Server-Side Object Encryption with AWS Secrets Manager Root KMS — MinIO Object Storage for Azure Kubernetes Service (2023)

Table of Contents

  • Prerequisites

  • Deploy MinIO Tenant with Server-Side Encryption using AWS SecretsManager

  • Configuration Reference for AWS Root KMS

MinIO Server-Side Encryption (SSE) protects objects as part of write operations, allowing clients to take advantage of server processing power to secure objects at the storage layer (encryption-at-rest).SSE also provides key functionality to regulatory and compliance requirements around secure locking and erasure.

MinIO SSE uses Key Encryption Service (KES) and an external root Key Management Service (KMS) for performing secured cryptographic operations at scale.The root KMS provides stateful and secured storage of External Keys (EK) while KES is stateless and derives additional cryptographic keys from the root-managed EK.

This procedure assumes you have access to a Kubernetes cluster with an active MinIO Operator installation, with a cluster-accessible AWS Secrets Manager service as the external root KMS.As part of this procedure, you will:

  1. Use the MinIO Operator Console to create or manage a MinIO Tenant.

  2. Access the Encryption settings for that tenant and configure SSE using AWS Secrets Manager as the root KMS.

  3. Create a new EK on Vault for use with SSE.

  4. Configure automatic bucket-default SSE-KMS.

For production baremetal environments, see the MinIO on Linux documentation for tutorials on configuring MinIO with KES and AWS Secrets Manager.

Important

Enabling SSE on a MinIO deployment automatically encrypts the backend data for that deployment using the default encryption key.

MinIO requires access to KES and the root KMS to decrypt the backend and start normally.You cannot disable KES later or “undo” the SSE configuration at a later point.

Prerequisites

MinIO Kubernetes Operator and Plugin

The procedures on this page requires a valid installation of the MinIO Kubernetes Operator and assumes the local host has a matching installation of the MinIO Kubernetes Operator.This procedure assumes the latest stable Operator and Plugin version 4.5.8.

See Deploy the MinIO Operator for complete documentation on deploying the MinIO Operator.

Ensure Access to the AWS Secrets Manager and Key Management Service

This procedure assumes access to and familiarity with AWS Secrets Manager and |rootkms-short|.

This procedure assumes your Kubernetes cluster configuration allows for cluster-internal pods and services to resolve and connect to endpoints outside of the cluster, such as the public internet.

MinIO specifically requires the following AWS settings or configurations:

  • A new AWS Programmatic Access user with corresponding access key and secret key.

  • A policy that grants the created user access to AWS Secrets Manager and AWS Secrets Manager.The following policy grants the minimum necessary permissions:

    { "Version": "2012-10-17", "Statement": [ { "Sid": "minioSecretsManagerAccess", "Action": [ "secretsmanager:CreateSecret", "secretsmanager:DeleteSecret", "secretsmanager:GetSecretValue", "secretsmanager:ListSecrets" ], "Effect": "Allow", "Resource": "*" }, { "Sid": "minioKmsAccess", "Action": [ "kms:Decrypt", "kms:DescribeKey", "kms:Encrypt" ], "Effect": "Allow", "Resource": "*" } ]}

    AWS provides the SecretsManagerReadWrite andAWSKeyManagementServicePowerUser canned roles that meet and exceed theminimum required permissions.

Deploy MinIO Tenant with Server-Side Encryption using AWS SecretsManager

1) Access the Operator Console

Use the kubectl minio proxy command to temporarily forward traffic between the local host machine and the MinIO Operator Console:

kubectl minio proxy

The command returns output similar to the following:

Starting port forward of the Console UI.To connect open a browser and go to http://localhost:9090Current JWT to login: TOKEN

Open your browser to the specified URL and enter the JWT Token into the login page.You should see the Tenants page:

Click the + Create Tenant to start creating a MinIO Tenant.

2) Complete the Encryption Section

To enable SSE with AWS Key Management Service during Tenant deployment, select the Encryption section and toggle the switch to Enabled.You can then change the Vault Radio button to AWS to display the configuration settings.

An asterisk * marks required fields.The following table provides general guidance for those fields:

Field

Description

Endpoint

Region

The hostname and AWS region for the AWS Secrets Manager instance (https://secretmanager.us-east-2.amazonaws.com and us-east-2) to use for SSE.

The MinIO Tenant KES pods must have network access to the specified endpoint.This procedure assumes that your Kubernetes network configuration supports routing internal traffic to external networks like the public internet.

Access Key

Secret Key

Token

Specify the AWS User Access Key and Secret Key MinIO should use when authenticating to the Vault service.Review the AWS Prerequisites for instructions on generating these values.

Once you have completed the AWS KMS configuration, you can finish any remaining sections of Tenant Deployment.

3) Generate a New Encryption Key

Unseal Vault Before Creating Key

You must unseal the backing Vault instance before creating new encryption keys.See the Vault documentation on Seal/Unseal for more information.

MinIO requires that the EK for a given bucket or object exist on the root KMS before performing SSE operations using that key.You can use the mc admin kms key create command against the MinIO Tenant.

You must ensure your local host can access the MinIO Tenant pods and services before using mc to manage the Tenant.You can manually port forward the minio service for temporary access via the local host.

Run this command in a separate Terminal or Shell:

# Replace '-n minio' with the namespace of the MinIO deployment# If you deployed the Tenant without TLS you may need to change the port range# You can validate the ports in use by running# kubectl get svc/minio -n miniokubectl port forward svc/minio 443:443 -n minio

The following commands in a new Terminal or Shell window:

  • Connect a local mc client to the Tenant.

  • Create the encryption key.

See Quickstart for instructions on installing mc on your local host.

# Replace USERNAME and PASSWORD with a user on the tenant with administrative permissions# such as the root usermc alias add k8s https://localhost:443 ROOTUSER ROOTPASSWORD# Replace my-new-key with the name of the key you want to use for SSE-KMSmc admin kms key create k8s encrypted-bucket-key

4) Enable SSE-KMS for a Bucket

You can use either the MinIO Tenant Console or the MinIO mc CLI to enable bucket-default SSE-KMS with the generated key:

You can manually port forward the MinIO Tenant Console service to your local host machine for simplified access:

# Replace 'minio-tenant' with the name of the MinIO Tenant# Replace '-n minio' with the namespace of the MinIO Tenantkubectl port-forward svc/minio-tenant-console 9443:9443 -n minio

Open the MinIO Console by navigating to http://127.0.0.1:9443 in your preferred browser and logging in with the root credentials for the deployment.

Once logged in, create a new Bucket and name it to your preference.Select the Gear icon to open the management view.

Select the pencil icon next to the Encryption field to open the modal for configuring a bucket default SSE scheme.

Select SSE-KMS, then enter the name of the key created in the previous step.

Once you save your changes, try to upload a file to the bucket.When viewing that file in the object browser, note that in the sidebar the metadata includes the SSE encryption scheme and information on the key used to encrypt that object.This indicates the successful encrypted state of the object.

You can manually port forward the minio service for temporary access via the local host.

Run this command in a separate Terminal or Shell:

# Replace '-n minio' with the namespace of the MinIO deployment# If you deployed the Tenant without TLS you may need to change the port range# You can validate the ports in use by running# kubectl get svc/minio -n miniokubectl port forward svc/minio 443:443 -n minio

The following commands in a new Terminal or Shell window:

  • Create a new alias for the MinIO deployment

  • Create a new bucket for storing encrypted data

  • Enable SSE-KMS encryption on that bucket

mc alias set k8s https://127.0.0.1:443 ROOTUSER ROOTPASSWORDmc mb k8s/encryptedbucketmc encrypt set SSE-KMS encrypted-bucket-key k8s/encryptedbucket

Write a file to the bucket using mc cp or any S3-compatible SDK with a PutObject function.You can then run mc stat on the file to confirm the associated encryption metadata.

Configuration Reference for AWS Root KMS

The following section describes each of the Key Encryption Service (KES) configuration settings forusing AWS Secrets Manager and AWS KMS as the root Key Management Service(KMS) for SSE:

The following YAML describes the minimum required fields for configuringAWS Secrets Manager as an external KMS for supporting SSE.

Any field with value ${VARIABLE} uses the environment variablewith matching name as the value. You can use this functionality to setcredentials without writing them to the configuration file.

address: 0.0.0.0:7373root: ${ROOT_IDENTITY}tls: key: kes-server.key cert: kes-server.certpolicy: minio-server: allow: - /v1/key/create/* - /v1/key/generate/* - /v1/key/decrypt/* identities: - ${MINIO_IDENTITY}keys: - name: "minio-encryption-key-alpha" - name: "minio-encryption-key-baker" - name: "minio-encryption-key-charlie"keystore: secretsmanager: endpoint: secretsmanager.REGION.amazonaws region: REGION kmskey: "" credentials: accesskey: "${AWS_ACCESS_KEY}" secretkey: "${AWS_SECRET_KEY}"

Key

Description

address

The network address and port the KES server listens to on startup.Defaults to port 7373 on all host network interfaces.

root

The identity for the KES superuser (root) identity.Clients connecting with a TLS certificate whose hash (kes identity of client.cert) matches this value have access to all KES API operations.

Specify disabled to remove the root identity and rely only on the policy configuration for controlling identity and access management to KES.

tls

The TLS private key and certificate used by KES for establishing TLS-secured communications.Specify the full path for both the private .key and public .cert to the key and cert fields, respectively.

policy

Specify one or more policies to control access to the KES server.

MinIO SSE requires access to the following KES cryptographic APIs:

  • /v1/key/create/*

  • /v1/key/generate/*

  • /v1/key/decrypt/*

Specifying additional keys does not expand MinIO SSE functionality and may violate security best practices around providing unnecessary client access to cryptographic key operations.

You can restrict the range of key names MinIO can create as part of performingSSE by specifying a prefix before the *. For example,minio-sse-* only grants access to create, generate, or decrypt keys usingthe minio-sse- prefix.

KES uses mTLS to authorize connecting clients by comparing thehash of the TLS certificate against the identities of each configuredpolicy. Use the kes identity of command to compute the identity of theMinIO mTLS certificate and add it to the policy.<NAME>.identities arrayto associate MinIO to the <NAME> policy.

keys

Specify an array of keys which must exist on the root KMS for KES tosuccessfully start. KES attempts to create the keys if they do not exist andexits with an error if it fails to create any key. KES does not accept anyclient requests until it completes validation of all specified keys.

keystore.aws.secretsmanager

The configuration for the AWS Secrets Manager and AWS KMS.

  • endpoint - The endpoint for the Secrets Manager service,including the region.

  • approle - The AWS region to use for other AWS services.

  • kmskey - The root KMS Key to use for cryptographicoperations. Formerly known as the Customer Master Key.

  • credentials - The AWS Credentials to use for performingauthenticated operations against Secrets Manager and KMS.

    The specified credentials must have the appropriatepermissions

This work is licensed under a Creative Commons Attribution 4.0 International License. 2020-Present, MinIO, Inc. Server-Side Object Encryption with AWS Secrets Manager Root KMS — MinIO Object Storage for Azure Kubernetes Service (3)

Top Articles
Latest Posts
Article information

Author: Kimberely Baumbach CPA

Last Updated: 01/21/2023

Views: 5471

Rating: 4 / 5 (61 voted)

Reviews: 84% of readers found this page helpful

Author information

Name: Kimberely Baumbach CPA

Birthday: 1996-01-14

Address: 8381 Boyce Course, Imeldachester, ND 74681

Phone: +3571286597580

Job: Product Banking Analyst

Hobby: Cosplaying, Inline skating, Amateur radio, Baton twirling, Mountaineering, Flying, Archery

Introduction: My name is Kimberely Baumbach CPA, I am a gorgeous, bright, charming, encouraging, zealous, lively, good person who loves writing and wants to share my knowledge and understanding with you.