
MinIO Object Storage

Andreas Auernhammer edited this page Dec 13, 2019 · 37 revisions

How to encrypt objects with a kes server

This guide shows how to set up a kes server and configure a MinIO server to encrypt objects:

  1. Setting up a kes server
  2. Configure MinIO
  3. Recommendations

Setting up a kes server

First we need to generate a TLS private key and certificate for our kes server. A kes server can only be used with TLS because it relies on TLS for authentication and access control.

  1. We create a self-signed certificate for now. For a production setup you MUST use a certificate signed by a CA (e.g. your internal CA or a public CA like Let's Encrypt).

    openssl ecparam -genkey -name prime256v1 | openssl ec -out server.key
    openssl req -new -x509 -days 365 -key server.key -out server.cert -subj "/C=/ST=/L=/O=/CN=localhost"
  2. Now you have a server.key and a server.cert file. Next, we create the root identity:
    kes tool identity new --key="root.key" --cert="root.cert" root

    Note that we create a private key (root.key) and a certificate (root.cert) for TLS client authentication. Again, the certificate is not signed by a CA that is trusted by the kes server. That is not a security issue per se, since only clients whose public keys/certificates are known to the server can perform operations, and only those permitted by their policies. However, we recommend using client certificates that were issued by a trusted CA. Then the kes server does not even accept connections from untrusted clients.

  3. Since we don't want to give our MinIO instance root capabilities, we also create a minio-1 identity:
    kes tool identity new --key="minio-1.key" --cert="minio-1.cert" minio-1

  4. Next, we create a policy that allows MinIO to derive and decrypt data keys:

    cat > minio-1-policy.toml <<EOF
    paths = ["/v1/key/generate/minio-1-*" , "/v1/key/decrypt/minio-1-*"]
    EOF

  5. Now, we can start a key server in a new window/tab:

    kes server \
        --mtls-auth=ignore \
        --tls-key=server.key \
        --tls-cert=server.cert \
        --root=$(kes tool identity of root.cert)


    Note that this will start a kes server without a persistent key store. So every key we create will be gone once we stop/restart the server, and therefore, all objects we've encrypted so far can never be decrypted again. This command is for dev / testing purposes only. For a secure and persistent key store take a look at e.g. Hashicorp Vault.

  6. We have to add our minio-1-policy.toml to the server and assign the minio-1 identity to the policy:

    export KES_CLIENT_TLS_CERT_FILE=root.cert
    export KES_CLIENT_TLS_KEY_FILE=root.key
    kes policy add -k minio-1 minio-1-policy.toml
    kes identity assign -k $(kes tool identity of minio-1.cert) minio-1

    We can check that the minio-1 identity is correctly assigned to the minio-1 policy via:
    kes identity list -k

  7. Finally, we create one master key for MinIO. MinIO will later request a unique key per object from the kes server using the /v1/key/generate/ API call. Observe that the key name has to match the pattern minio-1-* according to the minio-1-policy.toml:
    kes key create minio-1-key-1 -k
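To see what the minio-1-policy.toml from step 4 actually grants, the following added example (not part of this wiki page or of the kes project) evaluates the policy's path patterns against a few constructed API paths. It assumes kes matches patterns like Go's path.Match, where `*` does not cross a `/` segment boundary; only the `*` wildcard used in this guide is supported.

```python
"""Evaluate which kes API paths the minio-1 policy from this guide permits."""
import ast
import re

# Constructed copy of the minio-1-policy.toml written in step 4.
MINIO_1_POLICY = '''
paths = ["/v1/key/generate/minio-1-*" , "/v1/key/decrypt/minio-1-*"]
'''


def load_policy_paths(policy_toml: str) -> list:
    """Extract the `paths` array. The guide's policy is one TOML array of
    strings, which is also valid Python list syntax, so ast.literal_eval
    parses it safely (tomllib on Python 3.11+ is the full TOML parser)."""
    m = re.search(r'^\s*paths\s*=\s*(\[.*\])', policy_toml, re.M)
    if not m:
        raise ValueError("policy has no paths array")
    paths = ast.literal_eval(m.group(1))
    if not all(isinstance(p, str) for p in paths):
        raise ValueError("every policy path must be a string")
    return paths


def glob_to_regex(pattern: str) -> "re.Pattern":
    """Assumption: like Go's path.Match, '*' matches any run of characters
    except '/', so a wildcard never spills into another API path segment."""
    parts = pattern.split("*")
    return re.compile("^" + "[^/]*".join(re.escape(p) for p in parts) + "$")


def is_allowed(policy_paths, request_path: str) -> bool:
    """True if at least one policy pattern matches the requested API path."""
    return any(glob_to_regex(p).match(request_path) for p in policy_paths)


def check_policy(policy_toml: str, requests) -> dict:
    """Map each constructed request path to whether the policy permits it."""
    paths = load_policy_paths(policy_toml)
    return {r: is_allowed(paths, r) for r in requests}


if __name__ == "__main__":
    sample = [
        "/v1/key/generate/minio-1-key-1",        # what MinIO needs: allowed
        "/v1/key/decrypt/minio-1-key-1",         # allowed
        "/v1/key/create/minio-1-key-2",          # only root created keys in step 7
        "/v1/key/generate/root-key",             # wrong key-name prefix
        "/v1/key/generate/minio-1-key-1/extra",  # '*' does not cross '/'
    ]
    for path, ok in check_policy(MINIO_1_POLICY, sample).items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {path}")
```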


Configure MinIO

First, you need to install MinIO. To do so, follow the Quickstart guide. Then, connecting MinIO to the kes server is very easy. Just set the following environment variables and start the server:

    export MINIO_KMS_KES_ENDPOINT=https://localhost:7373
    export MINIO_KMS_KES_KEY_FILE=minio-1.key
    export MINIO_KMS_KES_CERT_FILE=minio-1.cert
    export MINIO_KMS_KES_CA_PATH=server.cert
    export MINIO_KMS_KES_KEY_NAME=minio-1-key-1
    export MINIO_ACCESS_KEY=minio
    export MINIO_SECRET_KEY=minio123
    minio server /tmp/minio-1