minio/docs/kms/README.md

# KMS Guide [![Slack](https://slack.min.io/slack?type=svg)](https://slack.min.io)

MinIO uses a key-management-system (KMS) to support SSE-S3. If a client requests SSE-S3, or auto-encryption is enabled, the MinIO server encrypts each object with an unique object key which is protected by a master key managed by the KMS.

## Quick Start

MinIO supports multiple KMS implementations via our [KES](https://github.com/minio/kes#kes) project. We run a KES instance at `https://play.min.io:7373` for you to experiment and quickly get started. To run MinIO with a KMS just fetch the root identity, set the following environment variables and then start your MinIO server. If you havn't installed MinIO, yet, then follow the MinIO [install instructions](https://docs.min.io/docs/minio-quickstart-guide) first.

#### 1. Fetch the root identity
As the initial step, fetch the private key and certificate of the root identity:

```sh
curl -sSL --tlsv1.2 \
     -O 'https://raw.githubusercontent.com/minio/kes/master/root.key' \
     -O 'https://raw.githubusercontent.com/minio/kes/master/root.cert'
```

#### 2. Set the MinIO-KES configuration

```sh
export MINIO_KMS_KES_ENDPOINT=https://play.min.io:7373
export MINIO_KMS_KES_KEY_FILE=root.key
export MINIO_KMS_KES_CERT_FILE=root.cert
export MINIO_KMS_KES_KEY_NAME=my-minio-key
```

#### 3. Start the MinIO Server

```sh
export MINIO_ACCESS_KEY=minio
export MINIO_SECRET_KEY=minio123
minio server ~/export
```

> The KES instance at `https://play.min.io:7373` is meant to experiment and provides a way to get started quickly.
> Note that anyone can access or delete master keys at `https://play.min.io:7373`. You should run your own KES
> instance in production.

## Configuration Guides

A typical MinIO deployment that uses a KMS for SSE-S3 looks like this:
```
    ┌────────────┐
    │ ┌──────────┴─┬─────╮          ┌────────────┐
    └─┤ ┌──────────┴─┬───┴──────────┤ ┌──────────┴─┬─────────────────╮
      └─┤ ┌──────────┴─┬─────┬──────┴─┤ KES Server ├─────────────────┤
        └─┤   MinIO    ├─────╯        └────────────┘            ┌────┴────┐
          └────────────┘                                        │   KMS   │
                                                                └─────────┘
```

In a given setup, there are `n` MinIO instances talking to `m` KES servers but only `1` central KMS. The most simple setup consists of `1` MinIO server or cluster talking to `1` KMS via `1` KES server.

The main difference between various MinIO-KMS deployments is the KMS implementation. The following table helps you select the right option for your use case:

| KMS                                                                                          | Purpose                                                           |
|:---------------------------------------------------------------------------------------------|:------------------------------------------------------------------|
| [Hashicorp Vault](https://github.com/minio/kes/wiki/Hashicorp-Vault-Keystore)                | Local KMS. MinIO and KMS on-prem (**Recommended**)                |
| [AWS-KMS + SecretsManager](https://github.com/minio/kes/wiki/AWS-SecretsManager)             | Cloud KMS. MinIO in combination with a managed KMS installation   |
| [Gemalto KeySecure /Thales CipherTrust](https://github.com/minio/kes/wiki/Gemalto-KeySecure) | Local KMS. MinIO and KMS On-Premises.                 |
| [Google Cloud Platform SecretManager](https://github.com/minio/kes/wiki/GCP-SecretManager)   | Cloud KMS. MinIO in combination with a managed KMS installation | 
| [FS](https://github.com/minio/kes/wiki/Filesystem-Keystore)                                  | Local testing or development (**Not recommended for production**) |


The MinIO-KES configuration is always the same - regardless of the underlying KMS implementation. Checkout the MinIO-KES [configuration example](https://github.com/minio/kes/wiki/MinIO-Object-Storage).

### Further references

- [Run MinIO with TLS / HTTPS](https://docs.min.io/docs/how-to-secure-access-to-minio-server-with-tls.html)
- [Tweak the KES server configuration](https://github.com/minio/kes/wiki/Configuration)
- [Run a load balancer infront of KES](https://github.com/minio/kes/wiki/TLS-Proxy)
- [Understand the KES server concepts](https://github.com/minio/kes/wiki/Concepts)

## Auto Encryption
Auto-Encryption is useful when MinIO administrator wants to ensure that all data stored on MinIO is encrypted at rest.

### Using `mc encrypt` (recommended)
MinIO automatically encrypts all objects on buckets if KMS is successfully configured and bucket encryption configuration is enabled for each bucket as shown below:
```
mc encrypt set sse-s3 myminio/bucket/
```

Verify if MinIO has `sse-s3` enabled
```
mc encrypt info myminio/bucket/
Auto encryption 'sse-s3' is enabled
```

### Using environment (deprecated)
> NOTE: The following ENV might be removed in future, you are advised to move to the previously recommended approach using `mc encrypt`. S3 gateway supports encryption at gateway layer which may  be dropped in favor of simplicity at a later time. It is advised that S3 gateway users migrate to MinIO server mode or enable encryption at REST at the backend.

MinIO automatically encrypts all objects on buckets if KMS is successfully configured and following ENV is enabled:
```
export MINIO_KMS_AUTO_ENCRYPTION=on
```

### Verify auto-encryption
> Note that auto-encryption only affects requests without S3 encryption headers. So, if a S3 client sends
> e.g. SSE-C headers, MinIO will encrypt the object with the key sent by the client and won't reach out to
> the configured KMS.

To verify auto-encryption, use the following `mc` command:

```
mc cp test.file myminio/bucket/
test.file:              5 B / 5 B  ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓  100.00% 337 B/s 0s
```

```
mc stat myminio/bucket/test.file
Name      : test.file
...
Encrypted :
  X-Amz-Server-Side-Encryption: AES256
```

## Explore Further

- [Use `mc` with MinIO Server](https://docs.min.io/docs/minio-client-quickstart-guide)
- [Use `aws-cli` with MinIO Server](https://docs.min.io/docs/aws-cli-with-minio)
- [Use `s3cmd` with MinIO Server](https://docs.min.io/docs/s3cmd-with-minio)
- [Use `minio-go` SDK with MinIO Server](https://docs.min.io/docs/golang-client-quickstart-guide)
- [The MinIO documentation website](https://docs.min.io)
re-write the KMS get started guide (#8936) This commit updates the KMS getting started guide and replaces the legacy MinIO<-->Vault setup with a MinIO<-->KES<-->Vault setup. Therefore, add some architecture ASCII diagrams and provide a step-by-step guide to setup Vault, KES and MinIO such that MinIO can encrypt objects with KES + Vault. The legacy Vault guide has been moved to `./vault-legacy.md`. Co-authored-by: Harshavardhana <harsha@minio.io> 2020-02-05 15:08:47 +08:00			`# KMS Guide [![Slack](https://slack.min.io/slack?type=svg)](https://slack.min.io)`
Add support for SSE-S3 server side encryption with vault (#6192) Add support for sse-s3 encryption with vault as KMS. Also refactoring code to make use of headers and functions defined in crypto package and clean up duplicated code. 2018-08-18 03:52:14 +08:00
update KMS docs indicating deprecation of AUTO_ENCRYPTION env 2020-09-14 07:23:18 +08:00			`MinIO uses a key-management-system (KMS) to support SSE-S3. If a client requests SSE-S3, or auto-encryption is enabled, the MinIO server encrypts each object with an unique object key which is protected by a master key managed by the KMS.`
refactor vault configuration and add master-key KMS (#6488) This refactors the vault configuration by moving the vault-related environment variables to `environment.go` (Other ENV should follow in the future to have a central place for adding / handling ENV instead of magic constants and handling across different files) Further this commit adds master-key SSE-S3 support. The operator can specify a SSE-S3 master key using `MINIO_SSE_MASTER_KEY` which will be used as master key to derive and encrypt per-object keys for SSE-S3 requests. This commit is also a pre-condition for SSE-S3 auto-encyption support. Fixes #6329 2018-12-12 14:50:29 +08:00
simplify the KMS guide and remove unnecessary sections (#9629) This commit simplifies the KMS configuration guide by adding a get started section that uses our KES play instance at `https://play.min.io:7373`. Further, it removes sections that we don't recommend for production anyways (MASTER_KEY). 2020-05-20 09:33:11 +08:00			`## Quick Start`

update KMS docs indicating deprecation of AUTO_ENCRYPTION env 2020-09-14 07:23:18 +08:00			MinIO supports multiple KMS implementations via our [KES](https://github.com/minio/kes#kes) project. We run a KES instance at `https://play.min.io:7373` for you to experiment and quickly get started. To run MinIO with a KMS just fetch the root identity, set the following environment variables and then start your MinIO server. If you havn't installed MinIO, yet, then follow the MinIO [install instructions](https://docs.min.io/docs/minio-quickstart-guide) first.
simplify the KMS guide and remove unnecessary sections (#9629) This commit simplifies the KMS configuration guide by adding a get started section that uses our KES play instance at `https://play.min.io:7373`. Further, it removes sections that we don't recommend for production anyways (MASTER_KEY). 2020-05-20 09:33:11 +08:00
fix KMS quickstart guide layout (#9658) This commit fixes a layout issue w.r.t. the KMS Quickstart guide. The problem seems to be caused by docs server not converting the markdown into html as expected. This commit fixes this by converting the ordered list into subsections. 2020-05-21 04:55:54 +08:00			`#### 1. Fetch the root identity`
			`As the initial step, fetch the private key and certificate of the root identity:`

			```sh
			`curl -sSL --tlsv1.2 \`
			`-O 'https://raw.githubusercontent.com/minio/kes/master/root.key' \`
			`-O 'https://raw.githubusercontent.com/minio/kes/master/root.cert'`
			```

			`#### 2. Set the MinIO-KES configuration`

			```sh
			`export MINIO_KMS_KES_ENDPOINT=https://play.min.io:7373`
			`export MINIO_KMS_KES_KEY_FILE=root.key`
			`export MINIO_KMS_KES_CERT_FILE=root.cert`
			`export MINIO_KMS_KES_KEY_NAME=my-minio-key`
			```

			`#### 3. Start the MinIO Server`

			```sh
			`export MINIO_ACCESS_KEY=minio`
			`export MINIO_SECRET_KEY=minio123`
			`minio server ~/export`
			```
simplify the KMS guide and remove unnecessary sections (#9629) This commit simplifies the KMS configuration guide by adding a get started section that uses our KES play instance at `https://play.min.io:7373`. Further, it removes sections that we don't recommend for production anyways (MASTER_KEY). 2020-05-20 09:33:11 +08:00
			> The KES instance at `https://play.min.io:7373` is meant to experiment and provides a way to get started quickly.
			> Note that anyone can access or delete master keys at `https://play.min.io:7373`. You should run your own KES
			`> instance in production.`

			`## Configuration Guides`

			`A typical MinIO deployment that uses a KMS for SSE-S3 looks like this:`
re-write the KMS get started guide (#8936) This commit updates the KMS getting started guide and replaces the legacy MinIO<-->Vault setup with a MinIO<-->KES<-->Vault setup. Therefore, add some architecture ASCII diagrams and provide a step-by-step guide to setup Vault, KES and MinIO such that MinIO can encrypt objects with KES + Vault. The legacy Vault guide has been moved to `./vault-legacy.md`. Co-authored-by: Harshavardhana <harsha@minio.io> 2020-02-05 15:08:47 +08:00			```
update KMS guide to work with latest KES changes (#9498) This commit updates the KMS guide to reflect the latest changes in KES. Based on internal design meetings we made some adjustments to the overall KES configuration. This commit ensures that the KMS guide contains a working KES demo-setup with Vault. 2020-05-02 03:36:30 +08:00			`┌────────────┐`
			`│ ┌──────────┴─┬─────╮ ┌────────────┐`
			`└─┤ ┌──────────┴─┬───┴──────────┤ ┌──────────┴─┬─────────────────╮`
			`└─┤ ┌──────────┴─┬─────┬──────┴─┤ KES Server ├─────────────────┤`
			`└─┤ MinIO ├─────╯ └────────────┘ ┌────┴────┐`
			`└────────────┘ │ KMS │`
			`└─────────┘`
update KES docs to talk about 'mc encrypt' command (#10400) add a deprecation notice for KMS_AUTO_ENCRYPTION 2020-09-04 03:43:45 +08:00			```
add howto generate a master key and add master key disclaimer (#6992) This commit adds a section to the master key documentation describing how to generate a random 256 bit master key. Further this commit adds a warning that master keys are not recommended for production systems because it's (currently) not possible to replace a master key (e.g. in case of compromise). 2018-12-19 05:00:32 +08:00
update KMS docs indicating deprecation of AUTO_ENCRYPTION env 2020-09-14 07:23:18 +08:00			In a given setup, there are `n` MinIO instances talking to `m` KES servers but only `1` central KMS. The most simple setup consists of `1` MinIO server or cluster talking to `1` KMS via `1` KES server.
Add KMS master key from Docker secret (#7825) 2019-07-18 03:55:26 +08:00
update KMS docs indicating deprecation of AUTO_ENCRYPTION env 2020-09-14 07:23:18 +08:00			`The main difference between various MinIO-KMS deployments is the KMS implementation. The following table helps you select the right option for your use case:`
Add KMS master key from Docker secret (#7825) 2019-07-18 03:55:26 +08:00
Update KES table to include additional supported KMS providers (#10631) 2020-10-07 02:09:43 +08:00			`\| KMS \| Purpose \|`
			`\|:---------------------------------------------------------------------------------------------\|:------------------------------------------------------------------\|`
			`\| [Hashicorp Vault](https://github.com/minio/kes/wiki/Hashicorp-Vault-Keystore) \| Local KMS. MinIO and KMS on-prem (Recommended) \|`
			`\| [AWS-KMS + SecretsManager](https://github.com/minio/kes/wiki/AWS-SecretsManager) \| Cloud KMS. MinIO in combination with a managed KMS installation \|`
			`\| [Gemalto KeySecure /Thales CipherTrust](https://github.com/minio/kes/wiki/Gemalto-KeySecure) \| Local KMS. MinIO and KMS On-Premises. \|`
			`\| [Google Cloud Platform SecretManager](https://github.com/minio/kes/wiki/GCP-SecretManager) \| Cloud KMS. MinIO in combination with a managed KMS installation \|`
			`\| [FS](https://github.com/minio/kes/wiki/Filesystem-Keystore) \| Local testing or development (Not recommended for production) \|`

update KES docs to talk about 'mc encrypt' command (#10400) add a deprecation notice for KMS_AUTO_ENCRYPTION 2020-09-04 03:43:45 +08:00
update KMS docs indicating deprecation of AUTO_ENCRYPTION env 2020-09-14 07:23:18 +08:00			`The MinIO-KES configuration is always the same - regardless of the underlying KMS implementation. Checkout the MinIO-KES [configuration example](https://github.com/minio/kes/wiki/MinIO-Object-Storage).`
re-write the KMS get started guide (#8936) This commit updates the KMS getting started guide and replaces the legacy MinIO<-->Vault setup with a MinIO<-->KES<-->Vault setup. Therefore, add some architecture ASCII diagrams and provide a step-by-step guide to setup Vault, KES and MinIO such that MinIO can encrypt objects with KES + Vault. The legacy Vault guide has been moved to `./vault-legacy.md`. Co-authored-by: Harshavardhana <harsha@minio.io> 2020-02-05 15:08:47 +08:00
simplify the KMS guide and remove unnecessary sections (#9629) This commit simplifies the KMS configuration guide by adding a get started section that uses our KES play instance at `https://play.min.io:7373`. Further, it removes sections that we don't recommend for production anyways (MASTER_KEY). 2020-05-20 09:33:11 +08:00			`### Further references`
Add KMS master key from Docker secret (#7825) 2019-07-18 03:55:26 +08:00
update KES docs to talk about 'mc encrypt' command (#10400) add a deprecation notice for KMS_AUTO_ENCRYPTION 2020-09-04 03:43:45 +08:00			`- [Run MinIO with TLS / HTTPS](https://docs.min.io/docs/how-to-secure-access-to-minio-server-with-tls.html)`
			`- [Tweak the KES server configuration](https://github.com/minio/kes/wiki/Configuration)`
			`- [Run a load balancer infront of KES](https://github.com/minio/kes/wiki/TLS-Proxy)`
			`- [Understand the KES server concepts](https://github.com/minio/kes/wiki/Concepts)`
Add KMS master key from Docker secret (#7825) 2019-07-18 03:55:26 +08:00
simplify the KMS guide and remove unnecessary sections (#9629) This commit simplifies the KMS configuration guide by adding a get started section that uses our KES play instance at `https://play.min.io:7373`. Further, it removes sections that we don't recommend for production anyways (MASTER_KEY). 2020-05-20 09:33:11 +08:00			`## Auto Encryption`
update KMS docs indicating deprecation of AUTO_ENCRYPTION env 2020-09-14 07:23:18 +08:00			`Auto-Encryption is useful when MinIO administrator wants to ensure that all data stored on MinIO is encrypted at rest.`
add auto-encryption feature (#6523) This commit adds an auto-encryption feature which allows the Minio operator to ensure that uploaded objects are always encrypted. This change adds the `autoEncryption` configuration option as part of the KMS conifguration and the ENV. variable `MINIO_SSE_AUTO_ENCRYPTION:{on,off}`. It also updates the KMS documentation according to the changes. Fixes #6502 2018-12-15 05:35:48 +08:00
update KMS docs indicating deprecation of AUTO_ENCRYPTION env 2020-09-14 07:23:18 +08:00			### Using `mc encrypt` (recommended)
update KES docs to talk about 'mc encrypt' command (#10400) add a deprecation notice for KMS_AUTO_ENCRYPTION 2020-09-04 03:43:45 +08:00			`MinIO automatically encrypts all objects on buckets if KMS is successfully configured and bucket encryption configuration is enabled for each bucket as shown below:`
			```
Added set keyword in the command set to enable encryption on buckets (#11010) 2020-12-02 08:00:49 +08:00			`mc encrypt set sse-s3 myminio/bucket/`
update KES docs to talk about 'mc encrypt' command (#10400) add a deprecation notice for KMS_AUTO_ENCRYPTION 2020-09-04 03:43:45 +08:00			```
add auto-encryption feature (#6523) This commit adds an auto-encryption feature which allows the Minio operator to ensure that uploaded objects are always encrypted. This change adds the `autoEncryption` configuration option as part of the KMS conifguration and the ENV. variable `MINIO_SSE_AUTO_ENCRYPTION:{on,off}`. It also updates the KMS documentation according to the changes. Fixes #6502 2018-12-15 05:35:48 +08:00
update KES docs to talk about 'mc encrypt' command (#10400) add a deprecation notice for KMS_AUTO_ENCRYPTION 2020-09-04 03:43:45 +08:00			Verify if MinIO has `sse-s3` enabled
Document vault in prod mode instead of dev mode (#7928) 2019-07-16 08:32:15 +08:00			```
update KES docs to talk about 'mc encrypt' command (#10400) add a deprecation notice for KMS_AUTO_ENCRYPTION 2020-09-04 03:43:45 +08:00			`mc encrypt info myminio/bucket/`
			`Auto encryption 'sse-s3' is enabled`
add auto-encryption feature (#6523) This commit adds an auto-encryption feature which allows the Minio operator to ensure that uploaded objects are always encrypted. This change adds the `autoEncryption` configuration option as part of the KMS conifguration and the ENV. variable `MINIO_SSE_AUTO_ENCRYPTION:{on,off}`. It also updates the KMS documentation according to the changes. Fixes #6502 2018-12-15 05:35:48 +08:00			```

update KMS docs indicating deprecation of AUTO_ENCRYPTION env 2020-09-14 07:23:18 +08:00			`### Using environment (deprecated)`
add dynamic config docs (#11048) Co-authored-by: Eco <41090896+eco-minio@users.noreply.github.com> 2020-12-08 11:02:20 +08:00			> NOTE: The following ENV might be removed in future, you are advised to move to the previously recommended approach using `mc encrypt`. S3 gateway supports encryption at gateway layer which may be dropped in favor of simplicity at a later time. It is advised that S3 gateway users migrate to MinIO server mode or enable encryption at REST at the backend.
update KMS docs indicating deprecation of AUTO_ENCRYPTION env 2020-09-14 07:23:18 +08:00
			`MinIO automatically encrypts all objects on buckets if KMS is successfully configured and following ENV is enabled:`
			```
			`export MINIO_KMS_AUTO_ENCRYPTION=on`
			```
update KES docs to talk about 'mc encrypt' command (#10400) add a deprecation notice for KMS_AUTO_ENCRYPTION 2020-09-04 03:43:45 +08:00
update KMS docs indicating deprecation of AUTO_ENCRYPTION env 2020-09-14 07:23:18 +08:00			`### Verify auto-encryption`
re-write the KMS get started guide (#8936) This commit updates the KMS getting started guide and replaces the legacy MinIO<-->Vault setup with a MinIO<-->KES<-->Vault setup. Therefore, add some architecture ASCII diagrams and provide a step-by-step guide to setup Vault, KES and MinIO such that MinIO can encrypt objects with KES + Vault. The legacy Vault guide has been moved to `./vault-legacy.md`. Co-authored-by: Harshavardhana <harsha@minio.io> 2020-02-05 15:08:47 +08:00			`> Note that auto-encryption only affects requests without S3 encryption headers. So, if a S3 client sends`
			`> e.g. SSE-C headers, MinIO will encrypt the object with the key sent by the client and won't reach out to`
update KES docs to talk about 'mc encrypt' command (#10400) add a deprecation notice for KMS_AUTO_ENCRYPTION 2020-09-04 03:43:45 +08:00			`> the configured KMS.`
re-write the KMS get started guide (#8936) This commit updates the KMS getting started guide and replaces the legacy MinIO<-->Vault setup with a MinIO<-->KES<-->Vault setup. Therefore, add some architecture ASCII diagrams and provide a step-by-step guide to setup Vault, KES and MinIO such that MinIO can encrypt objects with KES + Vault. The legacy Vault guide has been moved to `./vault-legacy.md`. Co-authored-by: Harshavardhana <harsha@minio.io> 2020-02-05 15:08:47 +08:00
update KES docs to talk about 'mc encrypt' command (#10400) add a deprecation notice for KMS_AUTO_ENCRYPTION 2020-09-04 03:43:45 +08:00			To verify auto-encryption, use the following `mc` command:
Small corrections and example for auto-encryption (#6982) 2018-12-15 08:21:41 +08:00
Document vault in prod mode instead of dev mode (#7928) 2019-07-16 08:32:15 +08:00			```
simplify the KMS guide and remove unnecessary sections (#9629) This commit simplifies the KMS configuration guide by adding a get started section that uses our KES play instance at `https://play.min.io:7373`. Further, it removes sections that we don't recommend for production anyways (MASTER_KEY). 2020-05-20 09:33:11 +08:00			`mc cp test.file myminio/bucket/`
Small corrections and example for auto-encryption (#6982) 2018-12-15 08:21:41 +08:00			`test.file: 5 B / 5 B ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓ 100.00% 337 B/s 0s`
update KES docs to talk about 'mc encrypt' command (#10400) add a deprecation notice for KMS_AUTO_ENCRYPTION 2020-09-04 03:43:45 +08:00			```
simplify the KMS guide and remove unnecessary sections (#9629) This commit simplifies the KMS configuration guide by adding a get started section that uses our KES play instance at `https://play.min.io:7373`. Further, it removes sections that we don't recommend for production anyways (MASTER_KEY). 2020-05-20 09:33:11 +08:00
update KES docs to talk about 'mc encrypt' command (#10400) add a deprecation notice for KMS_AUTO_ENCRYPTION 2020-09-04 03:43:45 +08:00			```
simplify the KMS guide and remove unnecessary sections (#9629) This commit simplifies the KMS configuration guide by adding a get started section that uses our KES play instance at `https://play.min.io:7373`. Further, it removes sections that we don't recommend for production anyways (MASTER_KEY). 2020-05-20 09:33:11 +08:00			`mc stat myminio/bucket/test.file`
Small corrections and example for auto-encryption (#6982) 2018-12-15 08:21:41 +08:00			`Name : test.file`
			`...`
			`Encrypted :`
			`X-Amz-Server-Side-Encryption: AES256`
			```

re-write the KMS get started guide (#8936) This commit updates the KMS getting started guide and replaces the legacy MinIO<-->Vault setup with a MinIO<-->KES<-->Vault setup. Therefore, add some architecture ASCII diagrams and provide a step-by-step guide to setup Vault, KES and MinIO such that MinIO can encrypt objects with KES + Vault. The legacy Vault guide has been moved to `./vault-legacy.md`. Co-authored-by: Harshavardhana <harsha@minio.io> 2020-02-05 15:08:47 +08:00			`## Explore Further`
Add support for SSE-S3 server side encryption with vault (#6192) Add support for sse-s3 encryption with vault as KMS. Also refactoring code to make use of headers and functions defined in crypto package and clean up duplicated code. 2018-08-18 03:52:14 +08:00
Replace Minio refs in docs with MinIO and links (#7494) 2019-04-10 02:39:42 +08:00			- [Use `mc` with MinIO Server](https://docs.min.io/docs/minio-client-quickstart-guide)
			- [Use `aws-cli` with MinIO Server](https://docs.min.io/docs/aws-cli-with-minio)
			- [Use `s3cmd` with MinIO Server](https://docs.min.io/docs/s3cmd-with-minio)
			- [Use `minio-go` SDK with MinIO Server](https://docs.min.io/docs/golang-client-quickstart-guide)
			`- [The MinIO documentation website](https://docs.min.io)`