add howto generate a master key and add master key disclaimer (#6992)

This commit adds a section to the master key documentation
describing how to generate a random 256 bit master key.

Further this commit adds a warning that master keys are not
recommended for production systems because it's (currently)
not possible to replace a master key (e.g. in case of compromise).

docs/kms/README.md

@@ -16,8 +16,8 @@ Minio supports two different KMS concepts:
    Direct master keys are useful if the storage backend is not on the same machine as the Minio server, e.g.,
    if network drives or Minio gateway is used and an external KMS would cause too much management overhead.  
    
-   Note: If the Minio server machine is ever compromised, then the master key must also be 
+   Note: KMS master keys are mainly for testing purposes. It's not recommended to use them for production deployments.
-   treated as compromised.
+   Further if the Minio server machine is ever compromised, then the master key must also be treated as compromised.
 
 **Important:**  
 If multiple Minio servers are configured as [gateways](https://github.com/minio/minio/blob/master/docs/gateway/README.md)
@@ -119,6 +119,12 @@ A KMS master key can be specified directly using:
 export MINIO_SSE_MASTER_KEY=my-minio-key:6368616e676520746869732070617373776f726420746f206120736563726574
 ```
 
+Please use your own master key. A random master key can be generated using e.g. this command on Linux/Mac/BSD* systems:
+
+```sh
+head -c 32 /dev/urandom | xxd -c 32 -ps
+```
+
 ### 3. Test your setup
 
 To test this setup, start minio server with environment variables set in Step 3, and server is ready to handle SSE-S3 requests.