mirror of https://github.com/minio/minio.git
This commit adds a new method `UpdateKey` to the KMS interface. The purpose of `UpdateKey` is to re-wrap an encrypted data key (the key generated & encrypted with a master key by e.g. Vault). For example, consider Vault with a master key ID: `master-key-1` and an encrypted data key `E(dk)` for a particular object. The data key `dk` has been generated randomly when the object was created. Now, the KMS operator may "rotate" the master key `master-key-1`. However, the KMS cannot forget the "old" value of that master key since there is still an object that requires `dk`, and therefore, the `D(E(dk))`. With the `UpdateKey` method call MinIO can ask the KMS to decrypt `E(dk)` with the old key (internally) and re-encrypt `dk` with the new master key value: `E'(dk)`. However, this operation only works for the same master key ID. When rotating the data key (replacing it with a new one), we perform an `UnsealKey` operation with the 1st master key ID and then a `GenerateKey` operation with the 2nd master key ID. This commit also updates the KMS documentation and removes the `encrypt` policy entry (we don't use `encrypt`) and adds a policy entry for `rewrap`.
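The master-key rotation and re-wrap flow described in the commit message, as an added Go example that is not MinIO's code or its real KMS interface: a toy in-memory KMS keeps every version of a master key, `UpdateKey` unseals `E(dk)` with whichever version wrapped it and re-seals the unchanged `dk` under the current version of the same master key ID, and moving to a different ID still requires `UnsealKey` under the first ID followed by `GenerateKey` under the second. The `KMS` type, its method names, the `[version][nonce][ciphertext]` blob layout and AES-256-GCM wrapping are all assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KMS is a toy in-memory KMS: master key ID -> every version of that key. Old
// versions are retained so data keys wrapped under them can still be unsealed.
type KMS map[string][][]byte

func random(n int) []byte { b := make([]byte, n); rand.Read(b); return b } // never fails on Go >= 1.24

// RotateKey installs a new version of master key id (version 0 on first call).
func (k KMS) RotateKey(id string) { k[id] = append(k[id], random(32)) }

// aead builds AES-256-GCM for one master key version (32-byte key: cannot fail).
func (k KMS) aead(id string, v int) cipher.AEAD { b, _ := aes.NewCipher(k[id][v]); g, _ := cipher.NewGCM(b); return g }

// seal wraps dk as [version byte][12-byte nonce][AES-GCM ciphertext]; the key ID
// is bound as associated data so a blob cannot be presented under another ID.
func (k KMS) seal(id string, v int, dk []byte) []byte {
	nonce := random(12)
	return k.aead(id, v).Seal(append([]byte{byte(v)}, nonce...), nonce, dk, []byte(id))
}

// GenerateKey returns a fresh data key dk and E(dk) sealed under the latest version.
func (k KMS) GenerateKey(id string) (dk, sealed []byte, err error) {
	vs, ok := k[id]
	if !ok { return nil, nil, fmt.Errorf("unknown master key %q", id) }
	dk = random(32)
	return dk, k.seal(id, len(vs)-1, dk), nil
}

// UnsealKey decrypts E(dk) with whichever retained version wrapped it.
func (k KMS) UnsealKey(id string, sealed []byte) ([]byte, error) {
	vs, ok := k[id]
	if !ok || len(sealed) < 13 || int(sealed[0]) >= len(vs) { return nil, fmt.Errorf("bad sealed key for %q", id) }
	return k.aead(id, int(sealed[0])).Open(nil, sealed[1:13], sealed[13:], []byte(id))
}

// UpdateKey re-wraps E(dk) under the latest version of the SAME master key ID:
// dk is unchanged, only its wrapping becomes E'(dk). Another ID fails in UnsealKey.
func (k KMS) UpdateKey(id string, sealed []byte) ([]byte, error) {
	dk, err := k.UnsealKey(id, sealed)
	if err != nil { return nil, err }
	return k.seal(id, len(k[id])-1, dk), nil
}
```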