AIStor Key Manager on Baremetal

This page explains how to enable Server-Side Encryption (SSE) with AIStor Key Manager as the Key Management Service (KMS).

Important

Enabling SSE on an AIStor deployment automatically encrypts the backend data for the deployment using the specified default encryption key.

AIStor requires access to the Key Manager to decrypt the backend and start normally. You cannot disable or reset encryption of the backend.

Prerequisites

  • mc installed with network access to the cluster

  • A configured alias for AIStor

  • A Key Manager deployment with a pre-configured identity for use with AIStor. See Key Manager Installation and Management.

How to do it

  1. Retrieve credentials for Key Manager

    AIStor Key Manager requires authorization for all access and operations. The Key Manager installation guide includes steps for generating an enclave and API Key for use by AIStor.

    The enclave should be unique to the object store and named to facilitate easy identification among other configured enclaves.

    The key resembles the following:

    k1:2COl4dS3G-cjHa3Q-9fUmOrq8yL0Q7a12HH_Yi0oiLw
    
  2. Modify the environment file at /etc/default/minio by adding the following environment key-value pairs. Modify the example values to match your deployment configuration.

    # AIStor Key Manager settings
    
    # Provide a comma-separated array of hostnames for the AIStor Key Manager.
    # If you use a dedicated load balancer or similar network control plane to manage connections
    # to the Key Manager, provide that hostname here instead.
    #
    # All AIStor nodes **must** have bidirectional access to the specified Key Manager hosts
    # to ensure normal cryptographic operations.
    
    MINIO_KMS_SERVER="https://kms-1.example.net,https://kms-2.example.net,https://kms-3.example.net"
    
    # Specify the name for the encryption key AIStor uses for backend and default bucket encryption.
    # Consider specifying a unique key name to facilitate easy identification among other stored keys.
    #
    # Do not modify the MINIO_KMS_SSE_KEY value after setup.
    # AIStor requires this key to start successfully.
    
    MINIO_KMS_SSE_KEY="object-store-primary-default-key"
    
    # Specify the Key Manager enclave to use
    
    MINIO_KMS_ENCLAVE="object-store-primary"
    
    # Specify the AIStor Key Manager API key to use for authenticating operations.
    # The API key must have permission to access and perform operations in the Key Manager enclave
    
    MINIO_KMS_API_KEY="k1:2COl4dS3G-cjHa3Q-9fUmOrq8yL0Q7a12HH_Yi0oiLw"
    
Important

You must modify all AIStor nodes to have matching environment files. Repeat this step for each AIStor node in the deployment.

  3. Restart the deployment and load the new settings with mc admin service restart.

    Alternatively, use an orchestration service, script, or other utility to perform the equivalent of systemctl restart minio on all nodes simultaneously.

    Run journalctl -u minio to monitor the restart progress and confirm that AIStor starts successfully. Because AIStor needs the Key Manager to decrypt its backend (see the note above), a node that cannot reach the configured hosts, or cannot authenticate to the enclave with the API key, does not start.

  4. You can now configure automatic SSE-KMS for all objects written to a given bucket.

    Run mc admin kms key create to create a new data encryption key for use with a bucket.

    You can then run mc encrypt set to configure bucket default encryption using SSE-KMS.

    The following example assumes an alias of primary associated to the AIStor.

    mc admin kms key create primary bucket-data-encryption-key
    
    mc mb primary/data
    
    mc encrypt set sse-kms bucket-data-encryption-key primary/data
    

    If you create an object in the bucket and run mc stat against the object, the output includes encryption information as part of the object metadata.

    Disabling, deleting, or otherwise removing access to that key in the Key Manager renders every object encrypted with it unreadable; the same applies to the MINIO_KMS_SSE_KEY that protects the backend.
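The procedure above hinges on two things that are easy to get wrong by hand: every Key Manager endpoint must be an https URL carrying a well-formed API key, and every node's /etc/default/minio must carry identical MINIO_KMS_* settings. The following script is an added example, not MinIO's own tooling, that checks both against constructed copies of the environment file. The file paths, the https-only rule, and the k1: prefix check are assumptions for the demonstration (the page shows keys in the k1: form; the https requirement is the practitioner's choice, since a plaintext endpoint would expose the API key and key material on the wire).

```shell
#!/bin/sh
# Added example, not part of the AIStor documentation or MinIO tooling.
# Validates the Key Manager settings in a /etc/default/minio style file and
# confirms that several nodes' copies carry the same MINIO_KMS_* lines.

# Validate one environment file. Prints each problem found and returns
# non-zero if there was at least one.
check_kms_env() {
    file="$1"
    errors=0

    # All four settings from the procedure must be present.
    for key in MINIO_KMS_SERVER MINIO_KMS_SSE_KEY MINIO_KMS_ENCLAVE MINIO_KMS_API_KEY; do
        if ! grep -q "^${key}=" "$file"; then
            echo "$file: missing $key"
            errors=$((errors + 1))
        fi
    done

    # Assumed rule: every Key Manager endpoint must be https.
    servers=$(sed -n 's/^MINIO_KMS_SERVER="\(.*\)"$/\1/p' "$file")
    old_ifs=$IFS
    IFS=','
    for s in $servers; do
        case "$s" in
            https://*) ;;
            *) echo "$file: non-https Key Manager endpoint: $s"
               errors=$((errors + 1)) ;;
        esac
    done
    IFS=$old_ifs

    # Key Manager API keys on the page have the form k1:<key material>.
    api_key=$(sed -n 's/^MINIO_KMS_API_KEY="\(.*\)"$/\1/p' "$file")
    case "$api_key" in
        k1:*) ;;
        *) echo "$file: MINIO_KMS_API_KEY does not look like a Key Manager API key"
           errors=$((errors + 1)) ;;
    esac

    [ "$errors" -eq 0 ]
}

# Compare the MINIO_KMS_* lines of the first file against every other file.
# Returns 0 only if all copies match, which is what the "matching
# environment files" requirement demands before a cluster-wide restart.
kms_env_match() {
    ref=$(grep '^MINIO_KMS_' "$1" | sort)
    shift
    for f in "$@"; do
        other=$(grep '^MINIO_KMS_' "$f" | sort)
        if [ "$other" != "$ref" ]; then
            echo "$f: MINIO_KMS_ settings differ from the reference copy"
            return 1
        fi
    done
    return 0
}

# Constructed sample files standing in for /etc/default/minio on two nodes.
demo_dir=$(mktemp -d)
cat > "$demo_dir/node1.env" <<'EOF'
# AIStor Key Manager settings (constructed sample)
MINIO_KMS_SERVER="https://kms-1.example.net,https://kms-2.example.net,https://kms-3.example.net"
MINIO_KMS_SSE_KEY="object-store-primary-default-key"
MINIO_KMS_ENCLAVE="object-store-primary"
MINIO_KMS_API_KEY="k1:2COl4dS3G-cjHa3Q-9fUmOrq8yL0Q7a12HH_Yi0oiLw"
EOF
# A second node edited by hand: one endpoint is plain http and the enclave
# name differs, so this copy must fail both checks.
cat > "$demo_dir/node2.env" <<'EOF'
MINIO_KMS_SERVER="https://kms-1.example.net,http://kms-2.example.net"
MINIO_KMS_SSE_KEY="object-store-primary-default-key"
MINIO_KMS_ENCLAVE="object-store-secondary"
MINIO_KMS_API_KEY="k1:2COl4dS3G-cjHa3Q-9fUmOrq8yL0Q7a12HH_Yi0oiLw"
EOF

for f in "$demo_dir/node1.env" "$demo_dir/node2.env"; do
    if check_kms_env "$f"; then
        echo "$f: KMS settings OK"
    fi
done
if kms_env_match "$demo_dir/node1.env" "$demo_dir/node2.env"; then
    echo "all node copies match"
fi
```

Run the per-file check on each node (or on the copies you are about to push with your orchestration tool) and the match check across all of them before issuing mc admin service restart; a node whose copy diverges would otherwise come up against the wrong enclave or fail to start.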

All rights reserved 2024-Present, MinIO, Inc.