vm broker ‐ kes ‐ hashicorp - allanrogerr/public GitHub Wiki

1.- Create kes-vault, kes-server and kes-minio on the same node, so that they share the same network, under the lab.min.dev domain, with "Enable TLS" and "SSL Required" selected

2.- Connect to kes-server

ssh -p 20070 [email protected] -o "ServerAliveInterval=5" -o "ServerAliveCountMax=100000" -o "StrictHostKeyChecking=off"
loginctl enable-linger ubuntu 

Install and validate kes

curl -sSL --tlsv1.2 'https://github.com/minio/kes/releases/latest/download/kes-linux-amd64' -o ./kes
chmod +x ./kes
./kes --version

Output

Version    2023-10-27T22-05-35Z   commit=bc66190159ecda31db407eead7baa6bff356c9b3
Runtime    go1.21.1 linux/amd64   compiler=gc
License    AGPLv3                 https://www.gnu.org/licenses/agpl-3.0.html
Copyright  2015-2023 MinIO Inc.   https://min.io

3.- Connect to kes-vault

ssh -p 20021 [email protected] -o "ServerAliveInterval=5" -o "ServerAliveCountMax=100000" -o "StrictHostKeyChecking=off"
loginctl enable-linger ubuntu 

Install Vault

wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
sudo apt update && sudo apt install vault

4.- Return to the kes-server tab

Generate Vault Private Key & Certificate

./kes identity new --key vault.key --cert vault.crt --ip 10.214.226.171 kes-vault

Output

Your API key:

   kes:v1:AFd/aAF+c6pC8dTzWFLMwH3x8SAiH08B0TI4lLLfdG2u

This is the only time it is shown. Keep it secret and secure!

Your Identity:

   9ba6d9bf553caf1351b21cf6f4ceb2976e32fb907aa3a76e901373bcdb7d9b6b

The identity is not a secret. It can be shared. Any peer
needs this identity in order to verify your API key.

The generated TLS private key is stored at: vault.key
The generated TLS certificate is stored at: vault.crt

The identity can be computed again via:

    kes identity of kes:v1:AFd/aAF+c6pC8dTzWFLMwH3x8SAiH08B0TI4lLLfdG2u
    kes identity of vault.crt

5.- Return to the kes-vault tab

Copy vault.crt and vault.key from kes-server to kes-vault

cat vault.crt # on kes-server
vi vault.crt # on kes-vault

cat vault.key # on kes-server
vi vault.key # on kes-vault

Configure Vault Server

vi vault-config.json # starts a single Vault server instance on port 9020
{
  "api_addr": "https://127.0.0.1:9020",
  "backend": {
    "file": {
      "path": "vault/file"
    }
  },

  "default_lease_ttl": "168h",
  "max_lease_ttl": "720h",

  "listener": {
    "tcp": {
      "address": "0.0.0.0:9020",
      "tls_cert_file": "vault.crt",
      "tls_key_file": "vault.key",
      "tls_min_version": "tls12"
    }
  },
  "disable_mlock": true
}

Start vault server

sudo setcap cap_ipc_lock=+ep $(readlink -f $(which vault))
vault server -config vault-config.json > out.log &

Output

2023-11-07T18:39:51.769Z [INFO]  proxy environment: http_proxy="" https_proxy="" no_proxy=""
2023-11-07T18:39:51.770Z [INFO]  incrementing seal generation: generation=1
2023-11-07T18:39:51.772Z [INFO]  core: Initializing version history cache for core
2023-11-07T18:39:51.772Z [INFO]  events: Starting event system

6.- In a new terminal session to kes-vault

ssh -p 20021 [email protected] -o "ServerAliveInterval=5" -o "ServerAliveCountMax=100000" -o "StrictHostKeyChecking=off"

Set VAULT_ADDR endpoint

export VAULT_ADDR='https://127.0.0.1:9020'
export VAULT_SKIP_VERIFY=true

Initialize Vault Server

vault operator init

Output

Unseal Key 1: ...
Unseal Key 2: ...
Unseal Key 3: ...
Unseal Key 4: ...
Unseal Key 5: ...

Initial Root Token: hvs....

Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.

Vault does not store the generated root key. Without at least 3 keys to
reconstruct the root key, Vault will remain permanently sealed!

It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.

Set VAULT_TOKEN

export VAULT_TOKEN=hvs....

Unseal Vault Server

vault status
vault operator unseal ...
vault operator unseal ...
vault operator unseal ...
vault status

Enable K/V Backend

vault secrets enable -version=2 kv

Output

Success! Enabled the kv secrets engine at: kv/

Create Vault Policy

vi kes-policy.hcl
path "kv/data/*" {
  capabilities = [ "create", "read" ]
}
path "kv/metadata/*" {
  capabilities = [ "list", "delete" ]
}

Then,

vault policy write kes-policy kes-policy.hcl

Output

Success! Uploaded policy: kes-policy

Enable AppRole Authentication

vault auth enable approle

Output

Success! Enabled approle auth method at: approle/

Create KES Role

vault write auth/approle/role/kes-server token_num_uses=0  secret_id_num_uses=0  period=5m

Output

Success! Data written to: auth/approle/role/kes-server

Bind Policy to Role

vault write auth/approle/role/kes-server policies=kes-policy

Output

Success! Data written to: auth/approle/role/kes-server

Generate AppRole ID

vault read auth/approle/role/kes-server/role-id 

Output

Key        Value
---        -----
role_id    079cc3a0-3051-f365-dac7-59c52413621f

Generate AppRole Secret

vault write -f auth/approle/role/kes-server/secret-id 

Output

Key                   Value
---                   -----
secret_id             eb7d9f02-4ff0-dbe6-cacf-456603886797
secret_id_accessor    98303063-c7bc-0582-4507-ca0576538b4a
secret_id_num_uses    0
secret_id_ttl         0s

7.- In a new terminal session to kes-server

ssh -p 20070 [email protected] -o "ServerAliveInterval=5" -o "ServerAliveCountMax=100000" -o "StrictHostKeyChecking=off"

Generate KES Server Private Key & Certificate

./kes identity new --key private.key --cert public.crt --ip "10.214.226.20" kes-server

Output

Your API key:

   kes:v1:AGFxmnzLyfodDMXU5w1Nrtc7jgPXiwhBaR8fvKyyBy03

This is the only time it is shown. Keep it secret and secure!

Your Identity:

   8ed40b0a19a2cc438ce472d163cd106b583363b1e2820011172665583611f592

The identity is not a secret. It can be shared. Any peer
needs this identity in order to verify your API key.

The generated TLS private key is stored at: private.key
The generated TLS certificate is stored at: public.crt

The identity can be computed again via:

    kes identity of kes:v1:AGFxmnzLyfodDMXU5w1Nrtc7jgPXiwhBaR8fvKyyBy03
    kes identity of public.crt

Generate Client Credentials

./kes identity new --key=client.key --cert=client.crt minio

Output

Your API key:

   kes:v1:ACAIYfVuDywN4O3bsMaaZCXdVjaVe283XYBab0k01pP0

This is the only time it is shown. Keep it secret and secure!

Your Identity:

   83dbfcdba05cb3256eae72f5217ac4cbc6cf866f7a80927c1981901af6d9882c

The identity is not a secret. It can be shared. Any peer
needs this identity in order to verify your API key.

The generated TLS private key is stored at: client.key
The generated TLS certificate is stored at: client.crt

The identity can be computed again via:

    kes identity of kes:v1:ACAIYfVuDywN4O3bsMaaZCXdVjaVe283XYBab0k01pP0
    kes identity of client.crt
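The identity printed above is what gets pasted into the KES policy, so it is worth being able to recompute it independently of the kes binary. The following Go program is an added example, not part of this wiki or of KES itself; it assumes KES's identity derivation as I understand it: the identity is the hex SHA-256 of the DER SubjectPublicKeyInfo of the key, and a kes:v1 API key is base64 of a type byte (0 = Ed25519) followed by a 32-byte Ed25519 seed. The function names identityFromAPIKey and identityFromCertPEM are my own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/hex"
	"encoding/pem"
	"fmt"
	"strings"
)

// identityFromAPIKey re-derives a KES identity from a "kes:v1:..." API key, as
// `kes identity of <api-key>` does (assumed format): base64(type byte 0 || 32-byte
// Ed25519 seed); identity = hex SHA-256 of the derived public key's DER SubjectPublicKeyInfo.
func identityFromAPIKey(apiKey string) (string, error) {
	ok := strings.HasPrefix(apiKey, "kes:v1:")
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(apiKey, "kes:v1:"))
	if !ok || err != nil || len(raw) != 1+ed25519.SeedSize || raw[0] != 0 {
		return "", fmt.Errorf("not a kes:v1 Ed25519 API key")
	}
	pub := ed25519.NewKeyFromSeed(raw[1:]).Public().(ed25519.PublicKey)
	spki, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(spki)
	return hex.EncodeToString(sum[:]), nil
}

// identityFromCertPEM computes what `kes identity of client.crt` prints (assumed):
// the hex SHA-256 over the certificate's raw SubjectPublicKeyInfo.
func identityFromCertPEM(pemBytes []byte) (string, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", fmt.Errorf("no CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:]), nil
}

func main() {
	// Re-derive the client identity from the API key shown on this page (step 7).
	fmt.Println(identityFromAPIKey("kes:v1:ACAIYfVuDywN4O3bsMaaZCXdVjaVe283XYBab0k01pP0"))
}
```

Pointing identityFromCertPEM at the client.crt that was actually copied to kes-minio confirms that the identity listed under policy.minio.identities belongs to the certificate MinIO presents.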

Configure KES Server

vi config.yml
address: 0.0.0.0:9073 # Listen on all network interfaces on port 9073

admin:
  identity: disabled  # We disable the admin identity since we don't need it in this guide

tls:
  key: private.key    # The KES server TLS private key
  cert: public.crt    # The KES server TLS certificate

policy:
  minio:
    allow:
    - /v1/key/create/minio-key
    - /v1/key/generate/minio-key
    - /v1/key/decrypt/minio-key
    - /v1/key/list/*
    - /v1/key/delete/minio-key
    identities:
    - 83dbfcdba05cb3256eae72f5217ac4cbc6cf866f7a80927c1981901af6d9882c # Use the identity of your client.crt

keystore:
  vault:
    endpoint: https://10.214.226.171:9020
    version:  v2 # The K/V engine version - either "v1" or "v2".
    approle:
      id:     "079cc3a0-3051-f365-dac7-59c52413621f" # Your AppRole ID
      secret: "eb7d9f02-4ff0-dbe6-cacf-456603886797" # Your AppRole Secret
      retry:  15s
    status:
      ping: 10s
    tls:
      ca: vault.crt # Manually trust the vault certificate since we use self-signed certificates

Start KES Server

./kes server --config config.yml --auth off --addr :9073 > out.log &
tail -f out.log

8.- Connect to kes-minio

ssh -p 20044 [email protected] -o "ServerAliveInterval=5" -o "ServerAliveCountMax=100000" -o "StrictHostKeyChecking=off"
loginctl enable-linger ubuntu 

Set MINIO_KMS_KES_ENDPOINT

export MINIO_KMS_KES_ENDPOINT=https://10.214.226.20:9073

Set MinIO client credentials. Copy client.crt and client.key from kes-server to kes-minio

cat client.crt # on kes-server
vi client.crt # on kes-minio
cat client.key # on kes-server
vi client.key # on kes-minio
export MINIO_KMS_KES_CERT_FILE=client.crt
export MINIO_KMS_KES_KEY_FILE=client.key

Set MinIO Default Key

export MINIO_KMS_KES_KEY_NAME=minio-key

Trust the KES server certificate. Copy public.crt from kes-server to kes-minio

cat public.crt # on kes-server
vi public.crt # on kes-minio
export MINIO_KMS_KES_CAPATH=public.crt

Start MinIO Server

Make certs:

mkdir -p $HOME/.minio/certs
cd $HOME/.minio/certs
wget https://github.com/minio/certgen/releases/latest/download/certgen-linux-amd64
chmod +x certgen-linux-amd64
./certgen-linux-amd64 -host "127.0.0.1"
cd $HOME

Install and run minio:

wget https://dl.min.io/server/minio/release/linux-amd64/minio
chmod +x minio
MINIO_KMS_KES_KEY_NAME=minio-key MINIO_KMS_KES_CAPATH=public.crt MINIO_KMS_KES_CERT_FILE=client.crt MINIO_KMS_KES_KEY_FILE=client.key CI=on ./minio server /tmp/data --certs-dir $HOME/.minio/certs --address :9000 --console-address :9090

Access the MinIO console at https://kes-minio.lab.min.dev:9090

In the UI, create a bucket, then select the default key (minio-key)

Observe "Encryption: Enabled" in the Bucket Summary

Upload files and check the object metadata referring to encryption