KMS Quickstart Guide
KMS feature allows you to use Vault to generate and manages keys which are used by the minio server to encrypt objects.This document explains how to configure Minio with Vault as KMS.
Install Minio - Minio Quickstart Guide.
2. Configure Vault
Vault as Key Management System requires following to be configured in Vault
- transit backend configured with a named encryption key-ring
- AppRole based authentication with read/update policy for transit backend. In particular, read and update policy are required for the generate data key endpoint and decrypt key endpoint.
You'll need the Vault endpoint, AppRole ID, AppRole SecretID, encryption key-ring name before starting Minio server with Vault as KMS
export MINIO_SSE_VAULT_APPROLE_ID=9b56cc08-8258-45d5-24a3-679876769126 export MINIO_SSE_VAULT_APPROLE_SECRET=4e30c52f-13e4-a6f5-0763-d50e8cb4321f export MINIO_SSE_VAULT_ENDPOINT=https://vault-endpoint-ip:8200 export MINIO_SSE_VAULT_KEY_NAME=my-minio-key minio server ~/export
4. Test your setup
To test this setup, access the Minio server via browser or
mc. You’ll see the uploaded files are accessible from the all the Minio endpoints.