minio/docs/kms/README.md

# KMS Guide [![Slack](https://slack.min.io/slack?type=svg)](https://slack.min.io)

MinIO uses a key-management-system (KMS) to support SSE-S3. If a client requests SSE-S3, or auto-encryption
is enabled, the MinIO server encrypts each object with an unique object key which is protected by a master key
managed by the KMS.

## Quick Start

MinIO supports multiple KMS implementations via our [KES](https://github.com/minio/kes#kes) project. We run
a KES instance at `https://play.min.io:7373` for you to experiment and quickly get started. To run MinIO with
a KMS just fetch the root identity, set the following environment variables and then start your MinIO server.
If you havn't installed MinIO, yet, then follow the MinIO [install instructions](https://docs.min.io/docs/minio-quickstart-guide)
first.

#### 1. Fetch the root identity
As the initial step, fetch the private key and certificate of the root identity:

```sh
curl -sSL --tlsv1.2 \
     -O 'https://raw.githubusercontent.com/minio/kes/master/root.key' \
     -O 'https://raw.githubusercontent.com/minio/kes/master/root.cert'
```

#### 2. Set the MinIO-KES configuration

```sh
export MINIO_KMS_KES_ENDPOINT=https://play.min.io:7373
export MINIO_KMS_KES_KEY_FILE=root.key
export MINIO_KMS_KES_CERT_FILE=root.cert
export MINIO_KMS_KES_KEY_NAME=my-minio-key
```

#### 3. Start the MinIO Server

```sh
export MINIO_ACCESS_KEY=minio
export MINIO_SECRET_KEY=minio123
minio server ~/export
```

> The KES instance at `https://play.min.io:7373` is meant to experiment and provides a way to get started quickly.
> Note that anyone can access or delete master keys at `https://play.min.io:7373`. You should run your own KES
> instance in production.

## Configuration Guides

A typical MinIO deployment that uses a KMS for SSE-S3 looks like this:
```
    ┌────────────┐
    │ ┌──────────┴─┬─────╮          ┌────────────┐
    └─┤ ┌──────────┴─┬───┴──────────┤ ┌──────────┴─┬─────────────────╮
      └─┤ ┌──────────┴─┬─────┬──────┴─┤ KES Server ├─────────────────┤
        └─┤   MinIO    ├─────╯        └────────────┘            ┌────┴────┐
          └────────────┘                                        │   KMS   │
                                                                └─────────┘
``` 

In a given setup, there are `n` MinIO instances talking to `m` KES servers but only `1` central KMS. The most simple
setup consists of `1` MinIO server or cluster talking to `1` KMS via `1` KES server.

The main difference between various MinIO-KMS deployments is the KMS implementation. The following table
helps you select the right option for your use case:

|                                        KMS                                       | Purpose                                                           |
|:---------------------------------------------------------------------------------|:------------------------------------------------------------------|
| [Hashicorp Vault](https://github.com/minio/kes/wiki/Hashicorp-Vault-Keystore)    | Local KMS. MinIO and KMS on-prem (**Recommended**)                |
| [AWS-KMS + SecretsManager](https://github.com/minio/kes/wiki/AWS-SecretsManager) | Cloud KMS. MinIO in combination with a managed KMS installation   |  
| [FS](https://github.com/minio/kes/wiki/Filesystem-Keystore)                      | Local testing or development (**Not recommended for production**) |
 
The MinIO-KES configuration is always the same - regardless of the underlying KMS implementation.
Checkout the MinIO-KES [configuration example](https://github.com/minio/kes/wiki/MinIO-Object-Storage).

### Further references

 - [Run MinIO with TLS / HTTPS](https://docs.min.io/docs/how-to-secure-access-to-minio-server-with-tls.html)
 - [Tweak the KES server configuration](https://github.com/minio/kes/wiki/Configuration)
 - [Run a load balancer infront of KES](https://github.com/minio/kes/wiki/TLS-Proxy)
 - [Understand the KES server concepts](https://github.com/minio/kes/wiki/Concepts) 

## Auto Encryption

Optionally, you can instruct the MinIO server to automatically encrypt all objects with keys from the KES
server - even if the client does not specify any encryption headers during the S3 PUT operation.

Auto-Encryption is especially useful when the MinIO operator wants to ensure that all data stored on MinIO
gets encrypted before it's written to the storage backend.

To enable auto-encryption set the environment variable to `on`:
```
export MINIO_KMS_AUTO_ENCRYPTION=on
```

> Note that auto-encryption only affects requests without S3 encryption headers. So, if a S3 client sends
> e.g. SSE-C headers, MinIO will encrypt the object with the key sent by the client and won't reach out to
> the KMS.

To verify auto-encryption, use the `mc` command:

```
mc cp test.file myminio/bucket/
test.file:              5 B / 5 B  ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓  100.00% 337 B/s 0s

mc stat myminio/bucket/test.file
Name      : test.file
...
Encrypted :
  X-Amz-Server-Side-Encryption: AES256
```

## Explore Further

- [Use `mc` with MinIO Server](https://docs.min.io/docs/minio-client-quickstart-guide)
- [Use `aws-cli` with MinIO Server](https://docs.min.io/docs/aws-cli-with-minio)
- [Use `s3cmd` with MinIO Server](https://docs.min.io/docs/s3cmd-with-minio)
- [Use `minio-go` SDK with MinIO Server](https://docs.min.io/docs/golang-client-quickstart-guide)
- [The MinIO documentation website](https://docs.min.io)
re-write the KMS get started guide (#8936) This commit updates the KMS getting started guide and replaces the legacy MinIO<-->Vault setup with a MinIO<-->KES<-->Vault setup. Therefore, add some architecture ASCII diagrams and provide a step-by-step guide to setup Vault, KES and MinIO such that MinIO can encrypt objects with KES + Vault. The legacy Vault guide has been moved to `./vault-legacy.md`. Co-authored-by: Harshavardhana <harsha@minio.io> 5 years ago			`# KMS Guide [![Slack](https://slack.min.io/slack?type=svg)](https://slack.min.io)`
Add support for SSE-S3 server side encryption with vault (#6192) Add support for sse-s3 encryption with vault as KMS. Also refactoring code to make use of headers and functions defined in crypto package and clean up duplicated code. 6 years ago
Replace Minio refs in docs with MinIO and links (#7494) 6 years ago			`MinIO uses a key-management-system (KMS) to support SSE-S3. If a client requests SSE-S3, or auto-encryption`
			`is enabled, the MinIO server encrypts each object with an unique object key which is protected by a master key`
re-write the KMS get started guide (#8936) This commit updates the KMS getting started guide and replaces the legacy MinIO<-->Vault setup with a MinIO<-->KES<-->Vault setup. Therefore, add some architecture ASCII diagrams and provide a step-by-step guide to setup Vault, KES and MinIO such that MinIO can encrypt objects with KES + Vault. The legacy Vault guide has been moved to `./vault-legacy.md`. Co-authored-by: Harshavardhana <harsha@minio.io> 5 years ago			`managed by the KMS.`
refactor vault configuration and add master-key KMS (#6488) This refactors the vault configuration by moving the vault-related environment variables to `environment.go` (Other ENV should follow in the future to have a central place for adding / handling ENV instead of magic constants and handling across different files) Further this commit adds master-key SSE-S3 support. The operator can specify a SSE-S3 master key using `MINIO_SSE_MASTER_KEY` which will be used as master key to derive and encrypt per-object keys for SSE-S3 requests. This commit is also a pre-condition for SSE-S3 auto-encyption support. Fixes #6329 6 years ago
simplify the KMS guide and remove unnecessary sections (#9629) This commit simplifies the KMS configuration guide by adding a get started section that uses our KES play instance at `https://play.min.io:7373`. Further, it removes sections that we don't recommend for production anyways (MASTER_KEY). 5 years ago			`## Quick Start`

			`MinIO supports multiple KMS implementations via our [KES](https://github.com/minio/kes#kes) project. We run`
			a KES instance at `https://play.min.io:7373` for you to experiment and quickly get started. To run MinIO with
			`a KMS just fetch the root identity, set the following environment variables and then start your MinIO server.`
			`If you havn't installed MinIO, yet, then follow the MinIO [install instructions](https://docs.min.io/docs/minio-quickstart-guide)`
			`first.`

fix KMS quickstart guide layout (#9658) This commit fixes a layout issue w.r.t. the KMS Quickstart guide. The problem seems to be caused by docs server not converting the markdown into html as expected. This commit fixes this by converting the ordered list into subsections. 5 years ago			`#### 1. Fetch the root identity`
			`As the initial step, fetch the private key and certificate of the root identity:`

			```sh
			`curl -sSL --tlsv1.2 \`
			`-O 'https://raw.githubusercontent.com/minio/kes/master/root.key' \`
			`-O 'https://raw.githubusercontent.com/minio/kes/master/root.cert'`
			```

			`#### 2. Set the MinIO-KES configuration`

			```sh
			`export MINIO_KMS_KES_ENDPOINT=https://play.min.io:7373`
			`export MINIO_KMS_KES_KEY_FILE=root.key`
			`export MINIO_KMS_KES_CERT_FILE=root.cert`
			`export MINIO_KMS_KES_KEY_NAME=my-minio-key`
			```

			`#### 3. Start the MinIO Server`

			```sh
			`export MINIO_ACCESS_KEY=minio`
			`export MINIO_SECRET_KEY=minio123`
			`minio server ~/export`
			```
simplify the KMS guide and remove unnecessary sections (#9629) This commit simplifies the KMS configuration guide by adding a get started section that uses our KES play instance at `https://play.min.io:7373`. Further, it removes sections that we don't recommend for production anyways (MASTER_KEY). 5 years ago
			> The KES instance at `https://play.min.io:7373` is meant to experiment and provides a way to get started quickly.
			> Note that anyone can access or delete master keys at `https://play.min.io:7373`. You should run your own KES
			`> instance in production.`

			`## Configuration Guides`

			`A typical MinIO deployment that uses a KMS for SSE-S3 looks like this:`
re-write the KMS get started guide (#8936) This commit updates the KMS getting started guide and replaces the legacy MinIO<-->Vault setup with a MinIO<-->KES<-->Vault setup. Therefore, add some architecture ASCII diagrams and provide a step-by-step guide to setup Vault, KES and MinIO such that MinIO can encrypt objects with KES + Vault. The legacy Vault guide has been moved to `./vault-legacy.md`. Co-authored-by: Harshavardhana <harsha@minio.io> 5 years ago			```
update KMS guide to work with latest KES changes (#9498) This commit updates the KMS guide to reflect the latest changes in KES. Based on internal design meetings we made some adjustments to the overall KES configuration. This commit ensures that the KMS guide contains a working KES demo-setup with Vault. 5 years ago			`┌────────────┐`
			`│ ┌──────────┴─┬─────╮ ┌────────────┐`
			`└─┤ ┌──────────┴─┬───┴──────────┤ ┌──────────┴─┬─────────────────╮`
			`└─┤ ┌──────────┴─┬─────┬──────┴─┤ KES Server ├─────────────────┤`
			`└─┤ MinIO ├─────╯ └────────────┘ ┌────┴────┐`
			`└────────────┘ │ KMS │`
			`└─────────┘`
re-write the KMS get started guide (#8936) This commit updates the KMS getting started guide and replaces the legacy MinIO<-->Vault setup with a MinIO<-->KES<-->Vault setup. Therefore, add some architecture ASCII diagrams and provide a step-by-step guide to setup Vault, KES and MinIO such that MinIO can encrypt objects with KES + Vault. The legacy Vault guide has been moved to `./vault-legacy.md`. Co-authored-by: Harshavardhana <harsha@minio.io> 5 years ago			```
add howto generate a master key and add master key disclaimer (#6992) This commit adds a section to the master key documentation describing how to generate a random 256 bit master key. Further this commit adds a warning that master keys are not recommended for production systems because it's (currently) not possible to replace a master key (e.g. in case of compromise). 6 years ago
fix KMS quickstart guide layout (#9658) This commit fixes a layout issue w.r.t. the KMS Quickstart guide. The problem seems to be caused by docs server not converting the markdown into html as expected. This commit fixes this by converting the ordered list into subsections. 5 years ago			In a given setup, there are `n` MinIO instances talking to `m` KES servers but only `1` central KMS. The most simple
simplify the KMS guide and remove unnecessary sections (#9629) This commit simplifies the KMS configuration guide by adding a get started section that uses our KES play instance at `https://play.min.io:7373`. Further, it removes sections that we don't recommend for production anyways (MASTER_KEY). 5 years ago			setup consists of `1` MinIO server or cluster talking to `1` KMS via `1` KES server.
Add KMS master key from Docker secret (#7825) 5 years ago
simplify the KMS guide and remove unnecessary sections (#9629) This commit simplifies the KMS configuration guide by adding a get started section that uses our KES play instance at `https://play.min.io:7373`. Further, it removes sections that we don't recommend for production anyways (MASTER_KEY). 5 years ago			`The main difference between various MinIO-KMS deployments is the KMS implementation. The following table`
			`helps you select the right option for your use case:`
Add KMS master key from Docker secret (#7825) 5 years ago
simplify the KMS guide and remove unnecessary sections (#9629) This commit simplifies the KMS configuration guide by adding a get started section that uses our KES play instance at `https://play.min.io:7373`. Further, it removes sections that we don't recommend for production anyways (MASTER_KEY). 5 years ago			`\| KMS \| Purpose \|`
			`\|:---------------------------------------------------------------------------------\|:------------------------------------------------------------------\|`
			`\| [Hashicorp Vault](https://github.com/minio/kes/wiki/Hashicorp-Vault-Keystore) \| Local KMS. MinIO and KMS on-prem (Recommended) \|`
			`\| [AWS-KMS + SecretsManager](https://github.com/minio/kes/wiki/AWS-SecretsManager) \| Cloud KMS. MinIO in combination with a managed KMS installation \|`
			`\| [FS](https://github.com/minio/kes/wiki/Filesystem-Keystore) \| Local testing or development (Not recommended for production) \|`

			`The MinIO-KES configuration is always the same - regardless of the underlying KMS implementation.`
			`Checkout the MinIO-KES [configuration example](https://github.com/minio/kes/wiki/MinIO-Object-Storage).`
re-write the KMS get started guide (#8936) This commit updates the KMS getting started guide and replaces the legacy MinIO<-->Vault setup with a MinIO<-->KES<-->Vault setup. Therefore, add some architecture ASCII diagrams and provide a step-by-step guide to setup Vault, KES and MinIO such that MinIO can encrypt objects with KES + Vault. The legacy Vault guide has been moved to `./vault-legacy.md`. Co-authored-by: Harshavardhana <harsha@minio.io> 5 years ago
simplify the KMS guide and remove unnecessary sections (#9629) This commit simplifies the KMS configuration guide by adding a get started section that uses our KES play instance at `https://play.min.io:7373`. Further, it removes sections that we don't recommend for production anyways (MASTER_KEY). 5 years ago			`### Further references`
Add KMS master key from Docker secret (#7825) 5 years ago
simplify the KMS guide and remove unnecessary sections (#9629) This commit simplifies the KMS configuration guide by adding a get started section that uses our KES play instance at `https://play.min.io:7373`. Further, it removes sections that we don't recommend for production anyways (MASTER_KEY). 5 years ago			`- [Run MinIO with TLS / HTTPS](https://docs.min.io/docs/how-to-secure-access-to-minio-server-with-tls.html)`
			`- [Tweak the KES server configuration](https://github.com/minio/kes/wiki/Configuration)`
			`- [Run a load balancer infront of KES](https://github.com/minio/kes/wiki/TLS-Proxy)`
			`- [Understand the KES server concepts](https://github.com/minio/kes/wiki/Concepts)`
Add KMS master key from Docker secret (#7825) 5 years ago
simplify the KMS guide and remove unnecessary sections (#9629) This commit simplifies the KMS configuration guide by adding a get started section that uses our KES play instance at `https://play.min.io:7373`. Further, it removes sections that we don't recommend for production anyways (MASTER_KEY). 5 years ago			`## Auto Encryption`
add auto-encryption feature (#6523) This commit adds an auto-encryption feature which allows the Minio operator to ensure that uploaded objects are always encrypted. This change adds the `autoEncryption` configuration option as part of the KMS conifguration and the ENV. variable `MINIO_SSE_AUTO_ENCRYPTION:{on,off}`. It also updates the KMS documentation according to the changes. Fixes #6502 6 years ago
re-write the KMS get started guide (#8936) This commit updates the KMS getting started guide and replaces the legacy MinIO<-->Vault setup with a MinIO<-->KES<-->Vault setup. Therefore, add some architecture ASCII diagrams and provide a step-by-step guide to setup Vault, KES and MinIO such that MinIO can encrypt objects with KES + Vault. The legacy Vault guide has been moved to `./vault-legacy.md`. Co-authored-by: Harshavardhana <harsha@minio.io> 5 years ago			`Optionally, you can instruct the MinIO server to automatically encrypt all objects with keys from the KES`
			`server - even if the client does not specify any encryption headers during the S3 PUT operation.`
add auto-encryption feature (#6523) This commit adds an auto-encryption feature which allows the Minio operator to ensure that uploaded objects are always encrypted. This change adds the `autoEncryption` configuration option as part of the KMS conifguration and the ENV. variable `MINIO_SSE_AUTO_ENCRYPTION:{on,off}`. It also updates the KMS documentation according to the changes. Fixes #6502 6 years ago
re-write the KMS get started guide (#8936) This commit updates the KMS getting started guide and replaces the legacy MinIO<-->Vault setup with a MinIO<-->KES<-->Vault setup. Therefore, add some architecture ASCII diagrams and provide a step-by-step guide to setup Vault, KES and MinIO such that MinIO can encrypt objects with KES + Vault. The legacy Vault guide has been moved to `./vault-legacy.md`. Co-authored-by: Harshavardhana <harsha@minio.io> 5 years ago			`Auto-Encryption is especially useful when the MinIO operator wants to ensure that all data stored on MinIO`
			`gets encrypted before it's written to the storage backend.`
add auto-encryption feature (#6523) This commit adds an auto-encryption feature which allows the Minio operator to ensure that uploaded objects are always encrypted. This change adds the `autoEncryption` configuration option as part of the KMS conifguration and the ENV. variable `MINIO_SSE_AUTO_ENCRYPTION:{on,off}`. It also updates the KMS documentation according to the changes. Fixes #6502 6 years ago
Small corrections and example for auto-encryption (#6982) 6 years ago			To enable auto-encryption set the environment variable to `on`:
Document vault in prod mode instead of dev mode (#7928) 5 years ago			```
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing. 5 years ago			`export MINIO_KMS_AUTO_ENCRYPTION=on`
add auto-encryption feature (#6523) This commit adds an auto-encryption feature which allows the Minio operator to ensure that uploaded objects are always encrypted. This change adds the `autoEncryption` configuration option as part of the KMS conifguration and the ENV. variable `MINIO_SSE_AUTO_ENCRYPTION:{on,off}`. It also updates the KMS documentation according to the changes. Fixes #6502 6 years ago			```

re-write the KMS get started guide (#8936) This commit updates the KMS getting started guide and replaces the legacy MinIO<-->Vault setup with a MinIO<-->KES<-->Vault setup. Therefore, add some architecture ASCII diagrams and provide a step-by-step guide to setup Vault, KES and MinIO such that MinIO can encrypt objects with KES + Vault. The legacy Vault guide has been moved to `./vault-legacy.md`. Co-authored-by: Harshavardhana <harsha@minio.io> 5 years ago			`> Note that auto-encryption only affects requests without S3 encryption headers. So, if a S3 client sends`
			`> e.g. SSE-C headers, MinIO will encrypt the object with the key sent by the client and won't reach out to`
			`> the KMS.`

Small corrections and example for auto-encryption (#6982) 6 years ago			To verify auto-encryption, use the `mc` command:

Document vault in prod mode instead of dev mode (#7928) 5 years ago			```
simplify the KMS guide and remove unnecessary sections (#9629) This commit simplifies the KMS configuration guide by adding a get started section that uses our KES play instance at `https://play.min.io:7373`. Further, it removes sections that we don't recommend for production anyways (MASTER_KEY). 5 years ago			`mc cp test.file myminio/bucket/`
Small corrections and example for auto-encryption (#6982) 6 years ago			`test.file: 5 B / 5 B ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓ 100.00% 337 B/s 0s`
simplify the KMS guide and remove unnecessary sections (#9629) This commit simplifies the KMS configuration guide by adding a get started section that uses our KES play instance at `https://play.min.io:7373`. Further, it removes sections that we don't recommend for production anyways (MASTER_KEY). 5 years ago
			`mc stat myminio/bucket/test.file`
Small corrections and example for auto-encryption (#6982) 6 years ago			`Name : test.file`
			`...`
			`Encrypted :`
			`X-Amz-Server-Side-Encryption: AES256`
			```

re-write the KMS get started guide (#8936) This commit updates the KMS getting started guide and replaces the legacy MinIO<-->Vault setup with a MinIO<-->KES<-->Vault setup. Therefore, add some architecture ASCII diagrams and provide a step-by-step guide to setup Vault, KES and MinIO such that MinIO can encrypt objects with KES + Vault. The legacy Vault guide has been moved to `./vault-legacy.md`. Co-authored-by: Harshavardhana <harsha@minio.io> 5 years ago			`## Explore Further`
Add support for SSE-S3 server side encryption with vault (#6192) Add support for sse-s3 encryption with vault as KMS. Also refactoring code to make use of headers and functions defined in crypto package and clean up duplicated code. 6 years ago
Replace Minio refs in docs with MinIO and links (#7494) 6 years ago			- [Use `mc` with MinIO Server](https://docs.min.io/docs/minio-client-quickstart-guide)
			- [Use `aws-cli` with MinIO Server](https://docs.min.io/docs/aws-cli-with-minio)
			- [Use `s3cmd` with MinIO Server](https://docs.min.io/docs/s3cmd-with-minio)
			- [Use `minio-go` SDK with MinIO Server](https://docs.min.io/docs/golang-client-quickstart-guide)
			`- [The MinIO documentation website](https://docs.min.io)`