Server Side Encryption with KES

This page explains how to deploy AIStor with KES for Server Side Encryption. For instructions on running KES, see the KES docs.

Enabling SSE on an AIStor deployment automatically encrypts the backend data for that deployment using the default encryption key.

AIStor requires access to KES and the external KMS to decrypt the backend and start normally. The KMS must maintain access to the MINIO_KMS_KES_KEY_NAME. You cannot disable or reset encryption of the backend.

Prerequisites

The AIStor Kubernetes Operator deployed on your Kubernetes cluster.
Object store services and pods accessible from your local host, to support management with the AIStor client (mc).

For internal hosts, use the service DNS name. For external hosts, specify the hostname of the service exposed by Ingress, Load Balancer, or other Kubernetes network control component.
An existing KMS installation accessible from your cluster.

For deployments on the same cluster as your object store, you can use Kubernetes Service names to connect the object store with the KMS service.

For external deployments, you must make sure the cluster supports communications between Kubernetes services and pods and the external network. This may require configuring or deploying additional Kubernetes network components or enabling access to the public internet.

Refer to the installation instructions for your supported KMS target to deploy KES and connect it to a KMS solution:

AWS Secrets Manager
Azure KeyVault
Entrust KeyControl
Fortanix SDKMS
Google Cloud Secret Manager
HashiCorp Vault
[Thales CipherTrust Manager (formerly Gemalto KeySecure)](https://docs.min.io/enterprise/aistor-key-manager/legacy-key-management/installation/

Procedure

Generate a new encryption key.

If needed, unseal the backing vault instance before you create a new key. See the documentation for your KMS solution.

Run the mc admin kms key create command against the object store:
```
# Replace my-new-key with the name of the key you want to use for SSE-KMS
mc admin kms key create k8s encrypted-bucket-key
```
Enable SSE-KMS for a bucket

You can use either the console or the AIStor client to enable bucket-default SSE-KMS with the generated key:
AIStor console
1. In the AIStor console, create a new bucket. Or, select an existing bucket.
2. In the left-hand menu, select Encryption, provide the required information, and select Save.
3. Add a file to the bucket, and confirm the associated encryption metadata.
`mc`
Create a new alias for the AIStor Server. You can then run mc encrypt set to enable SSE-KMS encryption for a bucket:
```
mc alias set k8s https://minio.minio-tenant-1.svc.cluster-domain.example:443 ROOTUSER ROOTPASSWORD

mc mb k8s/encryptedbucket
mc encrypt set SSE-KMS encrypted-bucket-key k8s/encryptedbucket
```
For clients external to the Kubernetes cluster, specify the hostname of the service exposed by Ingress, Load Balancer, or similar Kubernetes network control component.

Write a file to the bucket using mc cp or any S3-compatible SDK with a PutObject function. You can then run mc stat on the file to confirm the associated encryption metadata.