From eb1f9c9916cdd2d1031b76dfc4e539fd643de6bc Mon Sep 17 00:00:00 2001 From: poornas Date: Mon, 5 Nov 2018 13:01:18 -0800 Subject: [PATCH] Update KMS readme with vault quick start guide (#6747) --- docs/kms/README.md | 50 +++++++++++++++++++++++++++++++++++++++------- 1 file changed, 43 insertions(+), 7 deletions(-) diff --git a/docs/kms/README.md b/docs/kms/README.md index 2e4059b8f..74edb045f 100644 --- a/docs/kms/README.md +++ b/docs/kms/README.md @@ -1,6 +1,6 @@ # KMS Quickstart Guide [![Slack](https://slack.minio.io/slack?type=svg)](https://slack.minio.io) -KMS feature allows you to use Vault to generate and manages keys which are used by the minio server to encrypt objects.This document explains how to configure Minio with Vault as KMS. +KMS feature allows you to use Vault to generate and manage encryption keys for use by the minio server to encrypt objects. This document explains how to configure Minio with Vault as KMS. ## Get started 
@@ -10,13 +10,49 @@ Install Minio - [Minio Quickstart Guide](https://docs.minio.io/docs/minio-quicks ### 2. Configure Vault Vault as Key Management System requires following to be configured in Vault -- transit backend configured with a named encryption key-ring -- AppRole based authentication with read/update policy for transit backend. In particular, read and update policy - are required for the generate data key endpoint and decrypt key endpoint. +- [transit](https://www.vaultproject.io/docs/secrets/transit/index.html) backend configured with a named encryption key-ring +- [AppRole](https://www.vaultproject.io/docs/auth/approle.html) based authentication with read/update policy for transit backend. In particular, read and update policy are required for the [Generate Data Key](https://www.vaultproject.io/api/secret/transit/index.html#generate-data-key) endpoint and [Decrypt Data](https://www.vaultproject.io/api/secret/transit/index.html#decrypt-data) endpoint. + +Here is a sample quick start for configuring vault with a transit backend and Approle with correct policy +#### 2.1 Start Vault server in dev mode +In dev mode, Vault server runs in-memory and starts unsealed. Note that running Vault in dev mode is insecure and any data stored in the Vault is lost upon restart. +``` +vault server -dev +``` + +#### 2.2 Set up vault transit backend and create an app role +``` +cat > vaultpolicy.hcl <
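Review bot: In the first hunk, the rewritten intro sentence still drops the article ("KMS feature allows you...") and mixes "minio server" with "Minio" in the same sentence; suggest "The KMS feature allows you to use Vault to generate and manage encryption keys for use by the Minio server to encrypt objects." so the README reads consistently with the heading and the rest of the page.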
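Review bot: In the second hunk, the bullet "AppRole based authentication with read/update policy for transit backend" grants more than the two endpoints named in the same sentence need; since the guide already requires a named encryption key-ring, the policy shown in section 2.2 should be scoped to that key's paths under the transit backend rather than to the backend as a whole, and the prose should say so, otherwise readers will copy an over-broad policy. Minor points in the same hunk: "Here is a sample quick start for configuring vault with a transit backend and Approle with correct policy" lacks a terminating period and spells "Approle" differently from "AppRole" two lines above; the new fences for `vault server -dev` and the `cat > vaultpolicy.hcl` block are untagged, and a `sh` tag would match the shell commands they contain. The dev-mode warning is a good addition and should stay next to the command as written.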