The following command sets the default SSE-KMS encryption key for the bucket mydata on the myminio MinIO deployment:
mc encrypt set sse-kms "minio-encryption-key" myminio/mydata
The command has the following syntax:
mc [GLOBALFLAGS] encrypt set ENCRYPTION [KMSKEY] ALIAS
Brackets [] indicate optional parameters.
Parameters sharing a line are mutually dependent.
Parameters separated using the pipe | operator are mutually exclusive.
Copy the example to a text editor and modify as needed before running the command in the terminal/shell.
Specify the server-side encryption type to use as the default SSE mode. Supports the following values:
sse-kms - Encrypt objects using the key specified in KMSKEY. MinIO must have access to the specified key on the external KMS to successfully encrypt or decrypt objects protected using SSE-KMS.
sse-s3 - Encrypt objects using the key specified to MINIO_KMS_KES_KEY_NAME. MinIO must have access to the specified key on the external KMS to successfully encrypt or decrypt objects protected using SSE-S3.
Specify the KMS Master Key to use for performing SSE object encryption. This option only applies if
Omit this option to direct MinIO to use the
The full path to the bucket on which to set the default SSE mode. Specify the alias of the MinIO deployment as the prefix to the TARGET path. For example:
mc encrypt set ENCRYPTION [KMSKEY] play/mybucket
The path to a JSON formatted configuration file that mc uses for storing data. See Configuration File for more information on how mc uses the configuration file.
Enables JSON lines formatted output to the console.
mc --json COMMAND
Disables TLS/SSL certificate verification. Allows TLS connectivity to servers with invalid certificates. Exercise caution when using this option against untrusted S3 hosts.
Displays the current version of
The following command assumes that:
The MinIO server configuration supports SSE-KMS
The root has an encryption key
mc encrypt set sse-kms minio-encryption-key myminio/data
mc encrypt set ENCRYPTION KMSKEY TARGET
on the preferred encryption mode.
KMSKEY with the name of the encryption key on the
configured root KMS. This argument has no effect with
TARGET with the alias of the
MinIO deployment on which to configure automatic server-side bucket
mc encrypt set makes no assumptions about the MinIO server’s current
encryption state. Specifying default encryption settings which the
server cannot support may result in undesired behavior.
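One way to guard against that, as an added example that is not part of the MinIO documentation: a shell wrapper that asks the server about the key with `mc admin kms key status` before calling `mc encrypt set`, then prints the result with `mc encrypt info`. The function name `safe_encrypt_set` and the `MC` override variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: guarded wrapper around `mc encrypt set`.
# MC can point at a different client binary (hypothetical override, used for testing).
MC="${MC:-mc}"

# safe_encrypt_set ENCRYPTION [KMSKEY] ALIAS/BUCKET   (hypothetical helper name)
safe_encrypt_set() {
    case $# in
        2) mode=$1 key="" target=$2 ;;
        3) mode=$1 key=$2 target=$3 ;;
        *) echo "usage: safe_encrypt_set ENCRYPTION [KMSKEY] ALIAS/BUCKET" >&2
           return 2 ;;
    esac

    # Accept only the two SSE modes the command documents.
    case $mode in
        sse-kms) check_key=$key ;;   # named key, or the server default if omitted
        sse-s3)  check_key="" ;;     # SSE-S3 uses the MINIO_KMS_KES_KEY_NAME key
        *) echo "unsupported ENCRYPTION value: $mode" >&2; return 2 ;;
    esac

    # TARGET must carry both the alias and the bucket name.
    alias_name=${target%%/*}
    bucket=${target#*/}
    if [ "$alias_name" = "$target" ] || [ -z "$alias_name" ] || [ -z "$bucket" ]; then
        echo "TARGET must be ALIAS/BUCKET, got: $target" >&2
        return 2
    fi

    # Ask the server whether it can use the key before touching the bucket.
    if ! "$MC" admin kms key status "$alias_name" ${check_key:+"$check_key"} >/dev/null; then
        echo "KMS key check failed on $alias_name; bucket default unchanged" >&2
        return 1
    fi

    "$MC" encrypt set "$mode" ${key:+"$key"} "$target" || return 1
    # Print the resulting default so the change is visible in the operator's log.
    "$MC" encrypt info "$target"
}
```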
Setting or modifying the default server-side encryption settings does not
automatically encrypt or decrypt the existing bucket contents. If the bucket
contents must have consistent encryption, use the
mc mv mc with the
--encrypt-key arguments to manually modify the
encryption settings or encrypted state of the bucket contents before
changing the bucket default.