MyFavMirrors
/
minio
mirror of https://github.com/minio/minio.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
6,889 Commits 5 Branches 503 Tags 186 MiB
Commit Graph

6 Commits

Author SHA1 Message Date
Andreas Auernhammer b1845c6c83
kes: try to auto. create master key if not present (#9790) 
This commit changes the data key generation such that
if a MinIO server/nodes tries to generate a new DEK
but the particular master key does not exist - then
MinIO asks KES to create a new master key and then
requests the DEK again.

From now on, a SSE-S3 master key must not be created
explicitly via: `kes key create <key-name>`.
Instead, it is sufficient to just set the env. var.
```
export MINIO_KMS_KES_KEY_NAME=<key-name>
```

However, the MinIO identity (mTLS client certificate)
must have the permission to access the `/v1/key/create/`
API. Therefore, KES policy for MinIO must look similar to:
```
[
  /v1/key/create/<key-name-pattern>
  /v1/key/generate/<key-name-pattern>
  /v1/key/decrypt/<key-name-pattern>
]
```
However, in our guides we already suggest that.
See e.g.: https://github.com/minio/kes/wiki/MinIO-Object-Storage#kes-server-setup

***

The ability to create master keys on request may also be
necessary / useful in case of SSE-KMS.
 2020-06-11 02:00:47 -07:00
Harshavardhana a2ccba69e5
add kes retries upto two times with jitter backoff (#9527) 
KES calls are not retried and under certain situations
when KES is under high load, the request should be
retried automatically.
 2020-05-06 11:44:06 -07:00
Andreas Auernhammer 145f501a21
use HTTP/2 when connecting to KES (#9514) 
This commit makes the KES client use HTTP/2
when establishing a connection to the KES server.

This is necessary since the next KES server release
will require HTTP/2.
 2020-05-04 10:17:13 -07:00
Harshavardhana 933c60bc3a Add crypto context errors (#8740) 
Currently when connections to vault fail, client
perpetually retries this leads to assumptions that
the server has issues and masks the problem.

Re-purpose *crypto.Error* type to send appropriate
errors back to the client.
 2020-01-06 16:15:22 -08:00
Andreas Auernhammer e047ac52b8 remove github.com/minio/kes as a dependency (#8665) 
This commit removes github.com/minio/kes as
a dependency and implements the necessary
client-side functionality without relying
on the KES project.

This resolves the licensing issue since
KES is licensed under AGPL while MinIO
is licensed under Apache.
 2019-12-18 15:10:57 -08:00
Andreas Auernhammer c3d4c1f584 add minio/keys KMS integration (#8631) 
This commit adds support for the minio/kes KMS.
See: https://github.com/minio/kes

In particular you can configure it as KMS by:
 - `export MINIO_KMS_KES_ENDPOINT=`  // Server URL
 - `export MINIO_KMS_KES_KEY_FILE=`  // TLS client private key
 - `export MINIO_KMS_KES_CERT_FILE=` // TLS client certificate
 - `export MINIO_KMS_KES_CA_PATH=`   // Root CAs issuing server cert
 - `export MINIO_KMS_KES_KEY_NAME=`  // The name of the (default)
master key
 2019-12-13 12:57:11 -08:00