
MinIO Object Storage

Harshavardhana edited this page Jan 19, 2021 · 37 revisions

This guide shows how to set up a KES server and then configure a MinIO server as a KES client for object encryption.

Here, we focus on a simple KES server setup. Therefore, we use the local filesystem as the key store and omit the KMS integration. However, you can of course choose any supported KMS implementation that meets your requirements.

  1. KES Server Setup
  2. MinIO Configuration

```
╔═══════════════════════════════════════╗
║ ┌───────────┐          ┌────────────┐ ║        ┌─────────┐
║ │   MinIO   ├──────────┤ KES Server ├─╫────────┤   KMS   │
║ └───────────┘          └────────────┘ ║        └─────────┘
╚═══════════════════════════════════════╝
```

KES Server setup

First, we need to generate a TLS private key and certificate for our KES server. A KES server can only be run with TLS, since it is secure by default. Here we use self-signed certificates for simplicity. For a production setup we highly recommend using a certificate signed by a CA (e.g. your internal CA or a public CA like Let's Encrypt).

1. First, create the TLS private key:

```sh
openssl ecparam -genkey -name prime256v1 | openssl ec -out server.key
```

2. Then, create the corresponding TLS X.509 certificate:

```sh
openssl req -new -x509 -days 30 -key server.key -out server.cert \
  -subj "/C=/ST=/L=/O=/CN=localhost" -addext "subjectAltName = IP:127.0.0.1"
```

You can ignore output messages like `req: No value provided for Subject Attribute C, skipped`. OpenSSL is just telling you that you haven't specified a country, state, and so on for the certificate subject. Since we generate a self-signed certificate we don't have to worry about this.

3. Then, create a private key and certificate for MinIO:

```sh
kes tool identity new --key=minio.key --cert=minio.cert MinIO
```

You can compute the MinIO identity via:

```sh
kes tool identity of minio.cert
```

4. Now we have defined all entities in our demo setup. Let's wire everything together by creating the config file `server-config.yml`:

```yaml
address: 0.0.0.0:7373
root:    disabled  # We disable the root identity since we don't need it in this guide

tls:
  key : server.key
  cert: server.cert

policy:
  my-app:
    paths:
    - /v1/key/create/my-minio-key
    - /v1/key/generate/my-minio-key
    - /v1/key/decrypt/my-minio-key
    identities:
    - ${MINIO_IDENTITY}

keys:
  fs:
    path: ./keys # Choose a location for your secret keys
```

Please use your own MinIO identity here (in this guide `${MINIO_IDENTITY}` is filled in from the environment variable exported in the next step), and your own root identity if you enable one.

5. Finally, we can start a KES server in a new window/tab:

```sh
export MINIO_IDENTITY=$(kes tool identity of minio.cert)

kes server --config=server-config.yml --auth=off
```

`--auth=off` is required since our `root.cert` and `minio.cert` certificates are self-signed and KES could not otherwise verify them against a CA.

6. In the previous window/tab we can now connect to the server by:

```sh
export KES_CLIENT_CERT=minio.cert
export KES_CLIENT_KEY=minio.key
kes key create -k my-minio-key
```

`-k` is required because we use self-signed certificates (it tells the KES CLI to skip verification of the server certificate).

Now, you should see a secret key inside the ./keys directory.


MinIO Configuration

1. Download and install MinIO:

You can either download a static binary or follow the MinIO Quickstart Guide.

2. Set the following 5 MINIO_KMS_KES environment variables:

 ```sh
 export MINIO_KMS_KES_ENDPOINT=https://127.0.0.1:7373
 export MINIO_KMS_KES_CERT_FILE=minio.cert
 export MINIO_KMS_KES_KEY_FILE=minio.key
 export MINIO_KMS_KES_CA_PATH=server.cert
 export MINIO_KMS_KES_KEY_NAME=my-minio-key
 ```
 > The MinIO server uses `MINIO_KMS_KES_CERT_FILE` and `MINIO_KMS_KES_KEY_FILE` to
 > authenticate to KES - similar to the KES CLI above.
 > Further, we have to set `MINIO_KMS_KES_CA_PATH` since we use self-signed certificates.
 > If you use certificates issued by an internal CA you may want to set `MINIO_KMS_KES_CA_PATH`
 > to the root certificate of your internal CA instead.

3. Start the MinIO server - for example:

 ```sh
 export MINIO_ACCESS_KEY=minio
 export MINIO_SECRET_KEY=minio123
 minio server /data
 ```
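The following pre-flight script ties the two procedures above together; it is an added example, not code from KES or MinIO. It assumes the file names and values used in this guide (`server.key`, `server.cert`, `minio.key`, `minio.cert`, `server-config.yml`, the `MINIO_IDENTITY` variable and the `127.0.0.1` endpoint), that `kes tool identity of` prints a 64-character lowercase hex string, and that `openssl` is installed; the function names are ours.

```shell
#!/bin/sh
# Pre-flight checks for the KES + MinIO setup above (added example, not KES or MinIO code).
# Assumes the file names from this guide (server.key, server.cert, minio.key, minio.cert,
# server-config.yml); the function names are ours. Requires openssl for the TLS checks.

# kes_identity_ok ID: `kes tool identity of` prints a 64-character lowercase hex string;
# anything else in a policy's identities list is a typo or an unset variable.
kes_identity_ok() {
  [ "${#1}" -eq 64 ] || return 1
  case "$1" in *[!0123456789abcdef]*) return 1 ;; esac
  return 0
}

# render_policy_config TEMPLATE IDENTITY: expand ${MINIO_IDENTITY} in server-config.yml and
# refuse to produce a policy that binds my-minio-key to an empty or malformed identity.
render_policy_config() {
  kes_identity_ok "$2" || { echo "invalid MINIO_IDENTITY: '$2'" >&2; return 1; }
  sed "s/[\$]{MINIO_IDENTITY}/$2/g" "$1"
}

# check_tls_pair KEY CERT: the public key in CERT must belong to KEY (compare the SPKI PEMs),
# otherwise KES (server.key/server.cert) or MinIO (minio.key/minio.cert) fails at TLS setup.
check_tls_pair() {
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
  [ "$key_pub" = "$cert_pub" ]
}

# check_server_san CERT HOST: MinIO validates server.cert against the host in
# MINIO_KMS_KES_ENDPOINT (127.0.0.1 above), so HOST must appear in the subjectAltName;
# the CN=localhost in the subject does not count. HOST is matched as a regex, so dots are loose.
check_server_san() {
  openssl x509 -in "$1" -noout -text 2>/dev/null |
    grep -A1 'Subject Alternative Name' |
    grep -qE "(DNS|IP Address):$2(,|\$)"
}

# run_preflight: all checks for the guide's file layout; run before `kes server` and `minio server`.
run_preflight() {
  check_tls_pair server.key server.cert || { echo "server.key/server.cert mismatch" >&2; return 1; }
  check_tls_pair minio.key minio.cert || { echo "minio.key/minio.cert mismatch" >&2; return 1; }
  check_server_san server.cert 127.0.0.1 || { echo "server.cert lacks SAN 127.0.0.1" >&2; return 1; }
  render_policy_config server-config.yml "${MINIO_IDENTITY:-}" >/dev/null
}
```

Run `run_preflight` from the directory holding the guide's files after exporting `MINIO_IDENTITY`; a non-zero exit names the file that would make `kes server` or MinIO's KES connection fail.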