kms: encrypt IAM/config data with the KMS (#12041)

This commit changes the config/IAM encryption process. Instead of encrypting config data (users, policies etc.) with the root credentials MinIO now encrypts this data with a KMS - if configured. Therefore, this PR moves the MinIO-KMS configuration (via env. variables) to a "top-level" configuration. The KMS configuration cannot be stored in the config file since it is used to decrypt the config file in the first place. As a consequence, this commit also removes support for Hashicorp Vault - which has been deprecated anyway. Signed-off-by: Andreas Auernhammer <aead@mail.de>
2025-11-20 01:50:24 -05:00 · 2021-04-22 17:45:30 +02:00
parent e05e14309c
commit 3455f786fa
41 changed files with 553 additions and 2157 deletions
--- a/pkg/kms/single-key.go
+++ b/pkg/kms/single-key.go
@@ -52,7 +52,7 @@ func Parse(s string) (KMS, error) {
 }

 // New returns a single-key KMS that derives new DEKs from the
-// given key.
+// given key. The given key must always be 32 bytes.
 func New(keyID string, key []byte) (KMS, error) {
 	if len(key) != 32 {
 		return nil, errors.New("kms: invalid key length " + strconv.Itoa(len(key)))