kes: add support for encrypted private keys (#14650)

This commit adds support for encrypted KES client private keys. Now, it is possible to encrypt the KES client private key (`MINIO_KMS_KES_KEY_FILE`) with a password. For example, KES CLI already supports the creation of encrypted private keys: ``` kes identity new --encrypt --key client.key --cert client.crt MinIO ``` To decrypt an encrypted private key, the password needs to be provided: ``` MINIO_KMS_KES_KEY_PASSWORD=<password> ``` Signed-off-by: Andreas Auernhammer <hi@aead.dev>
2025-11-07 12:52:58 -05:00 · 2022-03-29 18:53:33 +02:00
parent 81d2b54dfd
commit e955aa7f2a
3 changed files with 46 additions and 8 deletions
--- a/docs/kms/README.md
+++ b/docs/kms/README.md
@@ -120,6 +120,20 @@ Encrypted :
  X-Amz-Server-Side-Encryption: AES256
 ```

+## Encrypted Private Key
+
+MinIO supports encrypted KES client private keys. Therefore, you can use
+an password-protected private keys for `MINIO_KMS_KES_KEY_FILE`. 
+
+When using password-protected private keys for accessing KES you need to
+provide the password via:
+```
+export MINIO_KMS_KES_KEY_PASSWORD=<your-password>
+``` 
+
+Note that MinIO only supports encrypted private keys - not encrypted certificates.
+Certificates are no secrets and sent in plaintext as part of the TLS handshake.
+
 ## Explore Further

 - [Use `mc` with MinIO Server](https://docs.min.io/docs/minio-client-quickstart-guide)