Server Side Encryption with AIStor Key Manager

This procedure provides guidance for enabling Server-Side Encryption (SSE) using AIStor Key Manager as the Key Management Service (KMS).

Enabling SSE on an AIStor deployment automatically encrypts the backend data for that deployment using the default encryption key selected during the setup process.

AIStor requires access to the Key Manager to decrypt the backend and start normally. You can neither disable nor reset encryption of the backend.

Prerequisites

Network Encryption (TLS)

AIStor Key Manager requires TLS connectivity between client and server to protect cryptographic payloads during transmission.

The AIStor Operator by default deploys resources with TLS automatically configured. If you manually disabled TLS in the cluster, review the networking tutorial for guidance on re-enabling TLS.

AIStor Key Manager

This procedure assumes you have an existing Key Manager deployment with a pre-configured identity for use with AIStor. See the Key Manager documentation for guidance on installation, configuration, and retrieval of the necessary values.

Procedure

This procedure uses Helm and assumes an existing AIStor deployment.

  1. Retrieve the current Chart values

    Use the helm get values command to retrieve the current Chart values.yaml:

    helm get values OBJECT-STORE-NAME -n OBJECT-STORE-NAMESPACE -o yaml > aistor-object-store-name-values.yaml
    

    Create a backup of the file with the -bak.yaml suffix for records. If you use Git or a similar version control technology, you can use that system for retrieving the values file instead.

    Review the value of objectStore.configuration.name. This name points to the secret containing the object store configuration file in the namespace and is required in the next step. If you did not override this value, it defaults to myminio-env-configuration.

  2. Retrieve the configuration secret

    Create a local copy of the secret using the kubectl get command:

    kubectl get secret/myminio-env-configuration -n OBJECT-STORE-NAMESPACE -o yaml > myminio-env-configuration.yaml
    

    Replace the myminio-env-configuration with the value of objectStore.configuration.name from your Helm chart.

  3. Retrieve the configuration

    The data.config.env field in the secret contains the base64-encoded configuration. The following command uses the yq and base64 utilities to decode and save the file:

    yq -r '.data."config.env"' myminio-env-configuration.yaml | base64 -d > myminio-env-configuration
    

    The file contains any environment variables previously set or configured for the object store.

  4. Add Key Manager settings to the environment file

    Open the myminio-env-configuration file in your preferred text editor and add the following lines:

    # AIStor Key Manager settings

    # Provide the hostname of the Key Manager service in your Kubernetes cluster.
    MINIO_KMS_SERVER="https://kms-1.example.net,https://kms-2.example.net,https://kms-3.example.net"

    # Specify the name for the default encryption key.
    # This key is used for backend and default bucket encryption.
    # Consider specifying a unique key name to facilitate easy identification among other stored keys.
    #
    # Do not modify the MINIO_KMS_SSE_KEY value after setup.
    # AIStor requires this key to start successfully.
    MINIO_KMS_SSE_KEY="object-store-primary-default-key"

    # Specify the Key Manager enclave to use.
    MINIO_KMS_ENCLAVE="object-store-primary"

    # Specify the AIStor Key Manager API key to use for authenticating operations.
    # The API key must have permission to access and perform operations in the Key Manager enclave.
    MINIO_KMS_API_KEY="k1:APIKEYSTRING"
    
  5. Update the secret YAML

    Re-encode the updated environment file using base64 and replace the data.config.env value.

  6. Re-apply the secret

    Use kubectl apply to apply the secret and update the configuration setting in the namespace.

  7. Restart AIStor

    Delete all AIStor StatefulSets so that every pod restarts with the updated configuration at the same time. Use kubectl delete sts/...

  8. Enable bucket default encryption

    Use the mc CLI tool to connect to the AIStor deployment. Use the mc encrypt set command to set bucket default encryption.

    For example:

    mc mb object-store-k8s/data
    mc encrypt set sse-kms object-store-k8s/data
    

    If you want to create a specific key for a bucket, use mc admin kms key create:

    mc admin kms key create object-store-k8s data-bucket-encryption-key
    mc mb object-store-k8s/data
    mc encrypt set sse-kms data-bucket-encryption-key object-store-k8s/data
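Steps 3 through 5 above as one added shell example; this is not code from the AIStor documentation. It decodes config.env from a local copy of the secret manifest with plain sed and base64 (no yq), appends the Key Manager settings, refuses to change a MINIO_KMS_SSE_KEY that is already set, and writes the re-encoded value back into the manifest. It assumes the manifest keeps config.env on a single line under data; the function names and any hostnames or key names passed to them are placeholders of this example.

```bash
#!/usr/bin/env bash
# Added example, not from the AIStor documentation. Assumes the secret
# manifest stores the value on one line as "  config.env: <base64>".
set -euo pipefail
umask 077   # the decoded config.env holds root credentials and the KMS API key

# Print the decoded config.env from a local copy of the secret manifest.
decode_config_env() {
    sed -n 's/^[[:space:]]*config\.env:[[:space:]]*//p' "$1" | base64 -d
}

# Append the Key Manager settings to an env file.
# Refuses (returns 1) if the file already names a different MINIO_KMS_SSE_KEY:
# changing that key after setup leaves the backend undecryptable.
add_kms_settings() {
    local env_file=$1 server=$2 key=$3 enclave=$4 api_key=$5 existing
    existing=$(sed -n 's/^MINIO_KMS_SSE_KEY="\(.*\)"$/\1/p' "$env_file")
    if [ -n "$existing" ] && [ "$existing" != "$key" ]; then
        echo "refusing to change MINIO_KMS_SSE_KEY from $existing to $key" >&2
        return 1
    fi
    if [ -n "$existing" ]; then
        return 0    # already configured with this key; nothing to add
    fi
    # make sure the file ends with a newline before appending
    if [ -n "$(tail -c1 "$env_file")" ]; then echo >> "$env_file"; fi
    cat >> "$env_file" <<EOF
# AIStor Key Manager settings
MINIO_KMS_SERVER="$server"
MINIO_KMS_SSE_KEY="$key"
MINIO_KMS_ENCLAVE="$enclave"
MINIO_KMS_API_KEY="$api_key"
EOF
}

# Re-encode the env file as one base64 line (portable across GNU and BSD
# base64) and replace the data.config.env value in the manifest in place,
# keeping a .orig copy of the previous manifest.
update_secret_manifest() {
    local manifest=$1 env_file=$2 encoded
    encoded=$(base64 < "$env_file" | tr -d '\n')
    sed -i.orig "s|^\([[:space:]]*config\.env:\).*|\1 $encoded|" "$manifest"
}
```

The rewritten manifest is then applied with kubectl apply -f as in step 6; delete the decoded env file and the .orig copy afterwards, since both contain credentials.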
    
All rights reserved 2024-Present, MinIO, Inc.