From 804a23a06d514f0a060a8458bafa8a41fd1873ce Mon Sep 17 00:00:00 2001
From: Harshavardhana
Date: Tue, 4 May 2021 10:06:16 -0700
Subject: [PATCH] update docs to remove _OLD credential references

also update the docs about config, IAM on encryption.
---
 cmd/config/errors.go | 5 -----
 docs/config/README.md | 20 +-------------------
 2 files changed, 1 insertion(+), 24 deletions(-)

diff --git a/cmd/config/errors.go b/cmd/config/errors.go
index 5b4de838d..a935e5b9b 100644
--- a/cmd/config/errors.go
+++ b/cmd/config/errors.go
@@ -120,11 +120,6 @@ var (
 "Please check the passed value",
 "MINIO_CACHE_AFTER cannot be used with MINIO_CACHE_COMMIT setting",
 )
- ErrInvalidRotatingCredentialsBackendEncrypted = newErrFn(
- "Invalid rotating credentials",
- "Please set correct rotating credentials in the environment for decryption",
- `Detected encrypted config backend, correct old access and secret keys should be specified via environment variables MINIO_ROOT_USER_OLD and MINIO_ROOT_PASSWORD_OLD to be able to re-encrypt the MinIO config, user IAM and policies with new credentials`,
- )
 ErrInvalidCredentialsBackendEncrypted = newErrFn(
 "Invalid credentials",
diff --git a/docs/config/README.md b/docs/config/README.md
index 1f7809a07..50ceda039 100644
--- a/docs/config/README.md
+++ b/docs/config/README.md
@@ -12,7 +12,7 @@ Additionally `--config-dir` is now a legacy option which will is scheduled for r
 minio server /data
 ```
-MinIO also encrypts all the config, IAM and policies content with admin credentials.
+MinIO also encrypts all the config, IAM and policies content if KMS is configured. Please refer to how to encrypt your config and IAM credentials [here](https://github.com/minio/minio/blob/master/docs/kms/IAM.md)
 ### Certificate Directory
@@ -40,24 +40,6 @@ export MINIO_ROOT_PASSWORD=minio13
 minio server /data
 ```
-##### Rotating encryption with new credentials
-
-Additionally if you wish to change the admin credentials, then MinIO will automatically detect this and re-encrypt with new credentials as shown below. For one time only special ENVs as shown below needs to be set for rotating the encryption config.
-
-> Old ENVs are never remembered in memory and are destroyed right after they are used to migrate your existing content with new credentials. You are safe to remove them after the server as successfully started, by restarting the services once again.
-
-```sh
-export MINIO_ROOT_USER=newminio
-export MINIO_ROOT_PASSWORD=newminio123
-export MINIO_ROOT_USER_OLD=minio
-export MINIO_ROOT_PASSWORD_OLD=minio123
-minio server /data
-```
-
-Once the migration is complete, server will automatically unset the `MINIO_ROOT_USER_OLD` and `MINIO_ROOT_PASSWORD_OLD` with in the process namespace.
-
-> **NOTE: Make sure to remove `MINIO_ROOT_USER_OLD` and `MINIO_ROOT_PASSWORD_OLD` in scripts or service files before next service restarts of the server to avoid double encryption of your existing contents.**
-
 #### Region
 ```
 KEY: