Server Side Encryption with KES

This page explains how to deploy AIStor with KES for Server Side Encryption. For instructions on running KES, see the KES docs.

Broadly, the required steps are:

1. Create a new external key (EK) for server-side encryption (SSE).

2. Create or modify an AIStor deployment to support SSE with KES.

3. Configure automatic bucket-default SSE.

• AIStor access with mc configured with an alias

• An existing KES installation connected to a supported KMS installation, both accessible from the local host. Refer to the installation instructions for your supported KMS target to deploy KES and connect it to a KMS solution:

• AWS Secrets Manager

• Azure KeyVault

• Entrust KeyControl

• Fortanix SDKMS

• Google Cloud Secret Manager

• HashiCorp Vault

• Thales CipherTrust Manager (formerly Gemalto KeySecure)

1. Generate a KES API key for AIStor

   Run the kes identity new command to generate a new API key:

   kes identity new
   

   The output includes both the API key for AIStor and the identity hash for the KES Policy configuration.

2. Edit the AIStor environment file

   Create or modify the environment file for all hosts in the target deployment to include the following environment variables:

   # Add these environment variables to the existing environment file
   
   MINIO_KMS_KES_ENDPOINT=https://HOSTNAME:7373
   MINIO_KMS_KES_API_KEY="kes:v1:ACTpAsNoaGf2Ow9o5gU8OmcaG6Af/VcZ1Mt7ysuKoBjv"
   
   # Allows validation of the KES Server Certificate (Self-Signed or Third-Party CA)
   # Change this path to the location of the KES CA Path
   MINIO_KMS_KES_CAPATH=/opt/kes/certs/kes-server.cert
   
   # Sets the default KMS key for the backend and SSE-KMS/SSE-S3 Operations)
   MINIO_KMS_KES_KEY_NAME=minio-backend-default-key
   

   Replace HOSTNAME with the IP address or hostname of the KES server. If the AIStor host machines cannot resolve or reach the specified HOSTNAME, the deployment may return errors or fail to start.

   • If using a single KES server host, specify the IP or hostname of the host
   • If using multiple KES server hosts, specify a comma-separated list of IPs or hostnames of each host

   AIStor uses the MINIO_KMS_KES_KEY_NAME key for the following cryptographic operations:

   • Encrypting the AIStor backend (IAM, configuration, etc.)

   • Encrypting objects using SSE-KMS if the request does not include a specific key.

   • Encrypting objects using SSE-S3.

   AIStor defaults to expecting this file at /etc/default/minio. If you modified your deployment to use a different location for the environment file, modify the file at that location.

3. Start AIStor

   You can use the mc admin service restart command to restart AIStor:

   mc admin service restart ALIAS
   

4. Generate a New Encryption Key

   AIStor requires that the key exist on the KMS before performing operations with the key.

   Run kes key create or mc admin kms key create to add a new key.

   The following command runs mc admin kms key create to add a new External Key (EK) stored on the KMS server for use with encrypting the AIStor backend.

   mc admin kms key create ALIAS KEYNAME
   

5. Enable SSE-KMS for a Bucket

   You can use either the console or the AIStor Client CLI to enable bucket-default SSE-KMS with the generated key:

   AIStor console

   1. In the AIStor console, create a new bucket. Or, select an existing bucket.

   2. In the left-hand menu, select Encryption, provide the required information, and select Save.

   3. Add a file to the bucket, and confirm the associated encryption metadata.

   `mc`

   The following commands:

   • Create a new bucket for storing encrypted data
   • Enable SSE-KMS encryption on that bucket

   mc mb local/encryptedbucket
   mc encrypt set SSE-KMS encrypted-bucket-key ALIAS/encryptedbucket
   

   Write a file to the bucket with mc cp or any S3-compatible SDK with a PutObject function. You can then run mc stat on the file to confirm the associated encryption metadata.