mirror of
https://github.com/minio/minio.git
synced 2024-12-24 22:25:54 -05:00
add howto generate a master key and add master key disclaimer (#6992)
This commit adds a section to the master key documentation describing how to generate a random 256-bit master key. Further, this commit adds a warning that master keys are not recommended for production systems because it's (currently) not possible to replace a master key (e.g. in case of compromise).
This commit is contained in:
parent
7da0336ac8
commit
5a5895203b
@ -16,8 +16,8 @@ Minio supports two different KMS concepts:
|
|||||||
Direct master keys are useful if the storage backend is not on the same machine as the Minio server, e.g.,
|
Direct master keys are useful if the storage backend is not on the same machine as the Minio server, e.g.,
|
||||||
if network drives or Minio gateway is used and an external KMS would cause too much management overhead.
|
if network drives or Minio gateway is used and an external KMS would cause too much management overhead.
|
||||||
|
|
||||||
Note: If the Minio server machine is ever compromised, then the master key must also be
|
Note: KMS master keys are mainly for testing purposes. It's not recommended to use them for production deployments.
|
||||||
treated as compromised.
|
Further if the Minio server machine is ever compromised, then the master key must also be treated as compromised.
|
||||||
|
|
||||||
**Important:**
|
**Important:**
|
||||||
If multiple Minio servers are configured as [gateways](https://github.com/minio/minio/blob/master/docs/gateway/README.md)
|
If multiple Minio servers are configured as [gateways](https://github.com/minio/minio/blob/master/docs/gateway/README.md)
|
||||||
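Review bot: the new "Note: KMS master keys are mainly for testing purposes" line states the recommendation but not the reason; the commit message gives it (a master key currently cannot be replaced, so a compromised key cannot be rotated out), and the README should say so, since a reader who only sees the doc has no way to judge the risk. Suggest something like "Note: KMS master keys are mainly for testing purposes. It's not recommended to use them for production deployments, because a master key currently cannot be rotated or replaced." Also, "Further if the Minio server machine is ever compromised" wants a comma after "Further" to match the sentence that follows the added note.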
@ -119,6 +119,12 @@ A KMS master key can be specified directly using:
|
|||||||
export MINIO_SSE_MASTER_KEY=my-minio-key:6368616e676520746869732070617373776f726420746f206120736563726574
|
export MINIO_SSE_MASTER_KEY=my-minio-key:6368616e676520746869732070617373776f726420746f206120736563726574
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Please use your own master key. A random master key can be generated using e.g. this command on Linux/Mac/BSD* systems:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
head -c 32 /dev/urandom | xxd -c 32 -ps
|
||||||
|
```
|
||||||
|
|
||||||
### 3. Test your setup
|
### 3. Test your setup
|
||||||
|
|
||||||
To test this setup, start minio server with environment variables set in Step 3, and server is ready to handle SSE-S3 requests.
|
To test this setup, start minio server with environment variables set in Step 3, and server is ready to handle SSE-S3 requests.
|
||||||
|
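Review bot: the generation command `head -c 32 /dev/urandom | xxd -c 32 -ps` depends on `xxd`, which is shipped with vim rather than as a base utility, so it is not present on every Linux/Mac/BSD system the sentence names; consider adding a fallback that needs only widely available tools, e.g. `openssl rand -hex 32`, or wording the sentence as "one option on systems where xxd is installed". Without `-c 32` xxd would wrap the output across lines, so the flag should stay if the command is kept. Unrelated to this change but visible in the context lines: "### 3. Test your setup" tells the reader to use "environment variables set in Step 3", which refers to itself; check whether it should point at the previous step.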