Add KMS master key from Docker secret (#7825)

Lucas 5 years ago committed by kannappanr
parent 55dd017e62
commit ea66a52ed1
  1. 3
      Dockerfile
  2. 3
      Dockerfile.dev
  3. 3
      Dockerfile.release
  4. 14
      dockerscripts/docker-entrypoint.sh
  5. 21
      docs/kms/README.md

@ -16,7 +16,8 @@ FROM alpine:3.9
ENV MINIO_UPDATE off ENV MINIO_UPDATE off
ENV MINIO_ACCESS_KEY_FILE=access_key \ ENV MINIO_ACCESS_KEY_FILE=access_key \
MINIO_SECRET_KEY_FILE=secret_key MINIO_SECRET_KEY_FILE=secret_key \
MINIO_SSE_MASTER_KEY_FILE=sse_master_key
EXPOSE 9000 EXPOSE 9000

@ -7,7 +7,8 @@ COPY minio /usr/bin/
ENV MINIO_UPDATE off ENV MINIO_UPDATE off
ENV MINIO_ACCESS_KEY_FILE=access_key \ ENV MINIO_ACCESS_KEY_FILE=access_key \
MINIO_SECRET_KEY_FILE=secret_key MINIO_SECRET_KEY_FILE=secret_key \
MINIO_SSE_MASTER_KEY_FILE=sse_master_key
RUN \ RUN \
apk add --no-cache ca-certificates 'curl>7.61.0' 'su-exec>=0.2' && \ apk add --no-cache ca-certificates 'curl>7.61.0' 'su-exec>=0.2' && \

@ -18,7 +18,8 @@ COPY dockerscripts/docker-entrypoint.sh /usr/bin/
ENV MINIO_UPDATE off ENV MINIO_UPDATE off
ENV MINIO_ACCESS_KEY_FILE=access_key \ ENV MINIO_ACCESS_KEY_FILE=access_key \
MINIO_SECRET_KEY_FILE=secret_key MINIO_SECRET_KEY_FILE=secret_key \
MINIO_SSE_MASTER_KEY_FILE=sse_master_key
RUN \ RUN \
apk add --no-cache ca-certificates 'curl>7.61.0' 'su-exec>=0.2' && \ apk add --no-cache ca-certificates 'curl>7.61.0' 'su-exec>=0.2' && \

@ -39,6 +39,17 @@ docker_secrets_env() {
fi fi
} }
## Set SSE_MASTER_KEY from docker secrets if provided
docker_sse_encryption_env() {
SSE_MASTER_KEY_FILE="/run/secrets/$MINIO_SSE_MASTER_KEY_FILE"
if [ -f "$SSE_MASTER_KEY_FILE" ]; then
MINIO_SSE_MASTER_KEY="$(cat "$SSE_MASTER_KEY_FILE")"
export MINIO_SSE_MASTER_KEY
fi
}
# su-exec to requested user, if service cannot run exec will fail. # su-exec to requested user, if service cannot run exec will fail.
docker_switch_user() { docker_switch_user() {
if [ -z "${MINIO_USERNAME}" ] || [ -z "${MINIO_GROUPNAME}" ]; then if [ -z "${MINIO_USERNAME}" ] || [ -z "${MINIO_GROUPNAME}" ]; then
@ -55,5 +66,8 @@ docker_switch_user() {
## Set access env from secrets if necessary. ## Set access env from secrets if necessary.
docker_secrets_env docker_secrets_env
## Set sse encryption from secrets if necessary.
docker_sse_encryption_env
## Switch to user if applicable. ## Switch to user if applicable.
docker_switch_user "$@" docker_switch_user "$@"
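Review bot: `docker_sse_encryption_env` unconditionally overwrites any `MINIO_SSE_MASTER_KEY` already present in the container environment whenever the secret file exists, and nothing in the hunk records that precedence, so an operator who sets both will get the file's key without any hint; whether `docker_secrets_env` behaves the same way is not visible from this hunk. The header comment on the new function should state it, e.g. `## Set SSE_MASTER_KEY from docker secrets if provided; the secret file takes precedence over an already-exported MINIO_SSE_MASTER_KEY.` Note also that `$(cat "$SSE_MASTER_KEY_FILE")` strips only trailing newlines, so a secret created with trailing spaces or a CR (CRLF tooling) is exported verbatim and would presumably be rejected by the server as a malformed `id:hex` value — worth a sentence next to the `docker secret create` example in docs/kms/README.md rather than a fix here. The body of `docker_switch_user` continues outside the hunk.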

@ -12,7 +12,7 @@ MinIO supports two different KMS concepts:
by enabling or disabling the corresponding master keys on demand. by enabling or disabling the corresponding master keys on demand.
- Direct KMS master keys: - Direct KMS master keys:
MinIO can also be configured to directly use a master key specified by the environment variable `MINIO_SSE_MASTER_KEY`. MinIO can also be configured to directly use a master key specified by the environment variable `MINIO_SSE_MASTER_KEY` or with a docker secret key.
Direct master keys are useful if the storage backend is not on the same machine as the MinIO server, e.g., Direct master keys are useful if the storage backend is not on the same machine as the MinIO server, e.g.,
if network drives or MinIO gateway is used and an external KMS would cause too much management overhead. if network drives or MinIO gateway is used and an external KMS would cause too much management overhead.
@ -215,6 +215,8 @@ minio gateway s3
#### 2.2 Specify a master key #### 2.2 Specify a master key
**2.2.1 KMS master key from environment variables**
A KMS master key consists of a master-key ID (CMK) and the 256 bit master key encoded as HEX value separated by a `:`. A KMS master key consists of a master-key ID (CMK) and the 256 bit master key encoded as HEX value separated by a `:`.
A KMS master key can be specified directly using: A KMS master key can be specified directly using:
@ -228,6 +230,23 @@ Please use your own master key. A random master key can be generated using e.g.
head -c 32 /dev/urandom | xxd -c 32 -ps head -c 32 /dev/urandom | xxd -c 32 -ps
``` ```
**2.2.2 KMS master key from docker secret**
Alternatively, you may pass a master key as a [Docker secret](https://docs.docker.com/engine/swarm/secrets/).
```bash
echo "my-minio-key:6368616e676520746869732070617373776f726420746f206120736563726574" | docker secret create sse_master_key
```
Obviously, do not use this demo key for anything real!
To use another secret name, follow the instructions above and replace sse_master_key with your custom names (e.g. my_sse_master_key).
Then, set the MINIO_SSE_MASTER_KEY_FILE environment variable to your secret name:
```bash
export MINIO_SSE_MASTER_KEY_FILE=my_sse_master_key
```
### 3. Test your setup ### 3. Test your setup
To test this setup, start minio server with environment variables set in Step 3, and server is ready to handle SSE-S3 requests. To test this setup, start minio server with environment variables set in Step 3, and server is ready to handle SSE-S3 requests.
