kms: encrypt IAM/config data with the KMS (#12041)

This commit changes the config/IAM encryption
process. Instead of encrypting config data
(users, policies etc.) with the root credentials
MinIO now encrypts this data with a KMS - if configured.

Therefore, this PR moves the MinIO-KMS configuration (via
env. variables) to a "top-level" configuration.
The KMS configuration cannot be stored in the config file
since it is used to decrypt the config file in the first
place.

As a consequence, this commit also removes support for
Hashicorp Vault - which has been deprecated anyway.

Signed-off-by: Andreas Auernhammer <aead@mail.de>

cmd/config/cache/lookup.go

@@ -48,7 +48,7 @@ const (
 	EnvCacheRange         = "MINIO_CACHE_RANGE"
 	EnvCacheCommit        = "MINIO_CACHE_COMMIT"
 
-	EnvCacheEncryptionMasterKey = "MINIO_CACHE_ENCRYPTION_MASTER_KEY"
+	EnvCacheEncryptionKey = "MINIO_CACHE_ENCRYPTION_SECRET_KEY"
 
 	DefaultExpiry        = "90"
 	DefaultQuota         = "80"

cmd/config/constants.go

@@ -23,24 +23,29 @@ const (
 
 // Top level common ENVs
 const (
-	EnvAccessKey       = "MINIO_ACCESS_KEY"
-	EnvSecretKey       = "MINIO_SECRET_KEY"
-	EnvRootUser        = "MINIO_ROOT_USER"
-	EnvRootPassword    = "MINIO_ROOT_PASSWORD"
-	EnvAccessKeyOld    = "MINIO_ACCESS_KEY_OLD"
-	EnvSecretKeyOld    = "MINIO_SECRET_KEY_OLD"
-	EnvRootUserOld     = "MINIO_ROOT_USER_OLD"
-	EnvRootPasswordOld = "MINIO_ROOT_PASSWORD_OLD"
-	EnvBrowser         = "MINIO_BROWSER"
-	EnvDomain          = "MINIO_DOMAIN"
-	EnvRegionName      = "MINIO_REGION_NAME"
-	EnvPublicIPs       = "MINIO_PUBLIC_IPS"
-	EnvFSOSync         = "MINIO_FS_OSYNC"
-	EnvArgs            = "MINIO_ARGS"
-	EnvDNSWebhook      = "MINIO_DNS_WEBHOOK_ENDPOINT"
+	EnvAccessKey    = "MINIO_ACCESS_KEY"
+	EnvSecretKey    = "MINIO_SECRET_KEY"
+	EnvRootUser     = "MINIO_ROOT_USER"
+	EnvRootPassword = "MINIO_ROOT_PASSWORD"
+
+	EnvBrowser    = "MINIO_BROWSER"
+	EnvDomain     = "MINIO_DOMAIN"
+	EnvRegionName = "MINIO_REGION_NAME"
+	EnvPublicIPs  = "MINIO_PUBLIC_IPS"
+	EnvFSOSync    = "MINIO_FS_OSYNC"
+	EnvArgs       = "MINIO_ARGS"
+	EnvDNSWebhook = "MINIO_DNS_WEBHOOK_ENDPOINT"
 
 	EnvUpdate = "MINIO_UPDATE"
 
+	EnvKMSMasterKey  = "MINIO_KMS_MASTER_KEY" // legacy
+	EnvKMSSecretKey  = "MINIO_KMS_SECRET_KEY"
+	EnvKESEndpoint   = "MINIO_KMS_KES_ENDPOINT"
+	EnvKESKeyName    = "MINIO_KMS_KES_KEY_NAME"
+	EnvKESClientKey  = "MINIO_KMS_KES_KEY_FILE"
+	EnvKESClientCert = "MINIO_KMS_KES_CERT_FILE"
+	EnvKESServerCA   = "MINIO_KMS_KES_CAPATH"
+
 	EnvEndpoints = "MINIO_ENDPOINTS" // legacy
 	EnvWorm      = "MINIO_WORM"      // legacy
 	EnvRegion    = "MINIO_REGION"    // legacy

cmd/config/crypto.go

@@ -28,6 +28,30 @@ import (
 	"github.com/secure-io/sio-go/sioutil"
 )
 
+// EncryptBytes encrypts the plaintext with a key managed by KMS.
+// The context is bound to the returned ciphertext.
+//
+// The same context must be provided when decrypting the
+// ciphertext.
+func EncryptBytes(KMS kms.KMS, plaintext []byte, context kms.Context) ([]byte, error) {
+	ciphertext, err := Encrypt(KMS, bytes.NewReader(plaintext), context)
+	if err != nil {
+		return nil, err
+	}
+	return io.ReadAll(ciphertext)
+}
+
+// DecryptBytes decrypts the ciphertext using a key managed by the KMS.
+// The same context that have been used during encryption must be
+// provided.
+func DecryptBytes(KMS kms.KMS, ciphertext []byte, context kms.Context) ([]byte, error) {
+	plaintext, err := Decrypt(KMS, bytes.NewReader(ciphertext), context)
+	if err != nil {
+		return nil, err
+	}
+	return io.ReadAll(plaintext)
+}
+
 // Encrypt encrypts the plaintext with a key managed by KMS.
 // The context is bound to the returned ciphertext.
 //