add auto-encryption feature (#6523)

This commit adds an auto-encryption feature which allows
the Minio operator to ensure that uploaded objects are
always encrypted.

This change adds the `autoEncryption` configuration option
as part of the KMS configuration and the environment variable
`MINIO_SSE_AUTO_ENCRYPTION:{on,off}`.

It also updates the KMS documentation according to the
changes.

Fixes #6502
Andreas Auernhammer
2018-12-14 22:35:48 +01:00
committed by kannappanr
parent bebaff269c
commit d264d2c899
10 changed files with 132 additions and 17 deletions


@@ -18,6 +18,7 @@ package cmd
import (
"context"
"errors"
"fmt"
"net/url"
"os"
@@ -222,7 +223,6 @@ func StartGateway(ctx *cli.Context, gw Gateway) {
globalHTTPServer.Shutdown()
logger.FatalIf(err, "Unable to initialize gateway backend")
}
// Create a new config system.
globalConfigSys = NewConfigSys()
if globalEtcdClient != nil && gatewayName == "nas" {
@@ -279,6 +279,11 @@ func StartGateway(ctx *cli.Context, gw Gateway) {
if globalEtcdClient != nil && newObject.IsNotificationSupported() {
_ = globalNotificationSys.Init(newObject)
}
if globalAutoEncryption && !newObject.IsEncryptionSupported() {
logger.Fatal(errors.New("Invalid KMS configuration"), "auto-encryption is enabled but gateway does not support encryption")
}
// Once endpoints are finalized, initialize the new object api.
globalObjLayerMutex.Lock()
globalObjectAPI = newObject
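Review bot: The new `globalAutoEncryption` check exits through `logger.Fatal` without the `globalHTTPServer.Shutdown()` call that the earlier "Unable to initialize gateway backend" failure path in this function makes first. If the listener is already up at this point (not visible in the hunk), adding `globalHTTPServer.Shutdown()` before the `logger.Fatal` call would keep the two fatal paths consistent. The check fails closed and sits before `globalObjectAPI = newObject`, and that ordering is what stops a gateway without encryption support from accepting writes. It deserves a comment such as `// Fail closed before the object layer is published: with auto-encryption on, a backend without SSE support must never serve requests.` Including `gatewayName` in the message would also tell the operator which backend was rejected. StartGateway's body begins and ends outside the hunk.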