Skip to content

MinIO Object Storage

Jump to bottom
Andreas Auernhammer edited this page Oct 27, 2020 · 37 revisions

This guide shows how to setup a KES server and then configure a MinIO server as KES client for object encryption.

Here, we focus on a simple KES server setup. Therefore, we use the local filesystem as key store and omit the KMS integration. However, you can of course choose any supported KMS implementation that meets your requirements.

  1. KES Server Setup
  2. MinIO Configuration
╔═══════════════════════════════════════╗ 
║ ┌───────────┐          ┌────────────┐ ║        ┌─────────┐
║ │   MinIO   ├──────────┤ KES Server ├─╫────────┤   KMS   │
║ └───────────┘          └────────────┘ ║        └─────────┘
╚═══════════════════════════════════════╝

KES Server setup

First, we need to generate a TLS private key and certificate for our KES server. A KES server can only be run with TLS - since secure-by-default. Here we use self-signed certificates for simplicity. For a production setup we highly recommend to use a certificate signed by CA (e.g. your internal CA or a public CA like Let's Encrypt)

  1. First, create the TLS private key:

    openssl ecparam -genkey -name prime256v1 | openssl ec -out server.key

  2. Then, create the corresponding TLS X.509 certificate:

    openssl req -new -x509 -days 30 -key server.key -out server.cert \
  -subj "/C=/ST=/L=/O=/CN=localhost" -addext "subjectAltName = IP:127.0.0.1"

    You can ignore output messages like: req: No value provided for Subject Attribute C, skipped. OpenSSL just tells you that you haven't specified a country, state, a.s.o for the certificate subject. Since we generate a self-signed certificate we don't have to worry about this.

  3. Then, create private key and certificate for MinIO:

    kes tool identity new --key=minio.key --cert=minio.cert MinIO

    You can compute the minio identity via:

    kes tool identity of minio.cert

  4. Now we have defined all entities in our demo setup. Let's wire everything together by creating the config file server-config.yml:

    address: 0.0.0.0:7373
root:    disabled  # We disable the root identity since we don't need it in this guide 

tls:
  key : server.key
  cert: server.cert

policy:
  my-app:
    paths:
    - /v1/key/create/my-minio-key
    - /v1/key/generate/my-minio-key
    - /v1/key/decrypt/my-minio-key
    identities:
    - ${MINIO_IDENTITY}

keys:
  fs:
    path: ./keys # Choose a location for your secret keys

    Please use your own root and minio identity.

  5. Finally we can start a KES server in a new window/tab:

    export MINIO_IDENTITY=$(kes tool identity of minio.cert)

kes server --config=server-config.yaml --auth=off

    --auth=off is required since our root.cert and minio.cert certificates are self-signed

  6. In the previous window/tab we now can connect to the server by:

    export KES_CLIENT_CERT=minio.cert
export KES_CLIENT_KEY=minio.key
kes key create -k my-minio-key

    -k is required because we use self-signed certificates

    Now, you should see a secret key inside the ./keys directory.

MinIO Configuration

  1. Download and install MinIO. You can either download a static binary or follow the MinIO Quickstart Guide.

  2. Set the following 5 MINIO_KMS_KES environment variables:

    export MINIO_KMS_KES_ENDPOINT=https://127.0.0.1:7373
export MINIO_KMS_KES_CERT_FILE=minio.cert
export MINIO_KMS_KES_KEY_FILE=minio.key
export MINIO_KMS_KES_CA_PATH=server.cert
export MINIO_KMS_KES_KEY_NAME=my-minio-key

    The MinIO server uses MINIO_KMS_KES_CERT_FILE and MINIO_KMS_KES_KEY_FILE to authenticate to KES - similar to the KES CLI above. Further, we have to set MINIO_KMS_KES_CA_PATH since we use self-signed certificates. If you use certificates issued by an internal CA you may want to set MINIO_KMS_KES_CA_PATH to the root certificate of your internal CA instead.

  3. Start the MinIO server - for example:

    export MINIO_ACCESS_KEY=minio
export MINIO_SECRET_KEY=minio123
minio server /tmp/1
Clone this wiki locally