Skip to content

MinIO Object Storage

Jump to bottom
Andreas Auernhammer edited this page Apr 8, 2020 · 37 revisions

This guide shows how to setup a KES server and then configure a MinIO server as KES client for object encryption.

Here, we focus on a simple KES server setup. Therefore, we use the local filesystem as key store and omit the KMS integration. However, you can of course choose any supported key store backend and KMS implemention that meet on your requirements.

  1. KES Server Setup
  2. MinIO Configuration
                           ┌───────┐
                           |  KMS  ├──────┐
                           └───┬───┘      |
                               |          |
╔══════════════════════════════╪════════╗ |
║ ┌───────────┐          ┌─────┴──────┐ ║ |      ┌───────────┐
║ │   MinIO   ├──────────┤ KES Server ├─╫─┴──────┤ Key Store │
║ └───────────┘          └────────────┘ ║        └───────────┘
╚═══════════════════════════════════════╝

KES server setup

First we need to generate a TLS private key and certificate for our KES server. A KES server can only be run with TLS - since secure-by-default. Here we use self-signed certificates for simplicity. For a production setup we highly recommend to use a certificate signed by CA (e.g. your internal CA or a public CA like Let's Encrypt)

  1. First, create the TLS private key:

    openssl ecparam -genkey -name prime256v1 | openssl ec -out server.key

  2. Then, create the corresponding TLS X.509 certificate:

    openssl req -new -x509 -days 30 -key server.key -out server.cert \
  -subj "/C=/ST=/L=/O=/CN=localhost" -addext "subjectAltName = IP:127.0.0.1"

  3. Now you have a server.key and server.cert file. Next, we create the root identity:

    kes tool identity new --key="root.key" --cert="root.cert" root

    Note that we create a private key (root.key) and a certificate (root.cert) for TLS client authentication. Again, the certificate is not signed by a CA that is trusted by the KES server. That is not a security issue per se since only clients with public keys/certificates that are known to the server can perform operations based on policies. However, we recommend to use client certificates that were issued by a trusted CA. Then the kes server does not even accept connections from untrusted clients.

    You can compute the root identity via:

    kes tool identity of root.cert

  4. Since we don't want to give the MinIO server root capabilities we also create an new identity for our MinIO server:

    kes tool identity new --key="./minio.key" --cert="minio.cert" MinIO

    You can compute the minio identity via:

    kes tool identity of minio.cert

  5. Now we have defined all entities in our demo setup. Let's wire everything together by creating the config file server-config.toml:

    address = "0.0.0.0:7373"
root    = "" # Your root identity

[tls]
key  = "server.key"
cert = "server.cert"

[policy.prod-app] 
paths      = [ "/v1/key/create/my-minio-key", 
               "/v1/key/generate/my-minio-key" ,
               "/v1/key/decrypt/my-minio-key" ]
identities = [ "" ] # Your MinIO identity

# We use the local filesystem for simplicity.
[keystore.fs]
dir    = "./keys" # Choose a directory for the secret keys

    Please use your own root and minio identity as well as a directory for your secret keys.

  6. Finally we can start a KES server in a new window/tab:

    kes server --config=server-config.toml --mtls-auth=ignore

    --mtls-auth=ignore is required since our root.cert and minio.cert certificates are self-signed

  7. In the previous window/tab we now can connect to the server by:

    export KES_CLIENT_TLS_CERT_FILE=minio.cert
export KES_CLIENT_TLS_KEY_FILE=minio.key
kes key create my-minio-key -k

    -k is required because we use self-signed certificates

    Now, you should see a secret key inside the ./keys directory.

MinIO Configuration

  1. Download and install MinIO. You can either download a static binary or follow the MinIO Quickstart Guide.

  2. Set the following 5 MINIO_KMS_KES environment variables:

    export MINIO_KMS_KES_ENDPOINT=https://127.0.0.1:7373
export MINIO_KMS_KES_CERT_FILE=minio.cert
export MINIO_KMS_KES_KEY_FILE=minio.key
export MINIO_KMS_KES_CA_PATH=server.cert
export MINIO_KMS_KES_KEY_NAME=my-minio-key

    The MinIO server uses MINIO_KMS_KES_CERT_FILE and MINIO_KMS_KES_KEY_FILE to authenticate to KES - similar to the KES CLI above. Further, we have to set MINIO_KMS_KES_CA_PATH since we use self-signed certificates. If you use certificates issued by an internal CA you may want to set MINIO_KMS_KES_CA_PATH to the root certificate of your internal CA instead.

  3. Start the MinIO server - for example:

    export MINIO_ACCESS_KEY=minio
export MINIO_SECRET_KEY=minio123
minio server /tmp/minio-1
Clone this wiki locally