kms: encrypt IAM/config data with the KMS (#12041)

This commit changes the config/IAM encryption process. Instead of encrypting config data (users, policies etc.) with the root credentials MinIO now encrypts this data with a KMS - if configured. Therefore, this PR moves the MinIO-KMS configuration (via env. variables) to a "top-level" configuration. The KMS configuration cannot be stored in the config file since it is used to decrypt the config file in the first place. As a consequence, this commit also removes support for Hashicorp Vault - which has been deprecated anyway. Signed-off-by: Andreas Auernhammer <aead@mail.de>
2025-11-08 21:24:55 -05:00 · 2021-04-22 17:45:30 +02:00
parent e05e14309c
commit 3455f786fa
41 changed files with 553 additions and 2157 deletions
--- a/cmd/test-utils_test.go
+++ b/cmd/test-utils_test.go
@@ -81,12 +81,9 @@ func TestMain(m *testing.M) {

 	// disable ENVs which interfere with tests.
 	for _, env := range []string{
-		crypto.EnvAutoEncryptionLegacy,
 		crypto.EnvKMSAutoEncryption,
 		config.EnvAccessKey,
-		config.EnvAccessKeyOld,
 		config.EnvSecretKey,
-		config.EnvSecretKeyOld,
 	} {
 		os.Unsetenv(env)
 	}