Server Side Encryption with KES

This page explains how to deploy MinIO AIStor with KES for Server Side Encryption. For instructions on running KES, see the KES docs.

Broadly, the required steps are:

  1. Create a new external key (EK) for server-side encryption (SSE).

  2. Create or modify a MinIO AIStor deployment to support SSE with KES.

  3. Configure automatic bucket-default SSE.

Enabling SSE on a MinIO AIStor deployment automatically encrypts the backend data for that deployment using the default encryption key.

MinIO AIStor requires access to KES and the external KMS to decrypt the backend and start normally. The KMS must retain the key named by MINIO_KMS_KES_KEY_NAME: if that key is deleted or the KMS is unreachable, the deployment cannot decrypt its backend and cannot start. Once enabled, you cannot disable or reset encryption of the backend.

Prerequisites

Procedure

  1. Generate a KES API key for MinIO AIStor

    Run the kes identity new command to generate a new API key:

    kes identity new
    

    The output includes both the API key for MinIO AIStor and the identity hash for the KES Policy configuration.

  2. Edit the MinIO AIStor environment file

    Create or modify the environment file for all hosts in the target deployment to include the following environment variables:

    # Add these environment variables to the existing environment file
    
    MINIO_KMS_KES_ENDPOINT=https://HOSTNAME:7373
    MINIO_KMS_KES_API_KEY="kes:v1:ACTpAsNoaGf2Ow9o5gU8OmcaG6Af/VcZ1Mt7ysuKoBjv"
    
    # Allows validation of the KES Server Certificate (Self-Signed or Third-Party CA)
    # Change this path to the location of the KES CA Path
    MINIO_KMS_KES_CAPATH=/opt/kes/certs/kes-server.cert
    
    # Sets the default KMS key for the backend and for SSE-KMS/SSE-S3 operations
    MINIO_KMS_KES_KEY_NAME=minio-backend-default-key
    

    Replace HOSTNAME with the IP address or hostname of the KES server. If the MinIO AIStor host machines cannot resolve or reach the specified HOSTNAME, the deployment may return errors or fail to start.

    • If using a single KES server host, specify the IP or hostname of the host
    • If using multiple KES server hosts, specify a comma-separated list of IPs or hostnames of each host

    MinIO AIStor uses the MINIO_KMS_KES_KEY_NAME key for the following cryptographic operations:

    • Encrypting the MinIO AIStor backend (IAM, configuration, etc.)

    • Encrypting objects using SSE-KMS if the request does not include a specific key.

    • Encrypting objects using SSE-S3.

    MinIO AIStor defaults to expecting this file at /etc/default/minio. If you modified your deployment to use a different location for the environment file, modify the file at that location.
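    Before restarting, it is worth checking the environment file for the mistakes that make a KES-backed deployment fail to start (a plaintext or port-less endpoint, the identity hash pasted where the API key belongs, a CA path the minio user cannot read, an empty key name). The script below is an added example, not MinIO's or KES's own tooling; it parses the KEY=VALUE format of /etc/default/minio shown above. The sample files it writes are constructed for the demo, and the kes:v1:PLACEHOLDER value and the example hostnames are placeholders, not real credentials or hosts.

```shell
#!/bin/sh
# Added example (not part of MinIO AIStor or KES): lint the KES settings in a
# MinIO environment file before restarting. Sample files are constructed here;
# the API key and hostnames in them are placeholders.

# env_get FILE NAME: value of NAME in FILE (last assignment wins), with
# surrounding double quotes removed, as the shell would see it.
env_get() {
  sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# check_kes_env FILE: print one line per problem and return the problem count
# (0 means the file has everything MinIO needs to reach KES on restart).
check_kes_env() {
  file=$1
  errors=0
  endpoint=$(env_get "$file" MINIO_KMS_KES_ENDPOINT)
  api_key=$(env_get "$file" MINIO_KMS_KES_API_KEY)
  capath=$(env_get "$file" MINIO_KMS_KES_CAPATH)
  key_name=$(env_get "$file" MINIO_KMS_KES_KEY_NAME)

  # Endpoint: every comma-separated entry must be https://HOST:PORT.
  # Plain http would carry the API key and data keys in the clear.
  if [ -z "$endpoint" ]; then
    echo "MINIO_KMS_KES_ENDPOINT is not set"; errors=$((errors + 1))
  fi
  for ep in $(printf '%s' "$endpoint" | tr ',' ' '); do
    case $ep in
      https://?*:[0-9]*) ;;
      http://*) echo "endpoint $ep uses plain http, not https"; errors=$((errors + 1)) ;;
      *) echo "endpoint $ep is not of the form https://HOST:PORT"; errors=$((errors + 1)) ;;
    esac
  done

  # API key: must be the kes:v1: string printed by 'kes identity new', not the
  # identity hash (the hash belongs in the KES policy, not in this file).
  case $api_key in
    kes:v1:?*) ;;
    "") echo "MINIO_KMS_KES_API_KEY is not set"; errors=$((errors + 1)) ;;
    *) echo "MINIO_KMS_KES_API_KEY does not start with kes:v1:"; errors=$((errors + 1)) ;;
  esac

  # CA path: MinIO validates the KES server certificate against it, so the
  # file must exist and be readable by the user running minio.
  if [ -n "$capath" ] && [ ! -r "$capath" ]; then
    echo "MINIO_KMS_KES_CAPATH $capath is missing or unreadable"; errors=$((errors + 1))
  fi

  # Key name: without it MinIO has no default key for the backend or SSE-S3.
  if [ -z "$key_name" ]; then
    echo "MINIO_KMS_KES_KEY_NAME is not set"; errors=$((errors + 1))
  fi
  return "$errors"
}

# write_sample_env FILE ENDPOINT APIKEY CAPATH KEYNAME: constructed env file
# in the /etc/default/minio layout (one unrelated variable kept on purpose).
write_sample_env() {
  printf 'MINIO_VOLUMES="/mnt/disk{1...4}/minio"\n' > "$1"
  printf 'MINIO_KMS_KES_ENDPOINT=%s\n' "$2" >> "$1"
  printf 'MINIO_KMS_KES_API_KEY="%s"\n' "$3" >> "$1"
  printf 'MINIO_KMS_KES_CAPATH=%s\n' "$4" >> "$1"
  printf 'MINIO_KMS_KES_KEY_NAME=%s\n' "$5" >> "$1"
}

# demo: one good file and one with four problems; returns the bad file's count.
demo() {
  dir=$(mktemp -d)
  touch "$dir/kes-server.cert"   # stands in for the KES CA certificate
  write_sample_env "$dir/good.env" \
    "https://kes1.example.internal:7373,https://kes2.example.internal:7373" \
    "kes:v1:PLACEHOLDER" "$dir/kes-server.cert" minio-backend-default-key
  write_sample_env "$dir/bad.env" "http://kes1.example.internal:7373" \
    "PLACEHOLDER-IDENTITY-HASH" "$dir/missing.cert" ""
  check_kes_env "$dir/good.env" && echo "good.env: ok"
  check_kes_env "$dir/bad.env"
}
```

    A zero exit status only means the file is internally consistent. It does not prove that the hosts in MINIO_KMS_KES_ENDPOINT are reachable from every MinIO host, that the certificate at MINIO_KMS_KES_CAPATH is the one the KES server actually presents, or that the key named by MINIO_KMS_KES_KEY_NAME exists on the KMS; those are confirmed only when the deployment restarts and starts serving requests.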

  3. Start MinIO AIStor

    You can use the mc admin service restart command to restart MinIO AIStor:

    mc admin service restart ALIAS
    
  4. Generate a New Encryption Key

    MinIO AIStor requires that the key exist on the KMS before performing operations with the key.

    Run kes key create or mc admin kms key create to add a new key.

    The following command runs mc admin kms key create to add a new External Key (EK) stored on the KMS server for use with encrypting the MinIO AIStor backend. KEYNAME must match the value of MINIO_KMS_KES_KEY_NAME in the environment file, since that is the key MinIO AIStor uses for the backend and for default SSE operations.

    mc admin kms key create ALIAS KEYNAME
    
    
  5. Enable SSE-KMS for a Bucket

    You can use either the console or the AIStor Client CLI to enable bucket-default SSE-KMS with the generated key: