First, we need to generate a TLS private key and certificate for our KES server. A KES server can only be run with TLS - since secure-by-default. Here we use self-signed certificates for simplicity.

The following command generates a new TLS private key (private.key) and a self-signed X.509 certificate (public.crt) issued for the IP 127.0.0.1 and DNS name localhost:

$ kes identity new --ip "127.0.0.1" --cert=public.crt --key=private.key localhost

  Private key:  private.key
  Certificate:  public.crt
  Identity:     2e897f99a779cf5dd147e58de0fe55a494f546f4dcae8bc9e5426d2b5cd35680

If you already have a TLS private key & certificate - e.g. from a WebPKI or internal CA - you can use them instead. Remember to adjust the tls config section later on.

MinIO needs some credentials to access the KES server. The following command generates a new TLS private/public key pair:

$ kes identity new --key=client.key --cert=client.crt MinIO

  Private key:  client.key
  Certificate:  client.crt
  Identity:     02ef5321ca409dbc7b10e7e8ee44d1c3b91e4bf6e2198befdebee6312745267b

The identity 02ef5321ca409dbc7b10e7e8ee44d1c3b91e4bf6e2198befdebee6312745267b is an unique fingerprint of the public key in client.crt and you can re-compute it anytime:

$ kes identity of client.crt

  Identity:  02ef5321ca409dbc7b10e7e8ee44d1c3b91e4bf6e2198befdebee6312745267b

Next, we can create the KES server configuration file: config.yml. Please, make sure that the identity in the policy section matches your client.crt identity.

address: 0.0.0.0:7373 # Listen on all network interfaces on port 7373

admin:
  identity: disabled  # We disable the admin identity since we don't need it in this guide 
   
tls:
  key: private.key    # The KES server TLS private key
  cert: public.crt    # The KES server TLS certificate
   
policy:
  my-app: 
    allow:
    - /v1/key/create/minio-*
    - /v1/key/generate/minio-*
    - /v1/key/decrypt/minio-*
    identities:
    - 02ef5321ca409dbc7b10e7e8ee44d1c3b91e4bf6e2198befdebee6312745267b # Use the identity of your client.crt
   
keystore:
  fs:
    path: ./keys # Choose a directory for the secret keys

Now, we can start a KES server instance:

$ kes server --config config.yml --auth off

On linux, KES can use the mlock syscall to prevent the OS from writing in-memory data to disk (swapping). This prevents leaking senstive data accidentality. The following command allows KES to use the mlock syscall without running with root privileges:

$ sudo setcap cap_ipc_lock=+ep $(readlink -f $(which kes))

Then, we can start a KES server instance with memory protection:

$ kes server --config config.yml --auth off --mlock

You can either download a static binary or follow the MinIO Quickstart Guide.

MinIO needs to know to which KES server it should talk to:

export MINIO_KMS_KES_ENDPOINT=https://127.0.0.1:7373

Further, MinIO needs some access credentials to talk to a KES server. Either an API key:

export MINIO_KMS_KES_API_KEY=<your-key>

or a TLS private key and client certificate:

export MINIO_KMS_KES_CERT_FILE=client.crt

export MINIO_KMS_KES_KEY_FILE=client.key

MinIO needs a default key that it will use if its S3 client does not specify an encryption key.

export MINIO_KMS_KES_KEY_NAME=minio-default-key

MinIO will create this key automatically if it doesn't exist.

When using self-signed certificates, MinIO cannot verify the the KES server certificate. Therefore, we establish the trust relationship manually.

export MINIO_KMS_KES_CAPATH=public.crt

Here, public.crt is the public certificate of the KES server.
This step is optional if the KES server uses a certificate issued by a trusted CA.

First, set the MinIO root credentials:

export MINIO_ROOT_USER=minio
export MINIO_ROOT_PASSWORD=minio123

Then, start MinIO:

minio server /data

First, create a new key for your bucket. For example:

mc admin kms key create <alias> minio-my-bucket

Use your MinIO server alias.

Then, add a server-side encryption configuration to your bucket. For example:

mc encrypt set sse-kms minio-my-bucket <alias>/my-bucket

Use your MinIO server alias.