MinIO Object Storage
This guide shows how to set up a kes server and configure a MinIO server to encrypt objects.

First we need to generate a TLS private key and certificate for our kes server. A kes server can only be used over TLS, because authentication and access control are built on mutual TLS: the server identifies each client by the certificate it presents.

We create a self-signed certificate for now. For a production setup you MUST use a certificate signed by a CA (e.g. your internal CA or a public CA like Let's Encrypt).

```sh
openssl ecparam -genkey -name prime256v1 | openssl ec -out server.key
openssl req -new -x509 -days 365 -key server.key -out server.cert -subj "/C=/ST=/L=/O=/CN=localhost"
```
Now you have a server.key and a server.cert file. Next, we create the root identity:

```sh
kes tool identity new --key="root.key" --cert="root.cert" root
```

Note that this creates a private key (root.key) and a certificate (root.cert) for TLS client authentication. Again, the certificate is not signed by a CA that the kes server trusts. That is not a security issue per se: the server identifies a client by the public key in its certificate, so only clients whose certificates are known to the server can perform operations, and only those operations permitted by the policies assigned to them. However, we recommend using client certificates issued by a trusted CA. Then the kes server does not even accept connections from untrusted clients.
Since we don't want to give our MinIO instance root capabilities, we also create a separate minio-1 identity:

```sh
kes tool identity new --key="minio-1.key" --cert="minio-1.cert" minio-1
```
Next, we create a policy that allows MinIO to derive and decrypt data keys, and nothing else (in particular, not to create, list or delete master keys):

```sh
cat > minio-1-policy.toml <<EOF
paths = ["/v1/key/generate/minio-1-*" , "/v1/key/decrypt/minio-1-*"]
EOF
```
Now we can start a kes server in a new window/tab:

```sh
kes server \
  --mtls-auth=ignore \
  --tls-key=server.key \
  --tls-cert=server.cert \
  --root=$(kes tool identity of root.cert)
```

The `--mtls-auth=ignore` flag tells the server not to verify client certificates against a CA, which is what makes our self-signed client certificates usable; clients are still identified by the public key of the certificate they present. Note that this starts a kes server without a persistent key store. Every key we create is gone once we stop or restart the server, and any object encrypted with those keys can never be decrypted again. This command is for dev/testing purposes only. For a secure and persistent key store take a look at e.g. Hashicorp Vault.
We have to add our minio-1-policy.toml to the server and assign the minio-1 identity to that policy. These are root operations, so we use the root identity's key and certificate as client credentials. The `-k` flag tells the kes client to skip verification of the server's self-signed certificate (as with curl -k); drop it once the server uses a CA-signed certificate.

```sh
export KES_CLIENT_TLS_CERT_FILE=root.cert
export KES_CLIENT_TLS_KEY_FILE=root.key
kes policy add -k minio-1 minio-1-policy.toml
kes identity assign -k $(kes tool identity of minio-1.cert) minio-1
```

We can check that the minio-1 identity is correctly assigned to the minio-1 policy via:

```sh
kes identity list -k
```
Finally, we create one master key for MinIO. MinIO will later request a unique data key per object from the kes server using the /v1/key/generate/ API call. Observe that the key name has to match the pattern minio-1-* from minio-1-policy.toml; MinIO's later /v1/key/generate/ requests for a key with any other name would be rejected for the minio-1 identity:

```sh
kes key create minio-1-key-1 -k
```
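The identity and policy steps above rest on two mechanisms that the commands hide: how `kes tool identity of` turns a certificate into an identity, and how a policy's path patterns are matched against a request. The following Go program is an added illustration written for this page, not kes code. It assumes, based on a reading of the kes source, that an identity is the hex-encoded SHA-256 of the certificate's DER-encoded SubjectPublicKeyInfo and that policy patterns are matched with path.Match; the Policy, IdentityOf, NewSelfSignedCert and Authorize names are this example's own. It generates a self-signed minio-1 certificate in memory, assigns it the minio-1 policy, and shows which API paths the server would allow for it and for an unknown certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"path"
	"time"
)

// Policy mirrors minio-1-policy.toml: a list of request-path patterns.
// Assumption: kes compares the request path against each pattern with
// path.Match, so '*' matches within one path segment only.
type Policy struct{ Paths []string }

// Allows reports whether any pattern in the policy matches the API path.
func (p Policy) Allows(apiPath string) bool {
	for _, pattern := range p.Paths {
		if ok, err := path.Match(pattern, apiPath); err == nil && ok {
			return true
		}
	}
	return false
}

// IdentityOf returns the hex-encoded SHA-256 of the certificate's DER-encoded
// SubjectPublicKeyInfo. Assumption: this is what `kes tool identity of` prints.
// It is why a self-signed client certificate is usable: the server recognises
// the public key, not a CA signature.
func IdentityOf(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// NewSelfSignedCert does what `kes tool identity new` does: a fresh P-256 key
// plus a self-signed client-auth certificate whose CN is the identity name.
func NewSelfSignedCert(name string) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// Authorize is the server-side decision for one request: the identity of the
// presented certificate must have a policy assigned, and that policy must
// allow the request path. Unknown identities are denied regardless of path.
func Authorize(assignments map[string]Policy, cert *x509.Certificate, apiPath string) bool {
	policy, ok := assignments[IdentityOf(cert)]
	return ok && policy.Allows(apiPath)
}

func main() {
	_, minioCert, err := NewSelfSignedCert("minio-1")
	if err != nil {
		panic(err)
	}
	_, strangerCert, err := NewSelfSignedCert("stranger")
	if err != nil {
		panic(err)
	}
	policy := Policy{Paths: []string{"/v1/key/generate/minio-1-*", "/v1/key/decrypt/minio-1-*"}}
	assignments := map[string]Policy{IdentityOf(minioCert): policy}

	fmt.Println("minio-1 identity:", IdentityOf(minioCert))
	for _, req := range []string{
		"/v1/key/generate/minio-1-key-1", // allowed: what MinIO does per object
		"/v1/key/decrypt/minio-1-key-1",  // allowed: unwrap a stored data key
		"/v1/key/create/minio-1-key-2",   // denied: creating master keys is root-only
		"/v1/key/generate/other-key",     // denied: wrong key-name pattern
	} {
		fmt.Printf("minio-1  %-32s allowed=%v\n", req, Authorize(assignments, minioCert, req))
	}
	// A certificate the server has never seen has no policy assigned, so it is
	// denied even for a path that minio-1 may use.
	fmt.Printf("stranger %-32s allowed=%v\n", "/v1/key/generate/minio-1-key-1",
		Authorize(assignments, strangerCert, "/v1/key/generate/minio-1-key-1"))
}
```

Two properties worth noticing: because `*` in path.Match does not cross a `/`, a pattern like /v1/key/generate/minio-1-* cannot be widened into other API routes by a crafted key name, and because the identity is a hash of the public key alone, rotating minio-1's certificate to a new key pair changes its identity and requires a fresh kes identity assign.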
If you have not done so already, install MinIO by following the Quickstart guide. Connecting MinIO to the kes server is then straightforward: set the following environment variables and start the server. MINIO_KMS_KES_CA_PATH points to server.cert because our kes certificate is self-signed; with a CA-signed server certificate it points to that CA's certificate instead. The access and secret key below are throwaway values for this local demo.

```sh
export MINIO_KMS_KES_ENDPOINT=https://localhost:7373
export MINIO_KMS_KES_KEY_FILE=minio-1.key
export MINIO_KMS_KES_CERT_FILE=minio-1.cert
export MINIO_KMS_KES_CA_PATH=server.cert
export MINIO_KMS_KES_KEY_NAME=minio-1-key-1

export MINIO_ACCESS_KEY=minio
export MINIO_SECRET_KEY=minio123
minio server /tmp/minio-1
```