Skip to content

MinIO Object Storage

Jump to bottom
Harshavardhana edited this page Mar 19, 2024 · 37 revisions

This guide shows how to setup a KES server and then configure a MinIO server as KES client for object encryption.

╔═══════════════════════════════════════╗ 
║ ┌───────────┐          ┌────────────┐ ║        ┌─────────┐
║ │   MinIO   ├──────────┤ KES Server ├─╫────────┤   KMS   │
║ └───────────┘          └────────────┘ ║        └─────────┘
╚═══════════════════════════════════════╝

Here, we focus on a simple KES server setup. Therefore, we use the local filesystem as key store and omit the KMS integration. However, you can of course choose any supported KMS implementation that meets your requirements.

KES Server Setup

1. Generate KES Server Private Key & Certificate

First, we need to generate a TLS private key and certificate for our KES server. A KES server can only be run with TLS - since secure-by-default. Here we use self-signed certificates for simplicity.

The following command generates a new TLS private key (private.key) and a self-signed X.509 certificate (public.crt) issued for the IP 127.0.0.1 and DNS name localhost:

$ kes identity new --ip "127.0.0.1" --cert=public.crt --key=private.key localhost

  Private key:  private.key
  Certificate:  public.crt
  Identity:     2e897f99a779cf5dd147e58de0fe55a494f546f4dcae8bc9e5426d2b5cd35680

If you already have a TLS private key & certificate - e.g. from a WebPKI or internal CA - you can use them instead. Remember to adjust the tls config section later on.

2. Generate MinIO Credentials

MinIO needs some credentials to access the KES server. The following command generates a new TLS private/public key pair:

$ kes identity new --key=client.key --cert=client.crt MinIO

  Private key:  client.key
  Certificate:  client.crt
  Identity:     02ef5321ca409dbc7b10e7e8ee44d1c3b91e4bf6e2198befdebee6312745267b

The identity 02ef5321ca409dbc7b10e7e8ee44d1c3b91e4bf6e2198befdebee6312745267b is an unique fingerprint of the public key in client.crt and you can re-compute it anytime:

$ kes identity of client.crt

  Identity:  02ef5321ca409dbc7b10e7e8ee44d1c3b91e4bf6e2198befdebee6312745267b
3. Configure KES Server

Next, we can create the KES server configuration file: config.yml. Please, make sure that the identity in the policy section matches your client.crt identity.

address: 0.0.0.0:7373 # Listen on all network interfaces on port 7373

admin:
  identity: disabled  # We disable the admin identity since we don't need it in this guide 
   
tls:
  key: private.key    # The KES server TLS private key
  cert: public.crt    # The KES server TLS certificate
   
policy:
  my-app: 
    allow:
    - /v1/key/create/minio-*
    - /v1/key/generate/minio-*
    - /v1/key/decrypt/minio-*
    identities:
    - 02ef5321ca409dbc7b10e7e8ee44d1c3b91e4bf6e2198befdebee6312745267b # Use the identity of your client.crt
   
keystore:
  fs:
    path: ./keys # Choose a directory for the secret keys
4. Start KES Server

Now, we can start a KES server instance:

$ kes server --config config.yml --auth off

On linux, KES can use the mlock syscall to prevent the OS from writing in-memory data to disk (swapping). This prevents leaking senstive data accidentality. The following command allows KES to use the mlock syscall without running with root privileges:

$ sudo setcap cap_ipc_lock=+ep $(readlink -f $(which kes))

Then, we can start a KES server instance with memory protection:

$ kes server --config config.yml --auth off --mlock

MinIO Server Setup

1. Install MinIO

You can either download a static binary or follow the MinIO Quickstart Guide.

2. Set MINIO_KMS_KES_ENDPOINT

MinIO needs to know to which KES server it should talk to:

export MINIO_KMS_KES_ENDPOINT=https://127.0.0.1:7373
3. Set MinIO Client Credentials

Further, MinIO needs some access credentials to talk to a KES server. Either an API key:

export MINIO_KMS_KES_API_KEY=<your-key>

or a TLS private key and client certificate:

export MINIO_KMS_KES_CERT_FILE=client.crt
export MINIO_KMS_KES_KEY_FILE=client.key
4. Set MinIO Default Key

MinIO needs a default key that it will use if its S3 client does not specify an encryption key.

export MINIO_KMS_KES_KEY_NAME=minio-default-key

MinIO will create this key automatically if it doesn't exist.

5. Trust the KES Server Certificate

When using self-signed certificates, MinIO cannot verify the the KES server certificate. Therefore, we establish the trust relationship manually.

export MINIO_KMS_KES_CAPATH=public.crt

Here, public.crt is the public certificate of the KES server.
This step is optional if the KES server uses a certificate issued by a trusted CA.

6. Start MinIO Server

First, set the MinIO root credentials:

export MINIO_ROOT_USER=minio
export MINIO_ROOT_PASSWORD=minio123

Then, start MinIO:

minio server /data

Encrypt Bucket

You can enable server-side encryption on a specific bucket using the PutBucketEncryption S3 API. This can be done quite easily with mc.

1. Create Key

First, create a new key for your bucket. For example:

mc admin kms key create <alias> minio-my-bucket

Use your MinIO server alias.

2. Configure Bucket

Then, add a server-side encryption configuration to your bucket. For example:

mc encrypt set sse-kms minio-my-bucket <alias>/my-bucket

Use your MinIO server alias.

References

Clone this wiki locally