MinIO Object Storage
This guide shows how to set up a KES server and then configure a MinIO server as a KES client for object encryption.
Here, we focus on a simple KES server setup: we use the local filesystem as the key store and omit the KMS integration. However, you can of course choose any supported KMS implementation that meets your requirements.
```
╔═══════════════════════════════════════╗
║ ┌───────────┐          ┌────────────┐ ║          ┌─────────┐
║ │   MinIO   ├──────────┤ KES Server ├─╫──────────┤   KMS   │
║ └───────────┘          └────────────┘ ║          └─────────┘
╚═══════════════════════════════════════╝
```
First, we need to generate a TLS private key and certificate for our KES server. A KES server can only be run with TLS, since it is secure by default. Here we use self-signed certificates for simplicity. For a production setup we highly recommend using a certificate signed by a CA (e.g. your internal CA or a public CA like Let's Encrypt).
The following command will generate a new TLS private key `server.key` and an X.509 certificate `server.cert` that is self-signed and issued for the IP 127.0.0.1 and DNS name localhost (as SAN). You may want to customize the command to match your setup.
```sh
kes tool identity new --server --key server.key --cert server.cert --ip "127.0.0.1" --dns localhost
```
Any other tooling for X.509 certificate generation works as well. For example, you could use `openssl`:
```sh
$ openssl ecparam -genkey -name prime256v1 | openssl ec -out server.key
$ openssl req -new -x509 -days 30 -key server.key -out server.cert \
    -subj "/C=/ST=/L=/O=/CN=localhost" -addext "subjectAltName = IP:127.0.0.1"
```
Next, generate a TLS private key and certificate for MinIO. KES identifies each client by its certificate, so this certificate is MinIO's identity towards the KES server:
```sh
kes tool identity new --key=minio.key --cert=minio.cert MinIO
```
You can compute the `minio` identity via:
```sh
kes tool identity of minio.cert
```
3. Now we have defined all entities in our demo setup. Let's wire everything together by creating the config file `server-config.yml`:
```yaml
address: 0.0.0.0:7373
root: disabled # We disable the root identity since we don't need it in this guide

tls:
  key:  server.key
  cert: server.cert

policy:
  my-app:
    paths:
    - /v1/key/create/my-minio-key
    - /v1/key/generate/my-minio-key
    - /v1/key/decrypt/my-minio-key
    identities:
    - ${MINIO_IDENTITY}

keystore:
  fs:
    path: ./keys # Choose a location for your secret keys
```
Please use your own root and MinIO identity.
```sh
export MINIO_IDENTITY=$(kes tool identity of minio.cert)
kes server --config=server-config.yml --auth=off
```
`--auth=off` is required since our root.cert and minio.cert certificates are self-signed. With it, the server still requires every client to present a certificate, but it no longer checks that the certificate chains to a trusted CA; clients are identified by their certificate alone.
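As an added example (not part of this guide or of the KES code base), the following Go program shows what binds the policy to the client: the identity that `${MINIO_IDENTITY}` expands to, and the per-request check of whether that identity is bound to a policy covering the requested API path. It assumes that the identity is the hex-encoded SHA-256 of the certificate's DER SubjectPublicKeyInfo, that policy paths are glob patterns, and it generates a throw-away certificate in memory as a stand-in for minio.cert.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"math/big"
	"path"
	"time"
)

// Policy mirrors one entry under "policy:" in server-config.yml.
type Policy struct{ Paths, Identities []string }

// IdentityOf derives the KES identity of a client certificate: the hex-encoded
// SHA-256 of its DER SubjectPublicKeyInfo (assumed to match `kes tool identity of`).
func IdentityOf(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// Allowed reports whether identity is bound to a policy whose paths cover apiPath.
// Paths are treated as globs (an assumption; the literal paths in the config are unaffected).
func Allowed(policies map[string]Policy, identity, apiPath string) bool {
	for _, p := range policies {
		for _, id := range p.Identities {
			for _, pattern := range p.Paths {
				if ok, _ := path.Match(pattern, apiPath); ok && id == identity {
					return true
				}
			}
		}
	}
	return false // no policy binds this identity to this path: the request is denied
}

// NewSelfSignedCert builds a throw-away Ed25519 self-signed certificate in memory,
// standing in for minio.cert (constructed fixture, not for real use).
func NewSelfSignedCert() (*x509.Certificate, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand failures are not recoverable
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Binding a policy to the identity rather than to the certificate means that re-issuing minio.cert with the same key pair keeps the policy intact, while a new key pair requires updating `${MINIO_IDENTITY}` in the server config.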
```sh
export KES_CLIENT_CERT=minio.cert
export KES_CLIENT_KEY=minio.key
kes key create -k my-minio-key
```
`-k` (skip verification of the server's TLS certificate) is required because we use self-signed certificates.
Now, you should see a secret key inside the `./keys` directory.
Next, we need a MinIO server. You can either download a static binary or follow the MinIO Quickstart Guide.
```sh
export MINIO_KMS_KES_ENDPOINT=https://127.0.0.1:7373
export MINIO_KMS_KES_CERT_FILE=minio.cert
export MINIO_KMS_KES_KEY_FILE=minio.key
export MINIO_KMS_KES_CA_PATH=server.cert
export MINIO_KMS_KES_KEY_NAME=my-minio-key
```
The MinIO server uses `MINIO_KMS_KES_CERT_FILE` and `MINIO_KMS_KES_KEY_FILE` to authenticate to KES, similar to the KES CLI above. Further, we have to set `MINIO_KMS_KES_CA_PATH` since we use self-signed certificates. If you use certificates issued by an internal CA, you may want to set `MINIO_KMS_KES_CA_PATH` to the root certificate of your internal CA instead.
Finally, start the MinIO server:
```sh
export MINIO_ROOT_USER=minio
export MINIO_ROOT_PASSWORD=minio123
minio server /data
```