This commit updates the KMS guide to reflect the
latest changes in KES. Based on internal design
meetings we made some adjustments to the overall
KES configuration.
This commit ensures that the KMS guide contains
a working KES demo-setup with Vault.
└─┤ ┌──────────┴─┬─────┬──────┴─┤ KES Server ├─────────────────┤
+-------+ | +-----+ | +-------+
└─┤ MinIO ├─────╯ └────────────┘ ┌────┴────┐
| MinIO +----+ +----+ MinIO |
└────────────┘ │ KMS │
+-------+ +-------+
└─────────┘
```
```
MinIO supports commonly-used KMS implementations, like [AWS-KMS](https://aws.amazon.com/kms/) or
[Hashicorp Vault](https://www.vaultproject.io/) via our [KES project](https://github.com/minio/kes/wiki).
KES makes it possible to scale your KMS horizontally with your storage infrastructure (MinIO clusters).
Therefore, it wraps around the KMS implementation like this:
```
+-------+ +-------+
| MinIO | | MinIO |
+---+---+ +---+---+
| |
+----+-------------------------+----+---- KMS
| | | |
| +--+--+ +--+--+ |
| | KES +--+ +--+ KES | |
| +-----+ | +-------+ | +-----+ |
| +--+ Vault +--+ |
| +-----+ | +-------+ | +-----+ |
| | KES +--+ +--+ KES | |
| +--+--+ +--+--+ |
| | | |
+----+-------------------------+----+---- KMS
| |
+---+---+ +---+---+
| MinIO | | MinIO |
+-------+ +-------+
```
Observe that all MinIO clusters only have a connection to "their own" KES instance and no direct access to Vault (as one possible KMS implementation).
Observe that all MinIO clusters only have a connection to "their own" KES instance and no direct access to Vault (as one possible KMS implementation).
Each KES instance will handle all encrypton/decryption requests made by "its" MinIO cluster such that the central KMS implementation does not have to handle
Each KES instance will handle all encrypton/decryption requests made by "its" MinIO cluster such that the central KMS implementation does not have to handle
a lot of traffic. Instead, each KES instance will use the central KMS implementation as secure key store and fetches the required master keys from it.
a lot of traffic. Instead, each KES instance will use the central KMS implementation as secure key store and fetches the required master keys from it.
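Review bot: the context lines under the new diagram still read "encrypton/decryption" and "will use ... and fetches the required master keys"; since this hunk rewrites the surrounding explanation anyway, fix the typo to "encryption" and the agreement to "fetch" in the same change. The paragraph also stops one step short of the point the diagram makes: because every KES instance fetches master keys from the central KMS and serves all encryption requests for "its" MinIO cluster, each KES host becomes part of the trust boundary, and it is the TLS certificates and access policies set up in the following sections, not the network layout alone, that keep one cluster's keys from being usable by another. One sentence saying so after "fetches the required master keys from it." would make the design rationale explicit.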
@ -77,7 +54,7 @@ This guide shows how to set up three different servers on the same machine:
### 1 Prerequisites
### 1 Prerequisites
Install MinIO, KES and Vault. For MinIO take a look at the [MinIO quickstart guide](https://docs.min.io/docs/minio-quickstart-guide).
Install MinIO, KES and Vault. For MinIO take a look at the [MinIO quickstart guide](https://docs.min.io/docs/minio-quickstart-guide).
Then download the [latest KES binary](https://github.com/minio/kes/releases/latest/) and the [latest Vault binary](https://github.com/hashicorp/vault/releases/latest/)
Then [install KES](https://github.com/minio/kes#install) and download the [latest Vault binary](https://www.vaultproject.io/downloads)
for your OS and platform.
for your OS and platform.
### 2 Generate TLS certificates
### 2 Generate TLS certificates
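Review bot: the new line swaps the GitHub release link for the Vault downloads page and the KES link for the project's install section, which is fine, but neither the old nor the new wording tells the reader to verify what they downloaded before running it. HashiCorp publishes a SHA256SUMS file and a detached signature next to each Vault release, so a sentence after "for your OS and platform." such as "Verify the checksum of the downloaded Vault binary against the published SHA256SUMS file before running it." would close that gap at low cost; the same applies to the KES install step.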
@ -88,30 +65,44 @@ TLS connections between MinIO, KES and Vault. Therefore, we need to generate at
#### 2.1 Generate a TLS certificate for Vault
#### 2.1 Generate a TLS certificate for Vault
To generate a new private key for Vault's certificate run the following openssl command:
To generate a new private key for Vault's certificate run the following openssl command:
> backend - like [etcd](https://www.vaultproject.io/docs/configuration/storage/etcd/) or [consul](https://learn.hashicorp.com/vault/operations/ops-vault-ha-consul).
> backend - like [etcd](https://www.vaultproject.io/docs/configuration/storage/etcd/) or [consul](https://learn.hashicorp.com/vault/operations/ops-vault-ha-consul).
Finally, start the Vault server via:
Finally, start the Vault server via:
```
```sh
vault server -config vault-config.json
vault server -config vault-config.json
```
```
#### 3.1 Initialize and unseal Vault
#### 3.1 Initialize and unseal Vault
In a separate terminal window set the `VAULT_ADDR` env. variable to your Vault server:
In a separate terminal window set the `VAULT_ADDR` env. variable to your Vault server:
```
```sh
export VAULT_ADDR='https://127.0.0.1:8200'
export VAULT_ADDR='https://127.0.0.1:8200'
```
```
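Review bot: tagging the fences as `sh` is consistent with the rest of the change, but `export VAULT_ADDR='https://127.0.0.1:8200'` only works against the self-signed certificate generated in section 2.1 once the CLI trusts that CA, and the hunk that explains this ("When Vault serves a TLS certificate that has been issued by a CA th[at is trusted] by your machine ... then you don't need to run this command") comes later in the guide. A short pointer after the `VAULT_ADDR` block ("the Vault CLI will reject the self-signed certificate until it trusts the CA; see the next step") would spare readers a confusing TLS error. Separately, the quoted note recommending an etcd or consul backend would read better if it stated plainly that the `vault-config.json` used here is a demo configuration and not a production layout.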
@ -172,7 +163,7 @@ certificate. When Vault serves a TLS certificate that has been issued by a CA th
by your machine - e.g. Let's Encrypt - then you don't need to run this command.
by your machine - e.g. Let's Encrypt - then you don't need to run this command.
Then initialize Vault via:
Then initialize Vault via:
```
```sh
vault operator init
vault operator init
```
```
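Review bot: `vault operator init` prints the unseal key shares and the initial root token to the terminal, and the guide goes on to have the reader export that root token, but nothing in this hunk says what to do with the printed values. Suggest one sentence after the fence telling the reader to store the key shares and root token somewhere other than the terminal scrollback or shell history, since losing the shares means losing access to every master key KES has stored in Vault.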
@ -203,12 +194,12 @@ existing unseal keys shares. See "vault operator rekey" for more information.
```
```
Now, set the env. variable `VAULT_TOKEN` to the root token printed by the command before:
Now, set the env. variable `VAULT_TOKEN` to the root token printed by the command before:
```
```sh
export VAULT_TOKEN=s.zaU4Gbcu0Wh46uj2V3VuUde0
export VAULT_TOKEN=s.zaU4Gbcu0Wh46uj2V3VuUde0
```
```
Then use any of the previously generated key shares to unseal Vault.
Then use any of the previously generated key shares to unseal Vault.
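Review bot: the literal value in `export VAULT_TOKEN=s.zaU4Gbcu0Wh46uj2V3VuUde0` will be copied verbatim by some readers; mark it as an example in the sentence above ("replace the value with the root token printed by `vault operator init`") or use an obvious placeholder inside the fence. Since this is the root token, the guide should also, once KES has its own scoped policy and token later in the setup, tell the reader to revoke the root token rather than leave it in the environment, which is the standard Vault guidance for initial setup.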