diff --git a/Dockerfile b/Dockerfile
index 3248e59cd..1e908d8ab 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -16,7 +16,8 @@ FROM alpine:3.9
 
 ENV MINIO_UPDATE off
 ENV MINIO_ACCESS_KEY_FILE=access_key \
-    MINIO_SECRET_KEY_FILE=secret_key
+    MINIO_SECRET_KEY_FILE=secret_key \
+    MINIO_SSE_MASTER_KEY_FILE=sse_master_key
 
 EXPOSE 9000
 
diff --git a/Dockerfile.dev b/Dockerfile.dev
index aadecd741..212212685 100644
--- a/Dockerfile.dev
+++ b/Dockerfile.dev
@@ -7,7 +7,8 @@ COPY minio /usr/bin/
 
 ENV MINIO_UPDATE off
 ENV MINIO_ACCESS_KEY_FILE=access_key \
-    MINIO_SECRET_KEY_FILE=secret_key
+    MINIO_SECRET_KEY_FILE=secret_key \
+    MINIO_SSE_MASTER_KEY_FILE=sse_master_key
 
 RUN \
     apk add --no-cache ca-certificates 'curl>7.61.0' 'su-exec>=0.2' && \
diff --git a/Dockerfile.release b/Dockerfile.release
index 09b8ce8b4..8580f09df 100644
--- a/Dockerfile.release
+++ b/Dockerfile.release
@@ -18,7 +18,8 @@ COPY dockerscripts/docker-entrypoint.sh /usr/bin/
 
 ENV MINIO_UPDATE off
 ENV MINIO_ACCESS_KEY_FILE=access_key \
-    MINIO_SECRET_KEY_FILE=secret_key
+    MINIO_SECRET_KEY_FILE=secret_key \
+    MINIO_SSE_MASTER_KEY_FILE=sse_master_key
 
 RUN \
     apk add --no-cache ca-certificates 'curl>7.61.0' 'su-exec>=0.2' && \
diff --git a/dockerscripts/docker-entrypoint.sh b/dockerscripts/docker-entrypoint.sh
index 997771c4d..831aa948b 100755
--- a/dockerscripts/docker-entrypoint.sh
+++ b/dockerscripts/docker-entrypoint.sh
@@ -39,6 +39,17 @@ docker_secrets_env() {
     fi
 }
 
+## Set SSE_MASTER_KEY from docker secrets if provided
+docker_sse_encryption_env() {
+    SSE_MASTER_KEY_FILE="/run/secrets/$MINIO_SSE_MASTER_KEY_FILE"
+
+    if [ -f "$SSE_MASTER_KEY_FILE" ]; then
+        MINIO_SSE_MASTER_KEY="$(cat "$SSE_MASTER_KEY_FILE")"
+        export MINIO_SSE_MASTER_KEY
+
+    fi
+}
+
 # su-exec to requested user, if service cannot run exec will fail.
 docker_switch_user() {
     if [ -z "${MINIO_USERNAME}" ] || [ -z "${MINIO_GROUPNAME}" ]; then
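Review bot: The `-f` test in docker_sse_encryption_env accepts an empty or unreadable secret file, so `MINIO_SSE_MASTER_KEY` is exported as an empty string and the server only fails later with a less direct error; `if [ -s "$SSE_MASTER_KEY_FILE" ]; then` rejects an empty file at the point where the cause is still obvious. The header comment names a variable that does not exist in the script; `## Set MINIO_SSE_MASTER_KEY from a docker secret if one is provided` matches what the function exports. The assignment to `SSE_MASTER_KEY_FILE` is global and there is a stray blank line before `fi`, which appear to follow the style of the existing docker_secrets_env (its body starts outside the hunk), so they are consistency nits rather than defects. Worth a one-line comment above the `export`: once exported, the key is part of the environment of the minio process and of every child it spawns, and on Linux that environment is readable by any process running as the same user.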
@@ -55,5 +66,8 @@ docker_switch_user() { ## Set access env from secrets if necessary. docker_secrets_env +## Set sse encryption from secrets if necessary. +docker_sse_encryption_env + ## Switch to user if applicable. docker_switch_user "$@" diff --git a/docs/kms/README.md b/docs/kms/README.md index 30c0d4a7b..6bf4235b4 100644 --- a/docs/kms/README.md +++ b/docs/kms/README.md @@ -12,7 +12,7 @@ MinIO supports two different KMS concepts: by enabling or disabling the corresponding master keys on demand. - Direct KMS master keys: - MinIO can also be configured to directly use a master key specified by the environment variable `MINIO_SSE_MASTER_KEY`. + MinIO can also be configured to directly use a master key specified by the environment variable `MINIO_SSE_MASTER_KEY` or with a docker secret key. Direct master keys are useful if the storage backend is not on the same machine as the MinIO server, e.g., if network drives or MinIO gateway is used and an external KMS would cause too much management overhead. @@ -215,6 +215,8 @@ minio gateway s3 #### 2.2 Specify a master key +**2.2.1 KMS master key from environment variables** + A KMS master key consists of a master-key ID (CMK) and the 256 bit master key encoded as HEX value separated by a `:`. A KMS master key can be specified directly using: 
@@ -228,6 +230,23 @@ Please use your own master key. A random master key can be generated using e.g.
 head -c 32 /dev/urandom | xxd -c 32 -ps
 ```
 
+**2.2.2 KMS master key from docker secret**
+
+Alternatively, you may pass a master key as a [Docker secret](https://docs.docker.com/engine/swarm/secrets/).
+
+```bash
+echo "my-minio-key:6368616e676520746869732070617373776f726420746f206120736563726574" | docker secret create sse_master_key
+```
+
+Obviously, do not use this demo key for anything real!
+
+To use another secret name, follow the instructions above and replace sse_master_key with your custom names (e.g. my_sse_master_key).
+Then, set the MINIO_SSE_MASTER_KEY_FILE environment variable to your secret name:
+
+```bash
+export MINIO_SSE_MASTER_KEY_FILE=my_sse_master_key
+```
+
 ### 3. Test your setup
 
 To test this setup, start minio server with environment variables set in Step 3, and server is ready to handle SSE-S3 requests.