Installation

MinIO Key Management Service (KMS) supports installation on Linux and Kubernetes infrastructure.

Hardware and host configuration

The following table lists the minimum requirements for a MinIO KMS server.

Component  Minimum requirement
CPU        Single-socket server-grade CPU with support for the AES-NI instruction set
Memory     8 GiB available
Storage    10 GiB SSD or NVMe
Network    10 GbE low-latency interface

Security standards typically discourage storing encryption keys on the same hosts as the encrypted data. As such, consider deploying MinIO KMS onto physical or virtual hosts that are fully separated or independent from the AIStor Object Store clusters they support.

MinIO KMS Requires TLS Encryption

MinIO KMS requires TLS for all connections so that cryptographic material is protected in transit. For production environments, generate certificates signed by a trusted or managed Certificate Authority. If the CA is internal, private, or otherwise not included in a global trust list, the full chain of CA certificates must be available to every client so that it can validate the MinIO KMS server certificate.

In Linux deployments, defer to your organization’s procedures for minting TLS certificates.

In Kubernetes deployments, the KMS Operator can automatically provision certificates using the Kubernetes TLS API. Other applications within Kubernetes can connect and trust MinIO KMS through the Kubernetes cluster Certificate Authority.

The following table provides recommendations for the TLS keys used by MinIO KMS:

Setting               Recommendation
TLS version           1.3
TLS cipher suite      AES-128-GCM_SHA2-256 or CHACHA20-POLY1305_SHA2-256
X.509 public key      ECDSA P-256 or Ed25519
X.509 signature hash  SHA2-256

Supported TLS Ciphers

MinIO KMS supports the following TLS ciphers for TLS 1.3 and 1.2:

TLS 1.3 Ciphers

  • TLS_CHACHA20_POLY1305_SHA256
  • TLS_AES_128_GCM_SHA256
  • TLS_AES_256_GCM_SHA384

Running in FIPS mode enables only the AES ciphers.

TLS 1.2 Ciphers

  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
  • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

Running in FIPS mode enables only the AES ciphers.

Supported X.509 certificate public keys

MinIO KMS supports the following public key algorithms for X.509 certificates:

  • RSA-2048 up to RSA-4096, OAEP and PSS
  • ECDSA with P-256, P-384 and P-521
  • EdDSA/Ed25519

Supported X.509 signature hash functions

MinIO KMS supports the following signature hash functions:

  • SHA2-256
  • SHA2-384
  • SHA2-512