kms: encrypt IAM/config data with the KMS (#12041)

This commit changes the config/IAM encryption process. Instead of encrypting config data (users, policies etc.) with the root credentials MinIO now encrypts this data with a KMS - if configured. Therefore, this PR moves the MinIO-KMS configuration (via env. variables) to a "top-level" configuration. The KMS configuration cannot be stored in the config file since it is used to decrypt the config file in the first place. As a consequence, this commit also removes support for Hashicorp Vault - which has been deprecated anyway. Signed-off-by: Andreas Auernhammer <aead@mail.de>
2025-11-29 21:33:31 -05:00 · 2021-04-22 17:45:30 +02:00
parent e05e14309c
commit 3455f786fa
41 changed files with 553 additions and 2157 deletions
--- a/cmd/crypto/help.go
+++ b/cmd/crypto/help.go
@@ -15,95 +15,3 @@
 */

 package crypto
-
-import "github.com/minio/minio/cmd/config"
-
-// Help template for KMS vault
-var (
-	HelpVault = config.HelpKVS{
-		config.HelpKV{
-			Key:         KMSVaultEndpoint,
-			Description: `API endpoint e.g. "http://vault-endpoint-ip:8200"`,
-			Type:        "url",
-		},
-		config.HelpKV{
-			Key:         KMSVaultKeyName,
-			Description: `unique transit key name - e.g. "my-minio-key"`,
-			Type:        "string",
-		},
-		config.HelpKV{
-			Key:         KMSVaultAuthType,
-			Description: `supported auth type(s) ["approle"], defaults to "approle"`,
-			Type:        "string",
-		},
-		config.HelpKV{
-			Key:         KMSVaultAppRoleID,
-			Description: `unique role ID for approle`,
-			Type:        "string",
-		},
-		config.HelpKV{
-			Key:         KMSVaultAppRoleSecret,
-			Description: `unique secret ID for approle`,
-			Type:        "string",
-		},
-		config.HelpKV{
-			Key:         KMSVaultNamespace,
-			Description: `optional KMS namespace e.g. "customer1"`,
-			Optional:    true,
-			Type:        "string",
-		},
-		config.HelpKV{
-			Key:         KMSVaultKeyVersion,
-			Description: `optional key version number`,
-			Optional:    true,
-			Type:        "number",
-		},
-		config.HelpKV{
-			Key:         KMSVaultCAPath,
-			Description: `optional path to PEM-encoded CA certs e.g. "/home/user/custom-certs"`,
-			Optional:    true,
-			Type:        "path",
-		},
-		config.HelpKV{
-			Key:         config.Comment,
-			Description: config.DefaultComment,
-			Optional:    true,
-			Type:        "sentence",
-		},
-	}
-
-	HelpKes = config.HelpKVS{
-		config.HelpKV{
-			Key:         KMSKesEndpoint,
-			Description: `API endpoint - e.g. "https://kes-endpoint:7373"`,
-			Type:        "url",
-		},
-		config.HelpKV{
-			Key:         KMSKesKeyName,
-			Description: `unique key name - e.g. "my-minio-key"`,
-			Type:        "string",
-		},
-		config.HelpKV{
-			Key:         KMSKesCertFile,
-			Description: `path to client certificate for TLS auth - e.g. /etc/keys/public.crt`,
-			Type:        "path",
-		},
-		config.HelpKV{
-			Key:         KMSKesKeyFile,
-			Description: `path to client private key for TLS auth - e.g. /etc/keys/private.key`,
-			Type:        "path",
-		},
-		config.HelpKV{
-			Key:         KMSKesCAPath,
-			Description: `path to PEM-encoded cert(s) to verify kes server cert - e.g. /etc/keys/CAs`,
-			Optional:    true,
-			Type:        "path",
-		},
-		config.HelpKV{
-			Key:         config.Comment,
-			Description: config.DefaultComment,
-			Optional:    true,
-			Type:        "sentence",
-		},
-	}
-)