kes: add support for encrypted private keys (#14650)

This commit adds support for encrypted KES client private keys. Now, it is possible to encrypt the KES client private key (`MINIO_KMS_KES_KEY_FILE`) with a password. For example, KES CLI already supports the creation of encrypted private keys: ``` kes identity new --encrypt --key client.key --cert client.crt MinIO ``` To decrypt an encrypted private key, the password needs to be provided: ``` MINIO_KMS_KES_KEY_PASSWORD=<password> ``` Signed-off-by: Andreas Auernhammer <hi@aead.dev>
2025-11-07 12:52:58 -05:00 · 2022-03-29 18:53:33 +02:00
parent 81d2b54dfd
commit e955aa7f2a
3 changed files with 46 additions and 8 deletions
--- a/internal/config/constants.go
+++ b/internal/config/constants.go
@@ -62,13 +62,14 @@ const (

 	EnvUpdate = "MINIO_UPDATE"

-	EnvKMSSecretKey     = "MINIO_KMS_SECRET_KEY"
-	EnvKMSSecretKeyFile = "MINIO_KMS_SECRET_KEY_FILE"
-	EnvKESEndpoint      = "MINIO_KMS_KES_ENDPOINT"
-	EnvKESKeyName       = "MINIO_KMS_KES_KEY_NAME"
-	EnvKESClientKey     = "MINIO_KMS_KES_KEY_FILE"
-	EnvKESClientCert    = "MINIO_KMS_KES_CERT_FILE"
-	EnvKESServerCA      = "MINIO_KMS_KES_CAPATH"
+	EnvKMSSecretKey      = "MINIO_KMS_SECRET_KEY"
+	EnvKMSSecretKeyFile  = "MINIO_KMS_SECRET_KEY_FILE"
+	EnvKESEndpoint       = "MINIO_KMS_KES_ENDPOINT"
+	EnvKESKeyName        = "MINIO_KMS_KES_KEY_NAME"
+	EnvKESClientKey      = "MINIO_KMS_KES_KEY_FILE"
+	EnvKESClientPassword = "MINIO_KMS_KES_KEY_PASSWORD"
+	EnvKESClientCert     = "MINIO_KMS_KES_CERT_FILE"
+	EnvKESServerCA       = "MINIO_KMS_KES_CAPATH"

 	EnvEndpoints  = "MINIO_ENDPOINTS"   // legacy
 	EnvWorm       = "MINIO_WORM"        // legacy