This is the Kypello fork of MinIO KES, part of the Kypello ecosystem.
This repository is a community-maintained fork of MinIO KES under the AGPLv3 license. It is maintained by the Kypello project to provide key encryption services for Kypello Object Storage and other S3-compatible deployments.
Maintenance Policy: This fork receives bug fixes, security updates, and dependency updates only. New features are contributed upstream to MinIO KES when possible.
KES is a cloud-native distributed key management and encryption server designed to secure modern applications at scale.
Kypello KES is part of the Kypello project, a community-maintained fork of MinIO that preserves enterprise features like OIDC/SSO and the Admin UI under the AGPLv3 license. KES provides encryption key management for:
- Kypello Object Storage - S3-compatible object store (see kypello-io/kypello)
- Server-side encryption (SSE-S3, SSE-KMS)
- Client-side encryption
- Other applications requiring secure key management
KES (Key Encryption Service) is a distributed key management server that scales horizontally. It can be run either as an edge server close to the applications, reducing latency to and load on a central key management system (KMS), or as the central key management service itself. KES nodes are self-contained stateless instances that can be scaled up and down automatically.
The KES server and CLI are available as a single binary or container image, or can be built from source.
Homebrew
Note: A kypello-io Homebrew tap is not yet available. Use binary releases or build from source instead.
For development, you can install the upstream MinIO KES which is API-compatible:
brew install minio/stable/kes
Binary Releases
| OS | ARCH | Binary |
|---|---|---|
| linux | amd64 | linux-amd64 |
| linux | arm64 | linux-arm64 |
| darwin | arm64 | darwin-arm64 |
| windows | amd64 | windows-amd64 |
Download the binary with curl, replacing <OS> and <ARCH> with your operating system and CPU architecture.
curl -sSL --tlsv1.2 'https://github.com/kypello-io/kes/releases/latest/download/kes-<OS>-<ARCH>' -o ./kes
chmod +x ./kes
You can also verify the binary with minisign by downloading the corresponding .minisig signature file.
Run:
curl -sSL --tlsv1.2 'https://github.com/kypello-io/kes/releases/latest/download/kes-<OS>-<ARCH>.minisig' -o ./kes.minisig
minisign -Vm ./kes -P RWTx5Zr1tiHQLwG9keckT0c45M3AGeHD6IvimQHpyRywVWGbP1aVSGav
Note: If using minisign verification, the signing key may still be MinIO's key until Kypello establishes its own signing infrastructure.
Build from source
Download and install the binary via your Go toolchain:
go install github.com/kypello-io/kes/cmd/kes@latest
Get started by setting up your own KES server in less than five minutes. This guide uses a local development configuration.
First steps
For testing and development, start a KES server with in-memory storage:
kes server --dev
This starts KES at https://127.0.0.1:7373 with a self-signed certificate and prints the API key to the console.
In a new terminal, point the KES CLI to your local server:
export KES_SERVER=https://127.0.0.1:7373
export KES_API_KEY=<copy-from-server-output>
Create a new root encryption key - e.g. my-key:
kes key create my-key
Note: Creating a key will fail with "key already exists" if a key with that name already exists.
Derive a new data encryption key (DEK):
kes key dek my-key
The plaintext part of the DEK is used by applications to encrypt data. The ciphertext part is stored alongside the encrypted data for future decryption.
Production Setup: For production deployments, configure KES with a proper KMS backend (Vault, AWS KMS, etc.) instead of in-memory storage. See the integration guides for details.
Kypello KES maintains API compatibility with upstream MinIO KES. Most documentation applies directly to this fork.
- MinIO KES Documentation - Comprehensive KES documentation
- Integration Guides - Supported KMS backends
- Command Line - CLI reference
- Server API - HTTP API documentation
- Go SDK - Compatible Go client library
Note: This fork maintains compatibility with upstream MinIO KES. The upstream documentation applies directly. For Kypello-specific configurations or integration with Kypello Object Storage, see the examples in this repository.
KES servers provide an API endpoint /v1/metrics that observability tools like Prometheus can scrape.
Refer to the monitoring documentation for setup instructions.
For a graphical Grafana dashboard, refer to the example.
I have received an insufficient permissions error
This means that you are using a KES identity that is not allowed to perform a specific operation, like creating or listing keys.
The KES admin identity can perform any general purpose API operation. You should never experience a not authorized: insufficient permissions error when performing general purpose API operations using the admin identity.
In addition to the admin identity, KES supports a policy-based access control model.
You will receive a not authorized: insufficient permissions error in the following two cases:
- You are using a KES identity that is not assigned to any policy. KES rejects requests issued by unknown identities. This can be fixed by assigning a policy to the identity. Check out the examples.
- You are using a KES identity that is assigned to a policy, but the policy either does not allow or explicitly denies the API call. In this case, you have to grant the API permission in the policy assigned to the identity. Check out the list of APIs. For example, when you want to create a key you should allow the /v1/key/create/<key-name> API. The <key-name> can either be a specific key name, like my-key-1, or a pattern allowing arbitrary key names, like my-key*. Also note that deny rules take precedence over allow rules. Hence, you have to make sure that any deny pattern does not accidentally match your API request.
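The following is an added example (not part of this repository or of KES itself) that models the access decision just described: unknown identities are rejected, deny rules win over allow rules, and the admin identity is always allowed. Identity names, policy names and patterns are constructed placeholders, and Python's fnmatch stands in for KES's own pattern matcher (an assumption).

```python
import fnmatch

# Constructed placeholders: a real KES identity is the fingerprint of its TLS
# certificate or API key; these strings only illustrate the mapping.
ADMIN_IDENTITY = "placeholder-admin-identity"
ERR_INSUFFICIENT = "not authorized: insufficient permissions"

# Policy definitions: API path patterns under "allow" and "deny".
POLICIES = {
    "app-policy": {
        "allow": ["/v1/key/create/my-key*", "/v1/key/generate/my-key*"],
        "deny": ["/v1/key/create/my-key-prod*"],
    },
}

# Identity -> policy assignment (constructed sample identity).
IDENTITIES = {
    "identity-app-0001": "app-policy",
}


def _matches(api_path, patterns):
    # fnmatch is an assumption standing in for the KES path matcher.
    return any(fnmatch.fnmatchcase(api_path, p) for p in patterns)


def authorize(identity, api_path):
    """Return None when the request is allowed, otherwise the KES error text."""
    if identity == ADMIN_IDENTITY:
        return None  # the admin identity may perform any general purpose API call
    policy_name = IDENTITIES.get(identity)
    if policy_name is None:
        return ERR_INSUFFICIENT  # case 1: unknown identity, no policy assigned
    policy = POLICIES[policy_name]
    if _matches(api_path, policy.get("deny", [])):
        return ERR_INSUFFICIENT  # deny rules take precedence over allow rules
    if _matches(api_path, policy.get("allow", [])):
        return None
    return ERR_INSUFFICIENT  # case 2: policy does not allow this API call


if __name__ == "__main__":
    for ident, path in [
        ("identity-app-0001", "/v1/key/create/my-key-1"),
        ("identity-app-0001", "/v1/key/create/my-key-prod-1"),
        ("identity-unknown", "/v1/key/create/my-key-1"),
    ]:
        print(ident, path, authorize(ident, path) or "allowed")
```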
Use of KES is governed by the AGPLv3 license that can be found in the LICENSE file.
This project is a fork of MinIO KES, originally developed by MinIO, Inc. and licensed under AGPLv3. The Kypello fork maintains the same AGPLv3 license terms with no commercial exception.