b1845c6c83
This commit changes the data key generation such that if a MinIO server/nodes tries to generate a new DEK but the particular master key does not exist - then MinIO asks KES to create a new master key and then requests the DEK again. From now on, a SSE-S3 master key must not be created explicitly via: `kes key create <key-name>`. Instead, it is sufficient to just set the env. var. ``` export MINIO_KMS_KES_KEY_NAME=<key-name> ``` However, the MinIO identity (mTLS client certificate) must have the permission to access the `/v1/key/create/` API. Therefore, KES policy for MinIO must look similar to: ``` [ /v1/key/create/<key-name-pattern> /v1/key/generate/<key-name-pattern> /v1/key/decrypt/<key-name-pattern> ] ``` However, in our guides we already suggest that. See e.g.: https://github.com/minio/kes/wiki/MinIO-Object-Storage#kes-server-setup *** The ability to create master keys on request may also be necessary / useful in case of SSE-KMS. |
||
|---|---|---|
| .. | ||
| config.go | ||
| doc.go | ||
| error.go | ||
| header.go | ||
| header_test.go | ||
| help.go | ||
| kes.go | ||
| key.go | ||
| key_test.go | ||
| kms.go | ||
| kms_test.go | ||
| legacy.go | ||
| metadata.go | ||
| metadata_test.go | ||
| parse.go | ||
| parse_test.go | ||
| retry.go | ||
| sse.go | ||
| sse_test.go | ||
| vault.go | ||
| vault_test.go | ||