A similar program written in go is available here: Minio Go Client

Minio SSE (Server Side Encryption)

MinIO SSE uses Key Encryption Service (KES) to secure objects at the storage layer.

We can test this using the KMS server at play.min.io

Download the root.key and root.cert fom the play.min.io server:

Code Block

language	text
title	curl

curl -sSL --tlsv1.2  -O 'https://raw.githubusercontent.com/minio/kes/master/root.key'  -O 'https://raw.githubusercontent.com/minio/kes/master/root.cert'

Use these to create a secret, mount the secret in the pod, then setup some environment variables to enable SSE.

Code Block

language	yml
title	Minio SSE

apiVersion: v1
kind: Secret
metadata:
  name: kms-ssl
  namespace: default
type: kubernetes.io/tls
data:
  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJLRENCMjZBREFnRUNBaEI2dmViR01VZktubUJLeXFvQXBSU09NQVVHQXl0bGNEQWJNUmt3RndZRFZRUUQKREJCeWIyOTBRSEJzWVhrdWJXbHVMbWx2TUI0WERUSXdNRFF6TURFMU1qSXlOVm9YRFRJMU1EUXlPVEUxTWpJeQpOVm93R3pFWk1CY0dBMVVFQXd3UWNtOXZkRUJ3YkdGNUxtMXBiaTVwYnpBcU1BVUdBeXRsY0FNaEFMem43MzVXCmZtU0gvZ2hLcys0aVBXemlaTW1XZGlXci9zcXZxZVcrV3dTeG96VXdNekFPQmdOVkhROEJBZjhFQkFNQ0I0QXcKRXdZRFZSMGxCQXd3Q2dZSUt3WUJCUVVIQXdJd0RBWURWUjBUQVFIL0JBSXdBREFGQmdNclpYQURRUURaT3JHSwpiMkFUa0RsdTJwVGNQM0x5aFNCRHBZaDdWNFR2alJrQlRSZ2prYWNDendGTG0rbWgrN1VTOFY0ZEJwSURzSjR1CnVXb0YweTZ2YkxWR0lsa0cKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1DNENBUUF3QlFZREsyVndCQ0lFSUQ5RTdGU1lXck1EK1ZqaEk2cTU0NWNZVDlZT3lGeFpiN1VuakVlcFlEUmMKLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQo=
---
        env:
        - name: MINIO_KMS_KES_ENDPOINT
          value: https://play.min.io:7373
        - name: MINIO_KMS_KES_CERT_FILE
          value: /etc/kms/ssl/tls.crt
        - name: MINIO_KMS_KES_KEY_FILE
          value: /etc/kms/ssl/tls.key
        - name: MINIO_KMS_KES_KEY_NAME
          value: my-first-key
        volumeMounts:
        - mountPath: "/etc/kms/ssl"
          name: kms-ssl
          readOnly: true
      volumes:      
      - name: kms-ssl
        secret:
          secretName: kms-ssl

Check the encryption has been enabled by running the following command:

Code Block

language	text
title	Key Status

mc admin kms key status <minio alias>
Key: my-first-key
   - Encryption ✔
   - Decryption ✔

Create a bucket on your minio server and upload a file to it: mc cp test.txt myminio/encrypt

Run the following command to check the file has been encrypted:

Code Block

language	text
title	mc statt

mc stat myminio/encrypt/test.txt
Name      : test.txt
Date      : 2023-04-11 15:24:48 IST
Size      : 13 B
ETag      : 8c3be95b9d3517d5b9e5d699f2692437
Type      : file
Metadata  :
  Content-Type: text/plain
Encrypted :
  X-Amz-Server-Side-Encryption-Aws-Kms-Key-Id: arn:aws:kms:my-first-key
  X-Amz-Server-Side-Encryption               : aws:kms

Links

Configure MinIO for Authentication using OpenID

...

Python Client API Reference

Python Keycloak

Server-Side Object Encryption with Hashicorp Vault Root KMS

How to Secure MinIO - Part 1

...

Version	Old Version 6	New Version 7
Changes made by	Kevin Timoney	Kevin Timoney
Saved on	Apr 11, 2023	Apr 11, 2023

Page Comparison

Versions Compared

Key

Minio SSE (Server Side Encryption)

Links