@aead
Last active April 1, 2024 20:53
MinIO KMS Setup

1. Download the MinIO KMS binary

curl -sSL -o ./minkms https://dl.min.io/enterprise/minkms/release/linux-amd64/minkms

Make the MinKMS binary executable:

chmod +x ./minkms

2. Set the MinIO license environment variable

export MINIO_LICENSE=<your-license>

3. Generate a new software HSM key:

./minkms --soft-hsm
╭─────────────────────────────────────────────────────────────────────────────╮
│                                                                             │
│  Your software HSM key:                                                     │
│                                                                             │
│     hsm:aes256:PuKzChdhTmMcYqfbB+CpR7g2aRHbBO7uaMXdqCJmW40=                 │
│                                                                             │
│  This is the only time it is shown. Keep it secret and secure!              │
│                                                                             │
│  The HSM protects your KMS cluster as unseal mechanism by decrypting the    │
│  internal root encryption key ring.                                         │
│  Please store it at a secure location. For example, your password manager.  │
│  Without your HSM key you cannot decrypt any data within your KMS cluster.  │
│                                                                             │
╰─────────────────────────────────────────────────────────────────────────────╯

4. Start the MinKMS server

Export the HSM key printed in step 3 and start the server. The value below is the example key printed above; use the one generated on your machine. Note that an `export` typed at an interactive prompt is written to your shell history, so for anything beyond a quick test load the key from a file with restricted permissions or from your password manager instead of pasting it on the command line:

export MINIO_KMS_HSM_KEY=hsm:aes256:PuKzChdhTmMcYqfbB+CpR7g2aRHbBO7uaMXdqCJmW40=

./minkms server /tmp/kms0
Version        2024-03-26T17-52-38Z commit=2c97037a83ea6513516208913dd03159a71e80e7
HSM            hsm:minio:soft
Cluster        ID      1f720088-db10-4e28-8927-3bbad1eff6d8
               Node 0: 192.168.188.110:7373 ⚫

Documentation  Web: https://min.io/docs/kms/
               CLI: $ minkms help

Endpoint       https://192.168.188.110:7373
API Key        k1:XyTL0XrjcoTYxPbiWQpxA_HOc8PJWhgRU-TGqTRszmI

=> Server is up and running...

Multi-node Clusters

By default, a MinKMS node uses the TLS certificate in ~/.minkms/certs. If there is none, the MinKMS server automatically generates a self-signed certificate. That is fine for a test setup, but clients and peers then have nothing trustworthy to verify against, so for production place a certificate issued by a CA you control in ~/.minkms/certs. A single-node KMS cluster can be expanded via minkms add. To do so, set up another node with the same MINIO_KMS_HSM_KEY (the HSM key unseals the root key ring of the whole cluster, so every node must hold the same one) and join the nodes via minkms add.

For example:

Node 0: https://10.1.2.1:7373
Node 1: https://10.1.2.2:7373

Join Node 0 and Node 1 via:

export MINIO_KMS_SERVER=10.1.2.1:7373
export MINIO_KMS_API_KEY=<your-api-key>

minkms add 10.1.2.2

On success, minkms ls should list two nodes.
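The whole procedure above (steps 1 to 4 plus the multi-node join), as an added shell script that is not part of the gist and not MinIO's own tooling. It wraps the commands shown on this page in functions, adds a format check on the HSM key before it is stored (a mistyped key would leave the cluster permanently unsealable), and keeps the key in a 0600 file instead of shell history. The key file path, the script name kms-setup.sh and the sample box text (copied from the page's own example output) are assumptions of this example; the minkms commands are only executed when ./minkms exists in the current directory.

```shell
#!/bin/sh
# Added example (not from the gist or from MinIO): helpers for the MinKMS setup
# steps on this page. Assumptions are marked; the minkms invocations mirror the
# commands on the page and only run when ./minkms is present.

# Sample of the box printed by `minkms --soft-hsm`, copied from the page's own
# example output (constructed input used to exercise extract_hsm_key).
SAMPLE_SOFT_HSM_OUTPUT=$(cat <<'EOF'
│  Your software HSM key:                                                     │
│     hsm:aes256:PuKzChdhTmMcYqfbB+CpR7g2aRHbBO7uaMXdqCJmW40=                 │
│  This is the only time it is shown. Keep it secret and secure!              │
EOF
)

# Pull the hsm:aes256:... token out of the boxed output (read from stdin).
extract_hsm_key() {
  sed -n 's|.*\(hsm:aes256:[A-Za-z0-9+/=]*\).*|\1|p' | head -n 1
}

# Sanity-check a key before storing it: prefix hsm:aes256: and a base64 payload
# that decodes to exactly 32 bytes (AES-256). Returns 0 if the shape is right.
validate_hsm_key() {
  key=$1
  case $key in
    hsm:aes256:*) ;;
    *) return 1 ;;
  esac
  payload=${key#hsm:aes256:}
  nbytes=$(printf '%s' "$payload" | base64 -d 2>/dev/null | wc -c)
  [ "$((nbytes))" -eq 32 ]
}

# Store the key in a file only the current user can read, so it never sits in
# shell history the way an interactive `export MINIO_KMS_HSM_KEY=...` does.
store_hsm_key() {
  key=$1
  path=$2
  validate_hsm_key "$key" || { echo "refusing to store malformed HSM key" >&2; return 1; }
  mkdir -p "$(dirname "$path")"
  ( umask 077 && printf '%s\n' "$key" > "$path" )
}

# Start a node: the key is read from the file and exported only to the server
# process, matching `./minkms server /tmp/kms0` from step 4.
start_kms_node() {
  keyfile=$1
  datadir=$2
  MINIO_KMS_HSM_KEY=$(cat "$keyfile") ./minkms server "$datadir"
}

# Join peers into an existing cluster (the `minkms add` flow above), then list
# the members. Every peer must already be running with the same HSM key.
join_nodes() {
  server=$1
  apikey=$2
  shift 2
  for peer in "$@"; do
    MINIO_KMS_SERVER=$server MINIO_KMS_API_KEY=$apikey ./minkms add "$peer" || return 1
  done
  MINIO_KMS_SERVER=$server MINIO_KMS_API_KEY=$apikey ./minkms ls
}

# Assumed location for the key file (an assumption of this example, not a
# MinKMS convention).
KMS_KEY_FILE=${KMS_KEY_FILE:-$HOME/.minkms/hsm.key}

# Usage: sh kms-setup.sh init /tmp/kms0        (generate key, store it, start node 0)
#        sh kms-setup.sh join 10.1.2.1:7373 <api-key> 10.1.2.2 [more peers]
if [ -x ./minkms ]; then
  case ${1:-} in
    init)
      key=$(./minkms --soft-hsm | extract_hsm_key)
      store_hsm_key "$key" "$KMS_KEY_FILE" && start_kms_node "$KMS_KEY_FILE" "${2:-/tmp/kms0}"
      ;;
    join)
      shift
      join_nodes "$@"
      ;;
  esac
fi
```

Because the `init` path captures the `--soft-hsm` output instead of letting it scroll by, the key is written straight to the 0600 file and never appears on the terminal or in history; copy that file (or its contents via your password manager) to each additional node before running `join`, since the join only succeeds between nodes that share the same MINIO_KMS_HSM_KEY.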
