the root credentials specified to the MinIO Server.
If you deployed MinIO using a different Console listen port, substitute 9001
with that port value.
Once logged in, create a new Bucket and name it to your preference. Select the Gear icon to open the management view.
Select the pencil icon next to the Encryption field to open the modal for configuring a bucket default SSE scheme.
Select SSE-KMS, then enter the name of the key created in the previous step.
Once you save your changes, try to upload a file to the bucket. When viewing that file in the object browser, note that the sidebar metadata includes the SSE encryption scheme and information on the key used to encrypt that object. This indicates the successful encrypted state of the object.
The following commands:
Create a new alias for the MinIO deployment
Create a new bucket for storing encrypted data
Enable SSE-KMS encryption on that bucket
mc alias set local http://127.0.0.1:9000 ROOTUSER ROOTPASSWORD
mc mb local/encryptedbucket
mc encrypt set SSE-KMS encrypted-bucket-key ALIAS/encryptedbucket
Write a file to the bucket using mc cp
or any S3-compatible SDK with a PutObject
function.
You can then run mc stat
on the file to confirm the associated encryption metadata.