# KMS Quickstart Guide [![Slack](https://slack.minio.io/slack?type=svg)](https://slack.minio.io) Minio uses a key-management-system (KMS) to support SSE-S3. If a client requests SSE-S3, or auto-encryption is enabled, the Minio server encrypts each object with an unique object key which is protected by a master key managed by the KMS. Usually all object keys are protected by a single master key. Minio supports two different KMS concepts: - External KMS: Minio can be configured to use an external KMS i.e. [Hashicorp Vault](https://www.vaultproject.io/). An external KMS decouples Minio as storage system from key-management. An external KMS can be managed by a dedicated security team and allows you to grant/deny access to (certain) objects by enabling or disabling the corresponding master keys on demand. - Direct KMS master keys: Minio can also be configured to directly use a master key specified by the environment variable `MINIO_SSE_MASTER_KEY`. Direct master keys are useful if the storage backend is not on the same machine as the Minio server, e.g., if network drives or Minio gateway is used and an external KMS would cause too much management overhead. Note: If the Minio server machine is ever compromised, then the master key must also be treated as compromised. **Important:** If multiple Minio servers are configured as [gateways](https://github.com/minio/minio/blob/master/docs/gateway/README.md) pointing to the *same* backend - for example the same NAS storage - then the KMS configuration **must** be the same for all gateways. Otherwise one gateway may not be able to decrypt objects created by another gateway. It is the operators' responsibility to ensure consistency. ## Get started ### 1. Prerequisites Install Minio - [Minio Quickstart Guide](https://docs.minio.io/docs/minio-quickstart-guide). ### 2. Setup a KMS Either use Hashicorp Vault as external KMS or specify a master key directly depending on your use case. #### 2.1 Setup Hashicorp Vault Here is a sample quick start for configuring vault with a transit backend and Approle with correct policy Minio requires the following Vault setup: - The [transit backend](https://www.vaultproject.io/api/secret/transit/index.html) configured with a named encryption key-ring - [AppRole](https://www.vaultproject.io/docs/auth/approle.html) based authentication with read/update policy for transit backend. In particular, read and update policy are required for the [Generate Data Key](https://www.vaultproject.io/api/secret/transit/index.html#generate-data-key) endpoint and [Decrypt Data](https://www.vaultproject.io/api/secret/transit/index.html#decrypt-data) endpoint. **2.1.1 Start Vault server in dev mode** In dev mode, Vault server runs in-memory and starts unsealed. Note that running Vault in dev mode is insecure and any data stored in the Vault is lost upon restart. ``` vault server -dev ``` **2.1.2 Set up vault transit backend and create an app role** ``` cat > vaultpolicy.hcl <