Install stateful KES - cniackz/public GitHub Wiki

Objective:

Install stateful KES

Inspired by:

Steps:

  • Window1: Create a persistent directory for KES and its configuration file:
rm -rf ~/kes
mkdir ~/kes
cd ~/kes
touch init.yml
  • Window1: Create identities:
    • Create a sys-admin identity:
    • Create an admin identity for the MinIO enclave
    • Create an identity for the MinIO pods
    • Create KES server private key / certificate
kes identity new --key sys-admin.key --cert sys-admin.crt kes-sys-admin
kes identity new --key minio-admin.key --cert minio-admin.crt minio-admin
kes identity new --key minio.key --cert minio.crt minio
kes identity new --ip "127.0.0.1" localhost # no --key/--cert given, so this writes the defaults private.key and public.crt, which init.yml references as tls.key / tls.cert
  • Window1: Create KES unseal key:
sed -i '' '/KES_UNSEAL_KEY/d' ~/.bash_profile # delete the env var if it already exists (macOS sed syntax)
export KES_UNSEAL_KEY=$(head -c 32 /dev/urandom | base64) # 32 random bytes, base64-encoded
echo "export KES_UNSEAL_KEY=${KES_UNSEAL_KEY}" >> ~/.bash_profile # Save it so you can use this value in another window; note that anyone able to read ~/.bash_profile can then unseal KES
  • Window1: Edit KES init configuration
echo "address: 0.0.0.0:7373" > ~/kes/init.yml
echo "" >> ~/kes/init.yml
echo "tls:" >> ~/kes/init.yml
echo "  key: private.key" >> ~/kes/init.yml
echo "  cert: public.crt" >> ~/kes/init.yml
echo "  client:" >> ~/kes/init.yml
echo "    verify_cert: false" >> ~/kes/init.yml # client certs are not chain-verified against a CA; KES authorizes by identity (public-key hash) instead
echo "" >> ~/kes/init.yml
echo "system:" >> ~/kes/init.yml
echo "  admin:" >> ~/kes/init.yml
echo "    identity: $(kes identity of sys-admin.crt)" >> ~/kes/init.yml
echo "" >> ~/kes/init.yml
echo "unseal:" >> ~/kes/init.yml
echo "  environment:" >> ~/kes/init.yml
echo "    name: KES_UNSEAL_KEY" >> ~/kes/init.yml
echo "" >> ~/kes/init.yml
echo "enclave:" >> ~/kes/init.yml
echo "  default:" >> ~/kes/init.yml
echo "    admin:" >> ~/kes/init.yml
echo "      identity: $(kes identity of minio-admin.crt)" >> ~/kes/init.yml
echo "    policy:" >> ~/kes/init.yml
echo "      minio:" >> ~/kes/init.yml
echo "        allow:" >> ~/kes/init.yml
echo "        - /v1/api" >> ~/kes/init.yml
echo "        - /v1/log/audit" >> ~/kes/init.yml
echo "        - /v1/log/error" >> ~/kes/init.yml
echo "        - /v1/key/create/*" >> ~/kes/init.yml
echo "        - /v1/key/generate/*" >> ~/kes/init.yml
echo "        - /v1/key/decrypt/*" >> ~/kes/init.yml
echo "        - /v1/key/bulk/decrypt/*" >> ~/kes/init.yml
  • Window1: Initialize KES deployment
cd ~/kes # where init.yml is saved
kes init --config init.yml ~/kes/data
  • Window1: Start KES server
kes server ~/kes/data
  • Window2: Assign MinIO identity to MinIO policy:
# export KES_UNSEAL_KEY=<PUT-SAME-VALUE-AS-ABOVE-IF-ON-NEW-WINDOW> # Not needed here: a new window already picks it up from ~/.bash_profile
export KES_SERVER=https://127.0.0.1:7373
export KES_CLIENT_KEY=minio-admin.key # relative to ~/kes, so run these commands from there
export KES_CLIENT_CERT=minio-admin.crt # the enclave admin identity is the one that may assign policies
kes policy assign -k minio $(kes identity of minio.crt) # -k skips TLS verification of the self-signed KES server certificate
  • Window2: MinIO Server Setup

https://github.com/minio/kes/wiki/MinIO-Object-Storage#minio-server-setup

  • Window2: Clean previous config to start fresh:
cd /Volumes/data1
rm -rf .minio.sys/

cd /Volumes/data2
rm -rf .minio.sys/

cd /Volumes/data3
rm -rf .minio.sys/

cd /Volumes/data4
rm -rf .minio.sys/
cd ~/kes # back to original directory
export MINIO_KMS_KES_ENDPOINT=https://127.0.0.1:7373 # KES server address
export MINIO_KMS_KES_CERT_FILE=minio.crt # MinIO client certificate (the "minio" identity assigned to the policy above)
export MINIO_KMS_KES_KEY_FILE=minio.key # MinIO client private key
export MINIO_KMS_KES_KEY_NAME=minio-default-key # MinIO default key; MinIO creates it in KES on startup if it does not exist yet (hence /v1/key/create/* in the policy)
export MINIO_KMS_KES_CAPATH=public.crt # Trust the KES Server Certificate
export MINIO_ROOT_USER=minio
export MINIO_ROOT_PASSWORD=minio123
minio server /Volumes/data{1...4} --address :9000 --console-address :9001
  • Window3: Encrypt a bucket
mc alias set myminio http://localhost:9000 minio minio123 # create alias
mc rb myminio/my-bucket --force # remove previous bucket to start fresh
mc mb myminio/my-bucket # create new bucket
mc admin kms key create myminio minio-my-bucket # create key
mc encrypt set sse-kms minio-my-bucket myminio/my-bucket # encrypt bucket
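
The `minio` policy in init.yml is an allow list over KES API paths, and `kes policy assign` binds the MinIO identity to it. The Go program below is an added example (not from this wiki or from KES) that evaluates that allow list against the requests MinIO makes during the bucket-encryption step and against requests a MinIO credential should not be able to make. It assumes KES matches policy patterns with Go `path.Match` semantics, deny before allow, which is how KES releases of this period evaluate policies; `Policy`, `Allowed`, `probes` and `Audit` are this example's own names.

```go
package main

import (
	"fmt"
	"path"
)

// Policy mirrors the allow/deny lists of a KES policy entry in init.yml.
type Policy struct {
	Allow []string
	Deny  []string
}

// Allowed reports whether a request for apiPath passes the policy. Deny
// patterns win over allow patterns, and matching uses path.Match semantics
// (assumed here to mirror KES): "*" matches one path segment and never
// crosses a "/", and a request matching no pattern at all is refused.
func (p Policy) Allowed(apiPath string) bool {
	for _, pat := range p.Deny {
		if ok, err := path.Match(pat, apiPath); err == nil && ok {
			return false
		}
	}
	for _, pat := range p.Allow {
		if ok, err := path.Match(pat, apiPath); err == nil && ok {
			return true
		}
	}
	return false
}

// minioPolicy is the "minio" policy from the init.yml written above.
var minioPolicy = Policy{
	Allow: []string{
		"/v1/api",
		"/v1/log/audit",
		"/v1/log/error",
		"/v1/key/create/*",
		"/v1/key/generate/*",
		"/v1/key/decrypt/*",
		"/v1/key/bulk/decrypt/*",
	},
}

// probes: requests MinIO makes during the bucket-encryption step (should
// pass) and requests a misused MinIO credential must not get (should fail).
// The key names are the ones used in the steps above.
var probes = []struct {
	Path string
	Want bool
}{
	{"/v1/key/create/minio-my-bucket", true},
	{"/v1/key/generate/minio-my-bucket", true},
	{"/v1/key/decrypt/minio-default-key", true},
	{"/v1/key/bulk/decrypt/minio-default-key", true},
	{"/v1/key/delete/minio-my-bucket", false},   // no delete route is granted
	{"/v1/key/list/minio-*", false},             // cannot enumerate keys
	{"/v1/policy/assign/minio", false},          // cannot widen its own policy
	{"/v1/identity/describe/minio", false},      // cannot inspect identities
	{"/v1/key/create/tenant-a/extra", false},    // "*" stays within one segment
}

// Audit returns the probes whose outcome differs from what the policy is
// meant to do; an empty result means the allow list behaves as intended.
func Audit(p Policy) []string {
	var mismatches []string
	for _, pr := range probes {
		if got := p.Allowed(pr.Path); got != pr.Want {
			mismatches = append(mismatches, fmt.Sprintf("%s: allowed=%v, want %v", pr.Path, got, pr.Want))
		}
	}
	return mismatches
}

func main() {
	for _, pr := range probes {
		fmt.Printf("%-42s allowed=%v\n", pr.Path, minioPolicy.Allowed(pr.Path))
	}
	if m := Audit(minioPolicy); len(m) > 0 {
		fmt.Println("policy mismatches:", m)
	}
}
```

Run it whenever the allow list in init.yml changes: a new route added for convenience (a `/v1/key/*` wildcard, say) would show up as an unexpected pass on the delete and list probes before it reaches a running KES.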

Result:

Cesars-MacBook-Pro:kes cniackz$ mc admin kms key create myminio minio-my-bucket
Created master key `minio-my-bucket` successfully
Cesars-MacBook-Pro:kes cniackz$ mc encrypt set sse-kms minio-my-bucket myminio/my-bucket
Auto encryption configuration has been set successfully for myminio/my-bucket
  • Tested: Tue Oct 4 2022 3:03 PM <--- PASS