Server Side Encryption with MinIO KMS
This procedure provides guidance for enabling Server-Side Encryption (SSE) using MinIO KMS as the Key Management Service (KMS).
Enabling SSE on an AIStor deployment automatically encrypts the backend data for that deployment using the default encryption key selected during the setup process.
AIStor requires access to MinIO KMS to decrypt the backend and start normally. You can neither disable nor reset encryption of the backend.
Prerequisites
Network encryption (TLS)
MinIO KMS requires TLS connectivity between client and server to protect cryptographic payloads during transmission.
Review the networking tutorials and enable TLS before proceeding with this tutorial.
MinIO KMS
This procedure assumes you have an existing MinIO KMS deployment with a pre-configured identity for use with AIStor. See the MinIO KMS documentation for guidance on installation, configuration, and retrieval of the necessary values.
The MinIO KMS installation tutorial includes steps to create the necessary API keys and resources for configuring an object store deployment for SSE encryption. You must complete those steps before starting this procedure.
Utilities
This procedure uses the base64 and yq utilities.
Install both utilities on your local host system.
Procedure
- Retrieve and take a backup of the environment file

  Copy the contents of /etc/default/minio to a backup file, such as minio.timestamp.bak, before proceeding.
- Add MinIO KMS settings to the environment file

  Open the /etc/default/minio file in your preferred text editor and add the following lines:

    # MinIO KMS settings
    # Provide a list of hostnames associated to your MinIO KMS deployment.
    # Alternatively specify a load balancer managing connections to the MinIO KMS hosts.
    MINIO_KMS_SERVER="https://kms-1.example.net,https://kms-2.example.net,https://kms-3.example.net"

    # Specify the name for the default encryption key.
    # This key is used for backend and default bucket encryption.
    # Consider specifying a unique key name to facilitate easy identification among other stored keys.
    #
    # Do not modify the MINIO_KMS_SSE_KEY value after setup.
    # AIStor requires this key to start successfully.
    MINIO_KMS_SSE_KEY="object-store-primary-default-key"

    # Specify the MinIO KMS enclave to use
    MINIO_KMS_ENCLAVE="object-store-primary"

    # Specify the MinIO KMS API key to use for authenticating operations.
    # The API key must have permission to access and perform operations in the MinIO KMS enclave.
    MINIO_KMS_API_KEY="k1:APIKEYSTRING"

  Apply this change to all nodes in the AIStor deployment. The contents of the environment file must match exactly on every node. Use a utility like shasum to confirm that the checksums match across all files before proceeding.
- Restart AIStor

  Use the mc admin service restart command to restart all AIStor nodes simultaneously. Monitor the nodes for successful startup.
- Enable bucket default encryption

  Use the mc CLI tool to connect to the AIStor deployment. Use the mc encrypt set command to set bucket default encryption. To use the default key named in MINIO_KMS_SSE_KEY, for example:

    mc mb object-store/data
    mc encrypt set sse-kms object-store-primary-default-key object-store/data

  If you want to create a specific key for a bucket, use mc admin kms key create:

    mc admin kms key create object-store data-bucket-encryption-key
    mc mb object-store/data
    mc encrypt set sse-kms data-bucket-encryption-key object-store/data