Small corrections and example for auto-encryption (#6982)

master
Eco 6 years ago committed by kannappanr
parent 13cb814a0e
commit b6f9b24b30
  1. 48
      docs/kms/README.md

@ -1,28 +1,29 @@
# KMS Quickstart Guide [![Slack](https://slack.minio.io/slack?type=svg)](https://slack.minio.io) # KMS Quickstart Guide [![Slack](https://slack.minio.io/slack?type=svg)](https://slack.minio.io)
Minio uses a key-management-system (KMS) to support SSE-S3. If a client requests SSE-S3 or auto-encryption Minio uses a key-management-system (KMS) to support SSE-S3. If a client requests SSE-S3, or auto-encryption
is enabled the Minio server encrypts each object with an unique object key which is protected by a master key is enabled, the Minio server encrypts each object with an unique object key which is protected by a master key
managed by the KMS. Usually many/all object keys are protected by a single master key. managed by the KMS. Usually all object keys are protected by a single master key.
Minio supports two different KMS concepts: Minio supports two different KMS concepts:
- External KMS: - External KMS:
Minio can be configured to use an external KMS i.e. [Hashicorp Vault](https://www.vaultproject.io/). Minio can be configured to use an external KMS i.e. [Hashicorp Vault](https://www.vaultproject.io/).
An external KMS decouples Minio as storage system from key-management. An external KMS can An external KMS decouples Minio as storage system from key-management. An external KMS can
be managed by a dedicated security team and allows to grant/deny access to (certain) objects be managed by a dedicated security team and allows you to grant/deny access to (certain) objects
by en/disabling the corresponding master keys on demand. by enabling or disabling the corresponding master keys on demand.
However, an external KMS causes configuration and management overhead.
- Direct KMS master keys: - Direct KMS master keys:
Minio can also be configured to directly use a master key specified by the ENV. variable `MINIO_SSE_MASTER_KEY`. Minio can also be configured to directly use a master key specified by the environment variable `MINIO_SSE_MASTER_KEY`.
Direct master keys are useful if the storage backend is not on the same machine as the Minio server - e.g. Direct master keys are useful if the storage backend is not on the same machine as the Minio server, e.g.,
if network drives or Minio gateway is used - and an external KMS would cause too much management overhead. if network drives or Minio gateway is used and an external KMS would cause too much management overhead.
Note: If the Minio server machine is ever compromised, then the master key must also be Note: If the Minio server machine is ever compromised, then the master key must also be
treated as compromised. treated as compromised.
**Important:** **Important:**
If multiple minio server are configured as [gateways](https://github.com/minio/minio/blob/master/docs/gateway/README.md) If multiple Minio servers are configured as [gateways](https://github.com/minio/minio/blob/master/docs/gateway/README.md)
pointing to the *same* backend - for example the same NAS storage - than the KMS configuration **must** be equal for pointing to the *same* backend - for example the same NAS storage - then the KMS configuration **must** be the same for
all gateways. Otherwise one gateway may not be able to decrypt objects created by another gateway. It's the operators all gateways. Otherwise one gateway may not be able to decrypt objects created by another gateway. It is the operators'
responsibility to ensure that. responsibility to ensure consistency.
## Get started ## Get started
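Review bot: two wording errors survive this correction pass in the hunk above: "an external KMS i.e. [Hashicorp Vault]" should read "e.g." (Vault is one example of an external KMS, not a definition of the term), and "an unique object key" should be "a unique object key"; "decouples Minio as storage system" also wants an article ("as a storage system"). The new sentence "However, an external KMS causes configuration and management overhead." is fine but sits alone as a paragraph; attaching it to the preceding bullet text keeps the "External KMS" bullet as one unit.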
@ -44,6 +45,7 @@ Minio requires the following Vault setup:
**2.1.1 Start Vault server in dev mode** **2.1.1 Start Vault server in dev mode**
In dev mode, Vault server runs in-memory and starts unsealed. Note that running Vault in dev mode is insecure and any data stored in the Vault is lost upon restart. In dev mode, Vault server runs in-memory and starts unsealed. Note that running Vault in dev mode is insecure and any data stored in the Vault is lost upon restart.
``` ```
vault server -dev vault server -dev
``` ```
@ -92,13 +94,13 @@ export MINIO_SSE_VAULT_AUTH_TYPE=approle
minio server ~/export minio server ~/export
``` ```
Optionally set `MINIO_SSE_VAULT_CAPATH` to a directory of PEM-encoded CA cert files to use mTLS for client-server authentication. Optionally, set `MINIO_SSE_VAULT_CAPATH` to a directory of PEM-encoded CA cert files to use mTLS for client-server authentication.
``` ```
export MINIO_SSE_VAULT_CAPATH=/home/user/custom-certs export MINIO_SSE_VAULT_CAPATH=/home/user/custom-certs
``` ```
Optionally set `MINIO_SSE_VAULT_NAMESPACE` if AppRole and Transit Secrets engine have been scoped to Vault Namespace An additional option is to set `MINIO_SSE_VAULT_NAMESPACE` if AppRole and Transit Secrets engine have been scoped to Vault Namespace
``` ```
export MINIO_SSE_VAULT_NAMESPACE=ns1 export MINIO_SSE_VAULT_NAMESPACE=ns1
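Review bot: the rewrite of the `MINIO_SSE_VAULT_NAMESPACE` line breaks the parallel "Optionally, set …" phrasing used two lines earlier for `MINIO_SSE_VAULT_CAPATH`, and the sentence still has no terminating period or article; suggest "Optionally, set `MINIO_SSE_VAULT_NAMESPACE` if the AppRole and Transit secrets engine have been scoped to a Vault namespace." so both optional settings are introduced the same way.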
@ -130,12 +132,24 @@ KMS configuration.
Auto-Encryption is useful especially if the Minio operator wants to ensure that objects are **never** stored in Auto-Encryption is useful especially if the Minio operator wants to ensure that objects are **never** stored in
plaintext - for example if sensitive data is stored on public cloud storage. plaintext - for example if sensitive data is stored on public cloud storage.
To enable auto-encryption either set the ENV. variable: To enable auto-encryption set the environment variable to `on`:
```sh ```sh
export MINIO_SSE_AUTO_ENCRYPTION=on export MINIO_SSE_AUTO_ENCRYPTION=on
``` ```
To verify auto-encryption, use the `mc` command:
```sh
mc cp test.file myminio/crypt/
test.file: 5 B / 5 B ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓ 100.00% 337 B/s 0s
mc stat myminio/crypt/test.file
Name : test.file
...
Encrypted :
X-Amz-Server-Side-Encryption: AES256
```
Note: Auto-Encryption only affects non-SSE-C requests since objects uploaded using SSE-C are already encrypted Note: Auto-Encryption only affects non-SSE-C requests since objects uploaded using SSE-C are already encrypted
and S3 only allows either SSE-S3 or SSE-C but not both for the same object. and S3 only allows either SSE-S3 or SSE-C but not both for the same object.
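Review bot: the new verification block assumes an `mc` alias named `myminio` and a bucket named `crypt` that this section never sets up; add a short sentence (or an `mc mb myminio/crypt` step) before `mc cp test.file myminio/crypt/` so the example is reproducible, and state explicitly that the `X-Amz-Server-Side-Encryption: AES256` line in the `mc stat` output is the SSE-S3 indicator readers should look for, since that is what distinguishes an auto-encrypted object from the SSE-C case the following note excludes. Also consider separating the `mc cp` and `mc stat` invocations from their captured output, as the progress-bar line is easy to mistake for something the reader must type.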