2020-02-05 08:08:47 +01:00
# KMS Guide [![Slack](https://slack.min.io/slack?type=svg)](https://slack.min.io)
2018-08-17 12:52:14 -07:00
2020-09-13 16:23:18 -07:00
MinIO uses a key-management-system (KMS) to support SSE-S3. If a client requests SSE-S3, or auto-encryption is enabled, the MinIO server encrypts each object with an unique object key which is protected by a master key managed by the KMS.
2018-12-12 07:50:29 +01:00
2020-05-20 03:33:11 +02:00
## Quick Start
2020-09-13 16:23:18 -07:00
MinIO supports multiple KMS implementations via our [KES ](https://github.com/minio/kes#kes ) project. We run a KES instance at `https://play.min.io:7373` for you to experiment and quickly get started. To run MinIO with a KMS just fetch the root identity, set the following environment variables and then start your MinIO server. If you havn't installed MinIO, yet, then follow the MinIO [install instructions ](https://docs.min.io/docs/minio-quickstart-guide ) first.
2020-05-20 03:33:11 +02:00
2020-05-20 22:55:54 +02:00
#### 1. Fetch the root identity
As the initial step, fetch the private key and certificate of the root identity:
```sh
curl -sSL --tlsv1.2 \
-O 'https://raw.githubusercontent.com/minio/kes/master/root.key' \
-O 'https://raw.githubusercontent.com/minio/kes/master/root.cert'
```
#### 2. Set the MinIO-KES configuration
```sh
export MINIO_KMS_KES_ENDPOINT=https://play.min.io:7373
export MINIO_KMS_KES_KEY_FILE=root.key
export MINIO_KMS_KES_CERT_FILE=root.cert
export MINIO_KMS_KES_KEY_NAME=my-minio-key
```
#### 3. Start the MinIO Server
```sh
2021-01-05 10:22:57 -08:00
export MINIO_ROOT_USER=minio
export MINIO_ROOT_PASSWORD=minio123
2020-05-20 22:55:54 +02:00
minio server ~/export
```
2020-05-20 03:33:11 +02:00
> The KES instance at `https://play.min.io:7373` is meant to experiment and provides a way to get started quickly.
> Note that anyone can access or delete master keys at `https://play.min.io:7373`. You should run your own KES
> instance in production.
## Configuration Guides
A typical MinIO deployment that uses a KMS for SSE-S3 looks like this:
2020-02-05 08:08:47 +01:00
```
2020-05-01 21:36:30 +02:00
┌────────────┐
│ ┌──────────┴─┬─────╮ ┌────────────┐
└─┤ ┌──────────┴─┬───┴──────────┤ ┌──────────┴─┬─────────────────╮
└─┤ ┌──────────┴─┬─────┬──────┴─┤ KES Server ├─────────────────┤
└─┤ MinIO ├─────╯ └────────────┘ ┌────┴────┐
└────────────┘ │ KMS │
└─────────┘
2020-09-03 12:43:45 -07:00
```
2018-12-18 22:00:32 +01:00
2020-09-13 16:23:18 -07:00
In a given setup, there are `n` MinIO instances talking to `m` KES servers but only `1` central KMS. The most simple setup consists of `1` MinIO server or cluster talking to `1` KMS via `1` KES server.
2019-07-17 21:55:26 +02:00
2020-09-13 16:23:18 -07:00
The main difference between various MinIO-KMS deployments is the KMS implementation. The following table helps you select the right option for your use case:
2019-07-17 21:55:26 +02:00
2020-10-06 14:09:43 -04:00
| KMS | Purpose |
|:---------------------------------------------------------------------------------------------|:------------------------------------------------------------------|
| [Hashicorp Vault ](https://github.com/minio/kes/wiki/Hashicorp-Vault-Keystore ) | Local KMS. MinIO and KMS on-prem (**Recommended**) |
| [AWS-KMS + SecretsManager ](https://github.com/minio/kes/wiki/AWS-SecretsManager ) | Cloud KMS. MinIO in combination with a managed KMS installation |
2021-01-16 12:08:02 -08:00
| [Gemalto KeySecure /Thales CipherTrust ](https://github.com/minio/kes/wiki/Gemalto-KeySecure ) | Local KMS. MinIO and KMS On-Premises. |
| [Google Cloud Platform SecretManager ](https://github.com/minio/kes/wiki/GCP-SecretManager ) | Cloud KMS. MinIO in combination with a managed KMS installation |
2020-10-06 14:09:43 -04:00
| [FS ](https://github.com/minio/kes/wiki/Filesystem-Keystore ) | Local testing or development (**Not recommended for production**) |
2020-09-03 12:43:45 -07:00
2020-09-13 16:23:18 -07:00
The MinIO-KES configuration is always the same - regardless of the underlying KMS implementation. Checkout the MinIO-KES [configuration example ](https://github.com/minio/kes/wiki/MinIO-Object-Storage ).
2020-02-05 08:08:47 +01:00
2020-05-20 03:33:11 +02:00
### Further references
2019-07-17 21:55:26 +02:00
2020-09-03 12:43:45 -07:00
- [Run MinIO with TLS / HTTPS ](https://docs.min.io/docs/how-to-secure-access-to-minio-server-with-tls.html )
- [Tweak the KES server configuration ](https://github.com/minio/kes/wiki/Configuration )
- [Run a load balancer infront of KES ](https://github.com/minio/kes/wiki/TLS-Proxy )
- [Understand the KES server concepts ](https://github.com/minio/kes/wiki/Concepts )
2019-07-17 21:55:26 +02:00
2020-05-20 03:33:11 +02:00
## Auto Encryption
2020-09-13 16:23:18 -07:00
Auto-Encryption is useful when MinIO administrator wants to ensure that all data stored on MinIO is encrypted at rest.
2018-12-14 22:35:48 +01:00
2020-09-13 16:23:18 -07:00
### Using `mc encrypt` (recommended)
2020-09-03 12:43:45 -07:00
MinIO automatically encrypts all objects on buckets if KMS is successfully configured and bucket encryption configuration is enabled for each bucket as shown below:
```
2020-12-01 18:00:49 -06:00
mc encrypt set sse-s3 myminio/bucket/
2020-09-03 12:43:45 -07:00
```
2018-12-14 22:35:48 +01:00
2020-09-03 12:43:45 -07:00
Verify if MinIO has `sse-s3` enabled
2019-07-15 17:32:15 -07:00
```
2020-09-03 12:43:45 -07:00
mc encrypt info myminio/bucket/
Auto encryption 'sse-s3' is enabled
2018-12-14 22:35:48 +01:00
```
2020-09-13 16:23:18 -07:00
### Using environment (deprecated)
2020-12-07 19:02:20 -08:00
> NOTE: The following ENV might be removed in future, you are advised to move to the previously recommended approach using `mc encrypt`. S3 gateway supports encryption at gateway layer which may be dropped in favor of simplicity at a later time. It is advised that S3 gateway users migrate to MinIO server mode or enable encryption at REST at the backend.
2020-09-13 16:23:18 -07:00
MinIO automatically encrypts all objects on buckets if KMS is successfully configured and following ENV is enabled:
```
export MINIO_KMS_AUTO_ENCRYPTION=on
```
2020-09-03 12:43:45 -07:00
2020-09-13 16:23:18 -07:00
### Verify auto-encryption
2020-02-05 08:08:47 +01:00
> Note that auto-encryption only affects requests without S3 encryption headers. So, if a S3 client sends
> e.g. SSE-C headers, MinIO will encrypt the object with the key sent by the client and won't reach out to
2020-09-03 12:43:45 -07:00
> the configured KMS.
2020-02-05 08:08:47 +01:00
2020-09-03 12:43:45 -07:00
To verify auto-encryption, use the following `mc` command:
2018-12-14 16:21:41 -08:00
2019-07-15 17:32:15 -07:00
```
2020-05-20 03:33:11 +02:00
mc cp test.file myminio/bucket/
2018-12-14 16:21:41 -08:00
test.file: 5 B / 5 B ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓ 100.00% 337 B/s 0s
2020-09-03 12:43:45 -07:00
```
2020-05-20 03:33:11 +02:00
2020-09-03 12:43:45 -07:00
```
2020-05-20 03:33:11 +02:00
mc stat myminio/bucket/test.file
2018-12-14 16:21:41 -08:00
Name : test.file
...
Encrypted :
X-Amz-Server-Side-Encryption: AES256
```
2020-02-05 08:08:47 +01:00
## Explore Further
2018-08-17 12:52:14 -07:00
2019-04-09 11:39:42 -07:00
- [Use `mc` with MinIO Server ](https://docs.min.io/docs/minio-client-quickstart-guide )
- [Use `aws-cli` with MinIO Server ](https://docs.min.io/docs/aws-cli-with-minio )
- [Use `s3cmd` with MinIO Server ](https://docs.min.io/docs/s3cmd-with-minio )
- [Use `minio-go` SDK with MinIO Server ](https://docs.min.io/docs/golang-client-quickstart-guide )
- [The MinIO documentation website ](https://docs.min.io )