Server Side Encryption Settings

AIStor Server includes three groups of environment variables to manage how the server interacts with the AIStor Key Management Service (KMS), Key Encryption Service (KES), or static key files. You may only define one of the three sets; defining more than one group results in errors and the server failing to start.

Each configuration setting controls fundamental AIStor behavior and functionality. Test configuration changes in a lower environment, such as DEV or QA, before applying to production.

Define any one set of these environment variables in the host system prior to starting or restarting the AIStor process. Refer to your operating system’s documentation for how to define an environment variable.

MinIO Key Management Server (KMS)

Define the following variables to use MinIO KMS to manage keys.

MINIO_KMS_SERVER

The endpoint(s) for the AIStor Key Manager process to use for supporting SSE-S3 and AIStor Server backend encryption operations. Separate multiple endpoints with a comma (,).

MINIO_KMS_ENCLAVE

The AIStor Key Manager Enclave where the key and identity exist.

MINIO_KMS_SSE_KEY

The default key to use for SSE-S3 encryption when a call does not specify a key identity.

MINIO_KMS_API_KEY

The credential used to authenticate with the AIStor Key Manager service.

Key Encryption Service

Define the following variables to use the Key Encryption Service (KES) to connect to a supported 3rd party Key Management Service provider.

MINIO_KMS_KES_ENDPOINT

The endpoint(s) for the MinIO Key Encryption Service (KES) process to use for supporting SSE-S3 and MinIO backend encryption operations. Separate multiple KES endpoints with a comma (,).

MINIO_KMS_KES_KEY_NAME

The name of an external key on the Key Management system (KMS) configured on the KES server and used for performing en/decryption operations. AIStor uses this key for the following:

  • Encrypting backend data (IAM, server configuration).
  • The default encryption key for Server-Side Encryption with SSE-KMS.
  • The encryption key for Server-Side Encryption with SSE-S3.

Enabling KES on an AIStor deployment automatically encrypts the backend data for that deployment using the default encryption key.

MinIO requires access to KES and the external KMS to decrypt the backend and start normally. The KMS must maintain and provide access to the MINIO_KMS_KES_KEY_NAME. You cannot disable KES or “undo” this configuration later.

MINIO_KMS_KES_API_KEY

Preferred method for authenticating with the encryption service using the KES API key obtained from the kes identity new command.

This environment variable is mutually exclusive with the MINIO_KMS_KES_KEY_FILE and MINIO_KMS_KES_CERT_FILE environment variables.

MINIO_KMS_KES_KEY_FILE

The private key associated with the MINIO_KMS_KES_CERT_FILE x.509 certificate to use when authenticating to the KES server. The KES server requires clients to present their certificate for performing mutual TLS (mTLS).

See the KES wiki for more complete documentation on KES access control.

You must also set the MINIO_KMS_KES_CERT_FILE. This variable is mutually exclusive with MINIO_KMS_KES_API_KEY.

MINIO_KMS_KES_CERT_FILE

The x.509 certificate to present to the KES server. The KES server requires clients to present their certificate for performing mutual TLS (mTLS).

The KES server computes an identity from the certificate and compares it to its configured policies. The KES server grants the minio server access to only those operations explicitly granted by the policy.

See the KES wiki for more complete documentation on KES access control.

You must also set the MINIO_KMS_KES_KEY_FILE. This variable is mutually exclusive with MINIO_KMS_KES_API_KEY.

MINIO_KMS_KES_CAPATH

Optional

Allows validation of the KES server certificate when it is issued by a self-signed or third-party certificate authority. Specify the path to the location of the CA certificate for your KES deployment.

This variable is not required if you use a public certificate authority.

MINIO_KMS_KES_KEY_PASSWORD

Optional

The password used to encrypt and decrypt the TLS private key, if used.

MINIO_KMS_AUTO_ENCRYPTION

Optional

If a KMS is configured, AIStor Server automatically encrypts all objects. Set this environment variable to off to disable automatic encryption.

If set to off, you must manually enable encryption on a per-bucket basis.

Previously, you had to explicitly enable the auto encryption of all objects by setting this value to on.

Static Key Files

Provide a static KMS key or key file to use for encryption.

MINIO_KMS_SECRET_KEY

The base64 form of the static KMS key in the form <key-name>:<base64-32byte-key>. Implements a subset of KMS APIs.

MINIO_KMS_SECRET_KEY_FILE

Path to the file to read the static KMS key from.
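The following preflight script is an added example (not part of the AIStor documentation or product) that checks the rules stated above before a restart: that only one of the three variable groups is defined, that the KES group uses either MINIO_KMS_KES_API_KEY or the key-file/cert-file pair but not both, and that MINIO_KMS_SECRET_KEY has the form <key-name>:<base64-32byte-key>. It assumes GNU base64 and treats a deployment with no KMS group at all as acceptable (the page does not say a KMS is mandatory).

```shell
#!/bin/sh
# Added example: preflight checks for the AIStor KMS environment groups.
# Assumes GNU coreutils (base64 -d). Not AIStor's own code.

# Count how many of the three groups (AIStor KMS, KES, static key) are set.
kms_group_count() {
  n=0
  [ -n "${MINIO_KMS_SERVER:-}" ] && n=$((n + 1))
  [ -n "${MINIO_KMS_KES_ENDPOINT:-}" ] && n=$((n + 1))
  [ -n "${MINIO_KMS_SECRET_KEY:-}${MINIO_KMS_SECRET_KEY_FILE:-}" ] && n=$((n + 1))
  echo "$n"
}

# KES auth: API key XOR (key file AND cert file), as the page requires.
kes_auth_ok() {
  if [ -n "${MINIO_KMS_KES_API_KEY:-}" ]; then
    [ -z "${MINIO_KMS_KES_KEY_FILE:-}" ] && [ -z "${MINIO_KMS_KES_CERT_FILE:-}" ]
  else
    [ -n "${MINIO_KMS_KES_KEY_FILE:-}" ] && [ -n "${MINIO_KMS_KES_CERT_FILE:-}" ]
  fi
}

# Static key: "<key-name>:<base64>" where the base64 decodes to exactly 32 bytes.
static_key_ok() {
  value="$1"
  name="${value%%:*}"
  b64="${value#*:}"
  [ -n "$name" ] && [ "$name" != "$value" ] || return 1
  nbytes=$(printf '%s' "$b64" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
  [ "${nbytes:-0}" -eq 32 ]
}

# Generate a fresh static key value for a given key name (hypothetical helper).
gen_static_key() {
  printf '%s:%s' "$1" "$(head -c 32 /dev/urandom | base64 | tr -d '\n')"
}

# Overall verdict: 0 if the environment is consistent, 1 otherwise.
kms_preflight() {
  case "$(kms_group_count)" in
    0) echo "no KMS group configured; assuming the server runs without a KMS"; return 0 ;;
    1) ;;
    *) echo "more than one KMS group defined; AIStor will fail to start" >&2; return 1 ;;
  esac
  if [ -n "${MINIO_KMS_KES_ENDPOINT:-}" ]; then
    kes_auth_ok || { echo "KES: set MINIO_KMS_KES_API_KEY or both KEY_FILE and CERT_FILE" >&2; return 1; }
  fi
  if [ -n "${MINIO_KMS_SECRET_KEY:-}" ]; then
    static_key_ok "$MINIO_KMS_SECRET_KEY" || { echo "MINIO_KMS_SECRET_KEY must be <key-name>:<base64-32byte-key>" >&2; return 1; }
  fi
  return 0
}
```

Run it in the same shell session where the MINIO_KMS_* variables are exported, before restarting the AIStor process.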

Key replication

MINIO_KMS_REPLICATE_KEYID

Set to false to prevent key IDs from replicating as part of the object’s metadata when bucket or site replication is enabled. When an object has no key ID, AIStor Server uses the site or bucket’s configuration.

If different sites use separate KMS clusters with distinct keys, set this environment variable to false.

By default, the key ID replicates with the object.

All rights reserved 2024-Present, MinIO, Inc.