Add support for SSE-S3 server side encryption with vault (#6192)

Add support for sse-s3 encryption with vault as KMS. Also refactoring code to make use of headers and functions defined in crypto package and clean up duplicated code.
2025-11-21 02:09:08 -05:00 · 2018-08-17 12:52:14 -07:00
parent 3d197c1449
commit e71ef905f9
236 changed files with 23463 additions and 608 deletions
--- a/cmd/server-main.go
+++ b/cmd/server-main.go
@@ -91,6 +91,12 @@ ENVIRONMENT VARIABLES:
     MINIO_DOMAIN:    To enable bucket DNS requests, set this value to Minio host domain name.
     MINIO_PUBLIC_IPS: To enable bucket DNS requests, set this value to list of Minio host public IP(s) delimited by ",".
     MINIO_ETCD_ENDPOINTS: To enable bucket DNS requests, set this value to list of etcd endpoints delimited by ",".
+	
+   KMS:
+     MINIO_SSE_VAULT_ENDPOINT: To enable Vault as KMS,set this value to Vault endpoint.
+     MINIO_SSE_VAULT_APPROLE_ID: To enable Vault as KMS,set this value to Vault AppRole ID.
+     MINIO_SSE_VAULT_APPROLE_SECRET: To enable Vault as KMS,set this value to Vault AppRole Secret ID.
+     MINIO_SSE_VAULT_KEY_NAME: To enable Vault as KMS,set this value to Vault encryption key-ring name.

 EXAMPLES:
  1. Start minio server on "/home/shared" directory.
@@ -117,6 +123,13 @@ EXAMPLES:
     $ export MINIO_CACHE_EXPIRY=40
     $ export MINIO_CACHE_MAXUSE=80
     $ {{.HelpName}} /home/shared
+	
+  7. Start minio server with KMS enabled.
+     $ export MINIO_SSE_VAULT_APPROLE_ID=9b56cc08-8258-45d5-24a3-679876769126
+     $ export MINIO_SSE_VAULT_APPROLE_SECRET=4e30c52f-13e4-a6f5-0763-d50e8cb4321f
+     $ export MINIO_SSE_VAULT_ENDPOINT=https://vault-endpoint-ip:8200
+     $ export MINIO_SSE_VAULT_KEY_NAME=my-minio-key
+     $ {{.HelpName}} /home/shared
 `,
 }