Server Side Encryption with AIStor Key Manager

This procedure provides guidance for enabling Server-Side Encryption (SSE) using AIStor Key Manager as the Key Management Service (KMS).

Enabling SSE on an AIStor deployment automatically encrypts the backend data for that deployment using the default encryption key selected during the setup process.

AIStor requires access to the Key Manager to decrypt the backend and start normally. You can neither disable nor reset encryption of the backend.

Prerequisites

Network Encryption (TLS)

AIStor Key Manager requires TLS connectivity between client and server to protect cryptographic payloads during transmission.

Review the networking tutorials and enable TLS before proceeding with this tutorial.

AIStor Key Manager

This procedure assumes you have an existing Key Manager deployment with a pre-configured identity for use with AIStor. See the Key Manager documentation for guidance on installation, configuration, and retrieval of the necessary values.

Utilities

This procedure uses the base64 and yq utilities. Install both utilities on your local host system.

Procedure

  1. Retrieve and take a backup of the environment file

    Copy /etc/default/minio to a timestamped backup file, for example /etc/default/minio.<timestamp>.bak, before proceeding.

  2. Add Key Manager settings to the environment file

    Open the /etc/default/minio file in your preferred text editor and add the following lines:

     # AIStor Key Manager settings
    
     # Provide a list of hostnames associated with your Key Manager deployment.
     # Alternatively, specify a load balancer that manages connections to the Key Manager hosts.
     # Every endpoint must use https://, since Key Manager requires TLS.
    
     MINIO_KMS_SERVER="https://kms-1.example.net,https://kms-2.example.net,https://kms-3.example.net"
    
     # Specify the name for the default encryption key
     # This key is used for backend and default bucket encryption.
     # Use a distinctive key name so it is easy to identify among the other keys stored in the enclave.
     #
     # Do not modify the MINIO_KMS_SSE_KEY value after setup.
     # AIStor requires this key to start successfully.
    
     MINIO_KMS_SSE_KEY="object-store-primary-default-key"
    
     # Specify the Key Manager enclave to use
    
     MINIO_KMS_ENCLAVE="object-store-primary"
    
     # Specify the AIStor Key Manager API key used to authenticate operations.
     # The API key must be permitted to access and perform operations in the Key Manager enclave named above.
    
     MINIO_KMS_API_KEY="k1:APIKEYSTRING"
    

    Apply this change to every node in the AIStor deployment. The contents of the environment file must match exactly on all nodes: compute a checksum of the file on each node with a utility such as shasum and confirm the values are identical before proceeding. The file now contains the Key Manager API key, so restrict read access to the accounts that need it (for example, root and the minio service user).

  3. Restart AIStor

    Use the mc admin service restart ALIAS command to restart all AIStor nodes simultaneously.

    Monitor the nodes for successful startup. A node that cannot reach the Key Manager or authenticate with the configured API key and enclave does not start normally, so check its log output before retrying.

  4. Enable bucket default encryption

    Use the mc CLI tool to connect to the AIStor deployment. Use the mc encrypt set command to set bucket default encryption.

    For example:

    mc mb object-store/data
    mc encrypt set sse-kms object-store-primary-default-key object-store/data
    
    This example uses the default key named in MINIO_KMS_SSE_KEY. The alias (here object-store) must be the one you configured for the deployment.

    If you want to create a specific key for a bucket, use mc admin kms key create:

    mc admin kms key create object-store data-bucket-encryption-key
    mc mb object-store/data
    mc encrypt set sse-kms data-bucket-encryption-key object-store/data
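
The whole procedure in one script, as an added shell example that is not part of MinIO's documentation or tooling. It backs up the environment file, appends the Key Manager block once, refuses to modify a file that already carries MINIO_KMS_SERVER (so MINIO_KMS_SSE_KEY is never changed after setup), checks that every endpoint uses https:// and that the API key has the documented k1: prefix, fingerprints the file so you can compare nodes, and only in finish_rollout (not run by the checks) restarts the deployment and sets bucket default encryption. The hostnames, the alias object-store, the bucket name data, the enclave and key names and the API key value are assumptions taken from the placeholders above.

```shell
#!/usr/bin/env bash
# Added example, not MinIO's own tooling. Automates steps 1-4 on one node.
# Hostnames, alias "object-store", bucket "data", enclave/key names and the
# API key are placeholders; replace them with your deployment's values.
set -u

# Render the Key Manager block exactly as it must appear on every node.
# Arguments: comma-separated https:// endpoints, default key name, enclave, API key.
render_kms_settings() {
    local servers="$1" key="$2" enclave="$3" api_key="$4"
    printf '%s\n' \
        "# AIStor Key Manager settings" \
        "MINIO_KMS_SERVER=\"${servers}\"" \
        "MINIO_KMS_SSE_KEY=\"${key}\"" \
        "MINIO_KMS_ENCLAVE=\"${enclave}\"" \
        "MINIO_KMS_API_KEY=\"${api_key}\""
}

# Steps 1 and 2: back up ENV_FILE to ENV_FILE.<timestamp>.bak, then append the
# block once. Refuses to touch a file that already has MINIO_KMS_SERVER, because
# MINIO_KMS_SSE_KEY must never be changed after setup.
apply_kms_settings() {
    local env_file="$1"; shift
    if grep -q '^MINIO_KMS_SERVER=' "$env_file" 2>/dev/null; then
        echo "MINIO_KMS_SERVER already present in $env_file; refusing to modify" >&2
        return 1
    fi
    cp -p "$env_file" "${env_file}.$(date +%Y%m%d%H%M%S).bak" || return 1
    { echo; render_kms_settings "$@"; } >> "$env_file"
    # The file now holds the Key Manager API key: keep it unreadable to others.
    chmod 640 "$env_file"
}

# Pre-restart check: every variable set and non-empty, every endpoint https://
# (Key Manager requires TLS), API key in the documented k1:... form.
validate_kms_settings() {
    local env_file="$1" var value endpoint rc=0
    for var in MINIO_KMS_SERVER MINIO_KMS_SSE_KEY MINIO_KMS_ENCLAVE MINIO_KMS_API_KEY; do
        grep -q "^${var}=\"..*\"" "$env_file" || { echo "missing or empty: $var" >&2; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1
    value=$(sed -n 's/^MINIO_KMS_SERVER="\(.*\)"$/\1/p' "$env_file")
    for endpoint in $(printf '%s' "$value" | tr ',' ' '); do
        case "$endpoint" in
            https://*) ;;
            *) echo "Key Manager endpoint without TLS: $endpoint" >&2; rc=1 ;;
        esac
    done
    value=$(sed -n 's/^MINIO_KMS_API_KEY="\(.*\)"$/\1/p' "$env_file")
    case "$value" in
        k1:?*) ;;
        *) echo "MINIO_KMS_API_KEY is not in the k1:... form" >&2; rc=1 ;;
    esac
    return "$rc"
}

# Fingerprint for the "must match exactly on all nodes" check: run on each node
# and compare the printed hashes.
env_fingerprint() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# Steps 3 and 4, run once from a host with a configured mc alias after every
# node's fingerprint matches. Not executed by the checks above.
finish_rollout() {
    local alias="$1" bucket="$2" key="$3"
    mc admin service restart "$alias" || return 1
    mc mb "${alias}/${bucket}" || return 1
    mc encrypt set sse-kms "$key" "${alias}/${bucket}"
}

# Usage on one node (assumed values):
#   apply_kms_settings /etc/default/minio \
#       "https://kms-1.example.net,https://kms-2.example.net,https://kms-3.example.net" \
#       object-store-primary-default-key object-store-primary "k1:APIKEYSTRING"
#   validate_kms_settings /etc/default/minio && env_fingerprint /etc/default/minio
# Then, once the fingerprints agree on every node:
#   finish_rollout object-store data object-store-primary-default-key
```

The validation deliberately fails closed: a single http:// endpoint in MINIO_KMS_SERVER or an API key without the k1: prefix stops the rollout before the restart, which is the point at which a bad setting turns into nodes that cannot start.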
    
All rights reserved 2024-Present, MinIO, Inc.