minio/docs/kms/README.md

# KMS Quickstart Guide [![Slack](https://slack.minio.io/slack?type=svg)](https://slack.minio.io)

KMS feature allows you to use Vault to generate and manage encryption keys for use by the minio server to encrypt objects. This document explains how to configure Minio with Vault as KMS.

## Get started

### 1. Prerequisites
Install Minio - [Minio Quickstart Guide](https://docs.minio.io/docs/minio-quickstart-guide).

### 2. Configure Vault
Vault as Key Management System requires following to be configured in Vault

- [transit](https://www.vaultproject.io/docs/secrets/transit/index.html) backend configured with a named encryption key-ring
- [AppRole](https://www.vaultproject.io/docs/auth/approle.html) based authentication with read/update policy for transit backend. In particular, read and update policy are required for the [Generate Data Key](https://www.vaultproject.io/api/secret/transit/index.html#generate-data-key) endpoint and [Decrypt Data](https://www.vaultproject.io/api/secret/transit/index.html#decrypt-data) endpoint.

Here is a sample quick start for configuring vault with a transit backend and Approle with correct policy 
#### 2.1 Start Vault server in dev mode
In dev mode, Vault server runs in-memory and starts unsealed. Note that running Vault in dev mode is insecure and any data stored in the Vault is lost upon restart.
```
vault server -dev
```

#### 2.2 Set up vault transit backend and create an app role
```
cat > vaultpolicy.hcl <<EOF
path "transit/datakey/plaintext/my-minio-key" { 
  capabilities = [ "read", "update"]
}
path "transit/decrypt/my-minio-key" { 
  capabilities = [ "read", "update"]
}
path "transit/encrypt/my-minio-key" { 
  capabilities = [ "read", "update"]
}

EOF

export VAULT_ADDR='http://127.0.0.1:8200'
vault auth enable approle    # enable approle style auth
vault secrets enable transit  # enable transit secrets engine
vault write -f  transit/keys/my-minio-key  #define a encryption key-ring for the transit path
vault policy write minio-policy ./vaultpolicy.hcl  #define a policy for AppRole to access transit path
vault write auth/approle/role/my-role token_num_uses=0  secret_id_num_uses=0  period=60s # period indicates it is renewable if token is renewed before the period is over
# define an AppRole
vault write auth/approle/role/my-role policies=minio-policy # apply policy to role
vault read auth/approle/role/my-role/role-id  # get Approle ID
vault write -f auth/approle/role/my-role/secret-id

```

The AppRole ID, AppRole Secret Id, Vault endpoint and Vault key name can now be used to start minio server with Vault as KMS.

Note: If [Vault Namespaces](https://learn.hashicorp.com/vault/operations/namespaces) are in use, VAULT_NAMESPACE variable needs to be set before setting approle and transit secrets engine.

### 3. Environment variables

You'll need the Vault endpoint, AppRole ID, AppRole SecretID and encryption key-ring name defined in step 2.2

```sh
export MINIO_SSE_VAULT_APPROLE_ID=9b56cc08-8258-45d5-24a3-679876769126
export MINIO_SSE_VAULT_APPROLE_SECRET=4e30c52f-13e4-a6f5-0763-d50e8cb4321f
export MINIO_SSE_VAULT_ENDPOINT=https://vault-endpoint-ip:8200
export MINIO_SSE_VAULT_KEY_NAME=my-minio-key
minio server ~/export
```

Optionally set `MINIO_SSE_VAULT_CAPATH` as the path to a directory of PEM-encoded CA cert files to verify the Vault server SSL certificate.
```
export MINIO_SSE_VAULT_CAPATH=/home/user/custom-pems
```

Optionally set `MINIO_SSE_VAULT_NAMESPACE` if AppRole and Transit Secrets engine have been scoped to Vault Namespace
```
export MINIO_SSE_VAULT_NAMESPACE=ns1
```
### 4. Test your setup

To test this setup, start minio server with environment variables set in Step 3, and server is ready to handle SSE-S3 requests.

# Explore Further

- [Use `mc` with Minio Server](https://docs.minio.io/docs/minio-client-quickstart-guide)
- [Use `aws-cli` with Minio Server](https://docs.minio.io/docs/aws-cli-with-minio)
- [Use `s3cmd` with Minio Server](https://docs.minio.io/docs/s3cmd-with-minio)
- [Use `minio-go` SDK with Minio Server](https://docs.minio.io/docs/golang-client-quickstart-guide)
- [The Minio documentation website](https://docs.minio.io)
Add support for SSE-S3 server side encryption with vault (#6192) Add support for sse-s3 encryption with vault as KMS. Also refactoring code to make use of headers and functions defined in crypto package and clean up duplicated code. 6 years ago			`# KMS Quickstart Guide [![Slack](https://slack.minio.io/slack?type=svg)](https://slack.minio.io)`

Update KMS readme with vault quick start guide (#6747) 6 years ago			`KMS feature allows you to use Vault to generate and manage encryption keys for use by the minio server to encrypt objects. This document explains how to configure Minio with Vault as KMS.`
Add support for SSE-S3 server side encryption with vault (#6192) Add support for sse-s3 encryption with vault as KMS. Also refactoring code to make use of headers and functions defined in crypto package and clean up duplicated code. 6 years ago
			`## Get started`

			`### 1. Prerequisites`
			`Install Minio - [Minio Quickstart Guide](https://docs.minio.io/docs/minio-quickstart-guide).`

			`### 2. Configure Vault`
			`Vault as Key Management System requires following to be configured in Vault`

Update KMS readme with vault quick start guide (#6747) 6 years ago			`- [transit](https://www.vaultproject.io/docs/secrets/transit/index.html) backend configured with a named encryption key-ring`
			`- [AppRole](https://www.vaultproject.io/docs/auth/approle.html) based authentication with read/update policy for transit backend. In particular, read and update policy are required for the [Generate Data Key](https://www.vaultproject.io/api/secret/transit/index.html#generate-data-key) endpoint and [Decrypt Data](https://www.vaultproject.io/api/secret/transit/index.html#decrypt-data) endpoint.`

			`Here is a sample quick start for configuring vault with a transit backend and Approle with correct policy`
			`#### 2.1 Start Vault server in dev mode`
			`In dev mode, Vault server runs in-memory and starts unsealed. Note that running Vault in dev mode is insecure and any data stored in the Vault is lost upon restart.`
			```
			`vault server -dev`
			```

			`#### 2.2 Set up vault transit backend and create an app role`
			```
			`cat > vaultpolicy.hcl <<EOF`
			`path "transit/datakey/plaintext/my-minio-key" {`
			`capabilities = [ "read", "update"]`
			`}`
			`path "transit/decrypt/my-minio-key" {`
			`capabilities = [ "read", "update"]`
			`}`
			`path "transit/encrypt/my-minio-key" {`
			`capabilities = [ "read", "update"]`
			`}`

			`EOF`

			`export VAULT_ADDR='http://127.0.0.1:8200'`
			`vault auth enable approle # enable approle style auth`
			`vault secrets enable transit # enable transit secrets engine`
			`vault write -f transit/keys/my-minio-key #define a encryption key-ring for the transit path`
			`vault policy write minio-policy ./vaultpolicy.hcl #define a policy for AppRole to access transit path`
			`vault write auth/approle/role/my-role token_num_uses=0 secret_id_num_uses=0 period=60s # period indicates it is renewable if token is renewed before the period is over`
			`# define an AppRole`
			`vault write auth/approle/role/my-role policies=minio-policy # apply policy to role`
			`vault read auth/approle/role/my-role/role-id # get Approle ID`
			`vault write -f auth/approle/role/my-role/secret-id`

			```

			`The AppRole ID, AppRole Secret Id, Vault endpoint and Vault key name can now be used to start minio server with Vault as KMS.`
Add support for SSE-S3 server side encryption with vault (#6192) Add support for sse-s3 encryption with vault as KMS. Also refactoring code to make use of headers and functions defined in crypto package and clean up duplicated code. 6 years ago
Set namespace on vault client if VAULT_NAMESPACE env is set (#6867) 6 years ago			`Note: If [Vault Namespaces](https://learn.hashicorp.com/vault/operations/namespaces) are in use, VAULT_NAMESPACE variable needs to be set before setting approle and transit secrets engine.`

Add Vault support for custom CAs directory (#6527) 6 years ago			`### 3. Environment variables`
Add support for SSE-S3 server side encryption with vault (#6192) Add support for sse-s3 encryption with vault as KMS. Also refactoring code to make use of headers and functions defined in crypto package and clean up duplicated code. 6 years ago
Update KMS readme with vault quick start guide (#6747) 6 years ago			`You'll need the Vault endpoint, AppRole ID, AppRole SecretID and encryption key-ring name defined in step 2.2`
Add support for SSE-S3 server side encryption with vault (#6192) Add support for sse-s3 encryption with vault as KMS. Also refactoring code to make use of headers and functions defined in crypto package and clean up duplicated code. 6 years ago
			```sh
			`export MINIO_SSE_VAULT_APPROLE_ID=9b56cc08-8258-45d5-24a3-679876769126`
			`export MINIO_SSE_VAULT_APPROLE_SECRET=4e30c52f-13e4-a6f5-0763-d50e8cb4321f`
			`export MINIO_SSE_VAULT_ENDPOINT=https://vault-endpoint-ip:8200`
			`export MINIO_SSE_VAULT_KEY_NAME=my-minio-key`
			`minio server ~/export`
			```

Update KMS readme with vault quick start guide (#6747) 6 years ago			Optionally set `MINIO_SSE_VAULT_CAPATH` as the path to a directory of PEM-encoded CA cert files to verify the Vault server SSL certificate.
Add Vault support for custom CAs directory (#6527) 6 years ago			```
			`export MINIO_SSE_VAULT_CAPATH=/home/user/custom-pems`
			```

rename vault namespace env variable to be more idiomatic (#6905) This commit renames the env variable for vault namespaces such that it begins with `MINIO_SSE_`. This is the prefix for all Minio SSE related env. variables (like KMS). 6 years ago			Optionally set `MINIO_SSE_VAULT_NAMESPACE` if AppRole and Transit Secrets engine have been scoped to Vault Namespace
Set namespace on vault client if VAULT_NAMESPACE env is set (#6867) 6 years ago			```
rename vault namespace env variable to be more idiomatic (#6905) This commit renames the env variable for vault namespaces such that it begins with `MINIO_SSE_`. This is the prefix for all Minio SSE related env. variables (like KMS). 6 years ago			`export MINIO_SSE_VAULT_NAMESPACE=ns1`
Set namespace on vault client if VAULT_NAMESPACE env is set (#6867) 6 years ago			```
Add support for SSE-S3 server side encryption with vault (#6192) Add support for sse-s3 encryption with vault as KMS. Also refactoring code to make use of headers and functions defined in crypto package and clean up duplicated code. 6 years ago			`### 4. Test your setup`

Update KMS readme with vault quick start guide (#6747) 6 years ago			`To test this setup, start minio server with environment variables set in Step 3, and server is ready to handle SSE-S3 requests.`
Add support for SSE-S3 server side encryption with vault (#6192) Add support for sse-s3 encryption with vault as KMS. Also refactoring code to make use of headers and functions defined in crypto package and clean up duplicated code. 6 years ago
			`# Explore Further`

			- [Use `mc` with Minio Server](https://docs.minio.io/docs/minio-client-quickstart-guide)
			- [Use `aws-cli` with Minio Server](https://docs.minio.io/docs/aws-cli-with-minio)
			- [Use `s3cmd` with Minio Server](https://docs.minio.io/docs/s3cmd-with-minio)
			- [Use `minio-go` SDK with Minio Server](https://docs.minio.io/docs/golang-client-quickstart-guide)
			`- [The Minio documentation website](https://docs.minio.io)`