add auto-encryption feature (#6523)

This commit adds an auto-encryption feature which allows the Minio operator to ensure that uploaded objects are always encrypted. This change adds the `autoEncryption` configuration option as part of the KMS conifguration and the ENV. variable `MINIO_SSE_AUTO_ENCRYPTION:{on,off}`. It also updates the KMS documentation according to the changes. Fixes #6502
2025-11-07 12:52:58 -05:00 · 2018-12-14 22:35:48 +01:00
parent bebaff269c
commit d264d2c899
10 changed files with 132 additions and 17 deletions
--- a/docs/kms/README.md
+++ b/docs/kms/README.md
@@ -18,6 +18,12 @@ Minio supports two different KMS concepts:
   Note: If the Minio server machine is ever compromised, then the master key must also be 
   treated as compromised.

+**Important:**  
+If multiple minio server are configured as [gateways](https://github.com/minio/minio/blob/master/docs/gateway/README.md)
+pointing to the *same* backend - for example the same NAS storage - than the KMS configuration **must** be equal for
+all gateways. Otherwise one gateway may not be able to decrypt objects created by another gateway. It's the operators 
+responsibility to ensure that.
+
 ## Get started

 ### 1. Prerequisites
@@ -85,6 +91,12 @@ export MINIO_SSE_VAULT_KEY_NAME=my-minio-key
 minio server ~/export
 ```

+Optionally set `MINIO_SSE_VAULT_CAPATH` to a directory of PEM-encoded CA cert files to use mTLS for client-server authentication.
+
+```
+export MINIO_SSE_VAULT_CAPATH=/home/user/custom-certs
+```
+
 Optionally set `MINIO_SSE_VAULT_NAMESPACE` if AppRole and Transit Secrets engine have been scoped to Vault Namespace

 ```
@@ -93,6 +105,8 @@ export MINIO_SSE_VAULT_NAMESPACE=ns1

 Note: If [Vault Namespaces](https://learn.hashicorp.com/vault/operations/namespaces) are in use, MINIO_SSE_VAULT_NAMESPACE variable needs to be set before setting approle and transit secrets engine.

+
+
 #### 2.2 Specify a master key

 A KMS master key consists of a master-key ID (CMK) and the 256 bit master key encoded as HEX value separated by a `:`.
@@ -106,6 +120,25 @@ export MINIO_SSE_MASTER_KEY=my-minio-key:6368616e676520746869732070617373776f726

 To test this setup, start minio server with environment variables set in Step 3, and server is ready to handle SSE-S3 requests.

+### Auto-Encryption
+
+Minio can also enable auto-encryption **if** a valid KMS configuration is specified and the storage backend supports
+encrypted objects. Auto-Encryption, if enabled, ensures that all uploaded objects are encrypted using the specified
+KMS configuration.
+
+Auto-Encryption is useful especially if the Minio operator wants to ensure that objects are **never** stored in 
+plaintext - for example if sensitive data is stored on public cloud storage.
+
+To enable auto-encryption either set the ENV. variable: 
+
+```sh
+export MINIO_SSE_AUTO_ENCRYPTION=on
+```
+
+Note: Auto-Encryption only affects non-SSE-C requests since objects uploaded using SSE-C are already encrypted
+and S3 only allows either SSE-S3 or SSE-C but not both for the same object.   
+
+
 # Explore Further

 - [Use `mc` with Minio Server](https://docs.minio.io/docs/minio-client-quickstart-guide)