mirror of https://github.com/minio/minio.git
e71ef905f9
Add support for sse-s3 encryption with vault as KMS. Also refactoring code to make use of headers and functions defined in crypto package and clean up duplicated code. |
||
---|---|---|
.. | ||
README.md |
README.md
KMS Quickstart Guide
KMS feature allows you to use Vault to generate and manages keys which are used by the minio server to encrypt objects.This document explains how to configure Minio with Vault as KMS.
Get started
1. Prerequisites
Install Minio - Minio Quickstart Guide.
2. Configure Vault
Vault as Key Management System requires following to be configured in Vault
- transit backend configured with a named encryption key-ring
- AppRole based authentication with read/update policy for transit backend. In particular, read and update policy are required for the generate data key endpoint and decrypt key endpoint.
Environment variables
You'll need the Vault endpoint, AppRole ID, AppRole SecretID, encryption key-ring name before starting Minio server with Vault as KMS
export MINIO_SSE_VAULT_APPROLE_ID=9b56cc08-8258-45d5-24a3-679876769126
export MINIO_SSE_VAULT_APPROLE_SECRET=4e30c52f-13e4-a6f5-0763-d50e8cb4321f
export MINIO_SSE_VAULT_ENDPOINT=https://vault-endpoint-ip:8200
export MINIO_SSE_VAULT_KEY_NAME=my-minio-key
minio server ~/export
4. Test your setup
To test this setup, access the Minio server via browser or mc
. You’ll see the uploaded files are accessible from the all the Minio endpoints.