kms: encrypt IAM/config data with the KMS (#12041)

This commit changes the config/IAM encryption process. Instead of encrypting config data (users, policies etc.) with the root credentials MinIO now encrypts this data with a KMS - if configured. Therefore, this PR moves the MinIO-KMS configuration (via env. variables) to a "top-level" configuration. The KMS configuration cannot be stored in the config file since it is used to decrypt the config file in the first place. As a consequence, this commit also removes support for Hashicorp Vault - which has been deprecated anyway. Signed-off-by: Andreas Auernhammer <aead@mail.de>
2025-11-24 03:27:44 -05:00 · 2021-04-22 17:45:30 +02:00
parent e05e14309c
commit 3455f786fa
41 changed files with 553 additions and 2157 deletions
--- a/pkg/fips/fips.go
+++ b/pkg/fips/fips.go
@@ -1,3 +1,5 @@
+// +build fips
+
 // MinIO Cloud Storage, (C) 2021 MinIO, Inc.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
@@ -12,8 +14,6 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.

-//+build fips
-
 package fips

 import (
@@ -37,6 +37,6 @@ func cipherSuitesTLS() []uint16 {
 	}
 }

-func ellipticCurvesTLS() []tls.Curve {
+func ellipticCurvesTLS() []tls.CurveID {
 	return []tls.CurveID{tls.CurveP256}
 }