add howto generate a master key and add master key disclaimer (#6992)

This commit adds a section to the master key documentation
describing how to generate a random 256 bit master key.

Further this commit adds a warning that master keys are not
recommended for production systems because it's (currently)
not possible to replace a master key (e.g. in case of compromise).
Andreas Auernhammer 2018-12-18 22:00:32 +01:00 committed by kannappanr
parent 7da0336ac8
commit 5a5895203b


@ -16,8 +16,8 @@ Minio supports two different KMS concepts:
Direct master keys are useful if the storage backend is not on the same machine as the Minio server, e.g., Direct master keys are useful if the storage backend is not on the same machine as the Minio server, e.g.,
if network drives or Minio gateway is used and an external KMS would cause too much management overhead. if network drives or Minio gateway is used and an external KMS would cause too much management overhead.
Note: If the Minio server machine is ever compromised, then the master key must also be Note: KMS master keys are mainly for testing purposes. It's not recommended to use them for production deployments.
treated as compromised. Further if the Minio server machine is ever compromised, then the master key must also be treated as compromised.
**Important:** **Important:**
If multiple Minio servers are configured as [gateways](https://github.com/minio/minio/blob/master/docs/gateway/README.md) If multiple Minio servers are configured as [gateways](https://github.com/minio/minio/blob/master/docs/gateway/README.md)
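Review bot: The added note ("KMS master keys are mainly for testing purposes. It's not recommended to use them for production deployments.") states the recommendation but not the reason. The commit message gives one: a master key currently cannot be replaced, e.g. in case of compromise. Put that reason into the note itself so readers of the documentation see why production use is discouraged. The sentence that follows also needs a comma after "Further".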
@ -119,6 +119,12 @@ A KMS master key can be specified directly using:
export MINIO_SSE_MASTER_KEY=my-minio-key:6368616e676520746869732070617373776f726420746f206120736563726574 export MINIO_SSE_MASTER_KEY=my-minio-key:6368616e676520746869732070617373776f726420746f206120736563726574
``` ```
Please use your own master key. A random master key can be generated using e.g. this command on Linux/Mac/BSD* systems:
```sh
head -c 32 /dev/urandom | xxd -c 32 -ps
```
### 3. Test your setup ### 3. Test your setup
To test this setup, start minio server with environment variables set in Step 3, and server is ready to handle SSE-S3 requests. To test this setup, start minio server with environment variables set in Step 3, and server is ready to handle SSE-S3 requests.
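Review bot: The added command prints only the hex key, while the export line above it expects the form key-name:hex-key. The new paragraph should say that the output is the part after the colon, or show the full export with the generated value substituted in. The asterisk in "Linux/Mac/BSD*" has no matching footnote in the hunk and reads as a typo. Separately, the unchanged text under "### 3. Test your setup" refers to environment variables "set in Step 3", which looks like it should point at the previous step.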