...
A similar program written in Go is available here: Minio Go Client
...
Keycloak over SSL
If you are using Keycloak over SSL, you'll need to copy the CA certificate for Keycloak into the /root/.minio/certs/CAs directory.
This is required so MinIO can reach the Keycloak endpoints over HTTPS.
You can create a secret to store the CA certificate and then mount it in the /root/.minio/certs/CAs directory:
```shell
kubectl create secret generic keycloak-ca-secret --from-file=keycloak-ca.crt=rootCA.crt
```
Minio SSE (Server Side Encryption)
MinIO SSE uses Key Encryption Service (KES) to secure objects at the storage layer.
We can test this using the KMS server at play.min.io
Download the root.key and root.cert from the play.min.io server:
```shell
curl -sSL --tlsv1.2 -O 'https://raw.githubusercontent.com/minio/kes/master/root.key' -O 'https://raw.githubusercontent.com/minio/kes/master/root.cert'
```
Use these to create a secret, mount the secret in the pod, then set up some environment variables to enable SSE.
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: kms-ssl
  namespace: default
type: kubernetes.io/tls
data:
  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJLRENCMjZBREFnRUNBaEI2dmViR01VZktubUJLeXFvQXBSU09NQVVHQXl0bGNEQWJNUmt3RndZRFZRUUQKREJCeWIyOTBRSEJzWVhrdWJXbHVMbWx2TUI0WERUSXdNRFF6TURFMU1qSXlOVm9YRFRJMU1EUXlPVEUxTWpJeQpOVm93R3pFWk1CY0dBMVVFQXd3UWNtOXZkRUJ3YkdGNUxtMXBiaTVwYnpBcU1BVUdBeXRsY0FNaEFMem43MzVXCmZtU0gvZ2hLcys0aVBXemlaTW1XZGlXci9zcXZxZVcrV3dTeG96VXdNekFPQmdOVkhROEJBZjhFQkFNQ0I0QXcKRXdZRFZSMGxCQXd3Q2dZSUt3WUJCUVVIQXdJd0RBWURWUjBUQVFIL0JBSXdBREFGQmdNclpYQURRUURaT3JHSwpiMkFUa0RsdTJwVGNQM0x5aFNCRHBZaDdWNFR2alJrQlRSZ2prYWNDendGTG0rbWgrN1VTOFY0ZEJwSURzSjR1CnVXb0YweTZ2YkxWR0lsa0cKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1DNENBUUF3QlFZREsyVndCQ0lFSUQ5RTdGU1lXck1EK1ZqaEk2cTU0NWNZVDlZT3lGeFpiN1VuakVlcFlEUmMKLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQo=
---
env:
  - name: MINIO_KMS_KES_ENDPOINT
    value: https://play.min.io:7373
  - name: MINIO_KMS_KES_CERT_FILE
    value: /etc/kms/ssl/tls.crt
  - name: MINIO_KMS_KES_KEY_FILE
    value: /etc/kms/ssl/tls.key
  - name: MINIO_KMS_KES_KEY_NAME
    value: my-first-key
volumeMounts:
  - mountPath: "/etc/kms/ssl"
    name: kms-ssl
    readOnly: true
volumes:
  - name: kms-ssl
    secret:
      secretName: kms-ssl
```
Check the encryption has been enabled by running the following command:
```shell
mc admin kms key status <minio alias>
Key: my-first-key
- Encryption ✔
- Decryption ✔
```
Create a bucket on your minio server and upload a file to it: mc cp test.txt myminio/encrypt
Run the following command to check the file has been encrypted:
```shell
mc stat myminio/encrypt/test.txt
Name      : test.txt
Date      : 2023-04-11 15:24:48 IST
Size      : 13 B
ETag      : 8c3be95b9d3517d5b9e5d699f2692437
Type      : file
Metadata  :
  Content-Type: text/plain
Encrypted :
  X-Amz-Server-Side-Encryption-Aws-Kms-Key-Id: arn:aws:kms:my-first-key
  X-Amz-Server-Side-Encryption : aws:kms
```
If you try to view the file on the hard drive you will see the following:
```shell
cat test.txt/xl.meta
[binary output omitted]
```
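A small check for the verification step above, added here as an example rather than code from the page or the MinIO project: it parses `mc stat` output and confirms an object is sealed with SSE-KMS under the expected KES key name, and wraps that in a bucket walk. It assumes `mc` is on PATH for the walk; the sample outputs are constructed.

```shell
#!/bin/sh
# Added example, not from the original page or the MinIO project: verify that
# objects carry SSE-KMS metadata bound to the expected KES key, parsing the
# `mc stat` output format shown above. Sample outputs are constructed.

EXPECTED_KEY="my-first-key"   # must match MINIO_KMS_KES_KEY_NAME

# stat_field HEADER STAT_OUTPUT -> value of HEADER ("Header : v" and "Header: v" both accepted).
stat_field() {
  printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1[[:space:]]*:[[:space:]]*//p" | head -n 1
}

# sse_check STAT_OUTPUT -> 0 if sealed with aws:kms under EXPECTED_KEY, 1 otherwise.
sse_check() {
  mode=$(stat_field 'X-Amz-Server-Side-Encryption' "$1")
  keyid=$(stat_field 'X-Amz-Server-Side-Encryption-Aws-Kms-Key-Id' "$1")
  [ "$mode" = "aws:kms" ] || return 1
  case "$keyid" in
    *":$EXPECTED_KEY") return 0 ;;
    *) return 1 ;;
  esac
}

# Walk a bucket and report objects that fail sse_check. Needs a configured mc alias,
# so it is defined but not invoked here; object names containing spaces are not handled.
sse_audit_bucket() {
  mc ls --recursive "$1" | awk '{print $NF}' | while read -r obj; do
    sse_check "$(mc stat "$1/$obj")" || echo "NOT SEALED WITH $EXPECTED_KEY: $1/$obj"
  done
}

# Constructed samples: the page's encrypted object, a plaintext object, and one sealed
# with a different KMS key.
ENCRYPTED_SAMPLE='Name      : test.txt
Type      : file
Metadata  :
  Content-Type: text/plain
Encrypted :
  X-Amz-Server-Side-Encryption-Aws-Kms-Key-Id: arn:aws:kms:my-first-key
  X-Amz-Server-Side-Encryption : aws:kms'
PLAIN_SAMPLE='Name      : notes.txt
Type      : file
Metadata  :
  Content-Type: text/plain'
OTHER_KEY_SAMPLE='Name      : other.txt
Encrypted :
  X-Amz-Server-Side-Encryption-Aws-Kms-Key-Id: arn:aws:kms:some-other-key
  X-Amz-Server-Side-Encryption : aws:kms'
```

Run `sse_audit_bucket myminio/encrypt` after uploading to list any object that is not sealed under the configured key.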
Links
Configure MinIO for Authentication using OpenID
...