mirror of
https://github.com/minio/minio.git
synced 2025-01-26 06:03:17 -05:00
b1845c6c83
This commit changes the data key generation such that if a MinIO server/nodes tries to generate a new DEK but the particular master key does not exist - then MinIO asks KES to create a new master key and then requests the DEK again. From now on, a SSE-S3 master key must not be created explicitly via: `kes key create <key-name>`. Instead, it is sufficient to just set the env. var. ``` export MINIO_KMS_KES_KEY_NAME=<key-name> ``` However, the MinIO identity (mTLS client certificate) must have the permission to access the `/v1/key/create/` API. Therefore, KES policy for MinIO must look similar to: ``` [ /v1/key/create/<key-name-pattern> /v1/key/generate/<key-name-pattern> /v1/key/decrypt/<key-name-pattern> ] ``` However, in our guides we already suggest that. See e.g.: https://github.com/minio/kes/wiki/MinIO-Object-Storage#kes-server-setup *** The ability to create master keys on request may also be necessary / useful in case of SSE-KMS.