Enclave Management
MinIO Key Management Service (KMS) uses an enclave-based architecture to manage cryptographic keys. Each enclave isolates a group of cryptographic keys and related resources stored in MinIO KMS, such as all of the keys for a specific AIStor object store cluster. You can create multiple enclaves within a single KMS deployment to separate keys for different object stores, applications, or teams.
MinIO KMS also scopes authentication and access control to enclaves: every non-root identity exists and acts within a single enclave.
You can create either admin identities, with full access to all key and identity operations, or user identities, whose access is limited by policy.
Both identity types can only perform operations within their own enclave.
The following diagram provides a visual overview of how MinIO KMS separates enclaves and their respective resources:
All keys and identities are scoped to a specific enclave. An identity authenticating against one enclave cannot access keys or perform any other operation within a different enclave. MinIO KMS does not share keys or identities between enclaves; if the same key is needed in more than one enclave, add it to each enclave separately.
Only the root user can perform enclave operations, such as creating or deleting enclaves.
Create a new enclave
Use the minkms add-enclave command to create a new enclave.
The following example derives the enclave name from an AIStor object store named 'primary':
minkms add-enclave aistor-object-store-primary --api-key k1:<ROOT-API-KEY>
Specify the k1:<ROOT-API-KEY> secret key of the root identity. Only the root identity can create enclaves.
When performing cryptographic key operations, you must specify the enclave to use.
For example, the following command adds a new customer managed key (CMK) to the aistor-object-store-primary enclave:
minkms add-key data-bucket-encryption-key --enclave aistor-object-store-primary --api-key k1:<ADMIN-API-KEY>
The --api-key option specifies the API key of an identity that has write access to the specified enclave, such as an admin identity created using the minkms add-identity command.
Delete an enclave
Use the minkms rm-enclave command to delete an existing enclave:
minkms rm-enclave aistor-object-store-primary --api-key k1:<ROOT-API-KEY>
Specify the k1:<ROOT-API-KEY> secret key of the root identity. Only the root identity can perform operations that manage an enclave, such as creation or deletion.
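The create and delete procedures above, together with the add-key step, form one enclave lifecycle. The following wrapper script is an added example and is not part of MinIO's own tooling: it enforces the split the page describes, using the root API key only for add-enclave and rm-enclave and a separate admin API key, scoped to the enclave, for add-key. Everything beyond the minkms commands shown on this page is this script's own convention: the ROOT_API_KEY and ADMIN_API_KEY environment variables, the DRY_RUN=1 mode that prints each command with the secret redacted instead of executing it, and the enclave-name pattern check. Because identities live inside an enclave, the admin identity for a new enclave can only be created (with minkms add-identity, whose options the page does not show) after the enclave exists, so the script keeps enclave creation and the first add-key as separate commands.

```shell
#!/bin/sh
# Added example, not MinIO's code. Wraps the minkms enclave lifecycle so that
# the root key is used only for enclave operations and an enclave-scoped admin
# key for key operations. Assumptions (not from the page): ROOT_API_KEY and
# ADMIN_API_KEY come from the environment; DRY_RUN=1 prints instead of runs.

# Execute a command, or in DRY_RUN mode print it with API keys redacted so
# secrets never end up in a terminal log.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        line=""
        for arg in "$@"; do
            case "$arg" in
                k1:*) arg="k1:[redacted]" ;;
            esac
            line="$line$arg "
        done
        printf '%s\n' "${line% }"
    else
        "$@"
    fi
}

# Conservative name check: lowercase letters, digits and interior hyphens.
# This is the script's convention, not a documented minkms restriction.
valid_enclave_name() {
    case "$1" in
        ''|*[!a-z0-9-]*|-*|*-) return 1 ;;
        *) return 0 ;;
    esac
}

# API keys on this page carry the k1: prefix; reject anything else up front.
valid_api_key() {
    case "$1" in
        k1:?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Naming scheme used on this page: object store "primary" ->
# enclave "aistor-object-store-primary".
enclave_for_store() {
    printf 'aistor-object-store-%s\n' "$1"
}

# Create the enclave. Root key only; no admin identity exists yet.
provision_enclave() {
    enclave=$(enclave_for_store "$1")
    valid_enclave_name "$enclave" || { echo "bad enclave name: $enclave" >&2; return 1; }
    valid_api_key "${ROOT_API_KEY:-}" || { echo "ROOT_API_KEY must start with k1:" >&2; return 1; }
    run minkms add-enclave "$enclave" --api-key "$ROOT_API_KEY"
}

# Add a customer managed key inside the enclave using the enclave's admin
# identity (created separately with minkms add-identity), not the root key.
add_cmk() {
    enclave=$(enclave_for_store "$1")
    key_name="$2"
    valid_enclave_name "$enclave" || { echo "bad enclave name: $enclave" >&2; return 1; }
    [ -n "$key_name" ] || { echo "key name required" >&2; return 1; }
    valid_api_key "${ADMIN_API_KEY:-}" || { echo "ADMIN_API_KEY must start with k1:" >&2; return 1; }
    run minkms add-key "$key_name" --enclave "$enclave" --api-key "$ADMIN_API_KEY"
}

# Delete the enclave. Root key only, as with creation.
decommission_enclave() {
    enclave=$(enclave_for_store "$1")
    valid_enclave_name "$enclave" || { echo "bad enclave name: $enclave" >&2; return 1; }
    valid_api_key "${ROOT_API_KEY:-}" || { echo "ROOT_API_KEY must start with k1:" >&2; return 1; }
    run minkms rm-enclave "$enclave" --api-key "$ROOT_API_KEY"
}

# Entry point, e.g.:
#   DRY_RUN=1 ROOT_API_KEY=k1:... ./enclave.sh provision primary
#   ADMIN_API_KEY=k1:... ./enclave.sh add-cmk primary data-bucket-encryption-key
case "${1:-}" in
    provision)    provision_enclave "${2:-}" ;;
    add-cmk)      add_cmk "${2:-}" "${3:-}" ;;
    decommission) decommission_enclave "${2:-}" ;;
    '')           ;;  # no arguments: only define the functions
    *)            echo "usage: $0 provision|add-cmk|decommission <store> [key-name]" >&2; exit 2 ;;
esac
```

Run the script once with DRY_RUN=1 to confirm the commands it will issue before pointing it at a live KMS. Note that the secret still appears in the process arguments of the minkms command itself when the commands execute for real; the redaction only covers what this wrapper prints.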