add auto-encryption feature (#6523)

This commit adds an auto-encryption feature which allows the Minio operator to ensure that uploaded objects are always encrypted. This change adds the `autoEncryption` configuration option as part of the KMS conifguration and the ENV. variable `MINIO_SSE_AUTO_ENCRYPTION:{on,off}`. It also updates the KMS documentation according to the changes. Fixes #6502
2025-11-20 09:56:07 -05:00 · 2018-12-14 22:35:48 +01:00
parent bebaff269c
commit d264d2c899
10 changed files with 132 additions and 17 deletions
--- a/cmd/environment.go
+++ b/cmd/environment.go
@@ -30,6 +30,13 @@ const (
 	// a KMS master key used to protect SSE-S3 per-object keys.
 	// Valid values must be of the from: "KEY_ID:32_BYTE_HEX_VALUE".
 	EnvKMSMasterKey = "MINIO_SSE_MASTER_KEY"
+
+	// EnvAutoEncryption is the environment variable used to en/disable
+	// SSE-S3 auto-encryption. SSE-S3 auto-encryption, if enabled,
+	// requires a valid KMS configuration and turns any non-SSE-C
+	// request into an SSE-S3 request.
+	// If present EnvAutoEncryption must be either "on" or "off".
+	EnvAutoEncryption = "MINIO_SSE_AUTO_ENCRYPTION"
 )

 const (
@@ -141,6 +148,15 @@ func (env environment) LookupKMSConfig(config crypto.KMSConfig) (err error) {
 		}
 		globalKMSKeyID = config.Vault.Key.Name
 	}
+
+	autoEncryption, err := ParseBoolFlag(env.Get(EnvAutoEncryption, "off"))
+	if err != nil {
+		return err
+	}
+	globalAutoEncryption = bool(autoEncryption)
+	if globalAutoEncryption && globalKMS == nil { // auto-encryption enabled but no KMS
+		return errors.New("Invalid KMS configuration: auto-encryption is enabled but no valid KMS configuration is present")
+	}
 	return nil
 }