
vm broker ‐ kes ‐ azure

Allan Roger Reid edited this page Dec 4, 2024 · 9 revisions

Create a free account with Azure and navigate to https://portal.azure.com/#home


Create a vault with Permission Model = Vault access policy (minio-vault)

https://learn.microsoft.com/en-us/azure/key-vault/general/quick-create-portal

Navigate to App Registrations > New Registration and name the app kes-azure. Save the details shown on the registration overview:

Application (client) ID: 0bfb043e-8b07-4d45-8699-0d08ec6fe272
Object ID: afd69acd-fe34-403f-a96a-2e8be5292646
Directory (tenant) ID: 32775425-58d7-44cd-b553-fbf2419858b0

Create a client secret: navigate to Certificates & secrets > New client secret, choose an expiry of 12 months, then click Add and save the details. Treat the Value as a credential: it is shown only once at creation, and a secret that has been pasted into a wiki page or committed to a repository should be rotated.

Value: QtE8Q~G8le~ixTO4ovynfO8r1yQyz4kmFkvI7cSH
Secret ID: 19124252-1d8b-4f0f-ac0a-20096b4d134b

Navigate to Overview. Client credentials now reads "0 certificate, 1 secret". The three values KES needs are:

The application / client ID: 0bfb043e-8b07-4d45-8699-0d08ec6fe272
The directory / tenant ID: 32775425-58d7-44cd-b553-fbf2419858b0
The value of the newly created secret: QtE8Q~G8le~ixTO4ovynfO8r1yQyz4kmFkvI7cSH

Under Vault Services > Key Vault, navigate to the vault, then choose Access Policies.

Create a Key Vault policy with the secret permissions get, list, set, delete and purge, then click Next. Secret (not key) permissions are what KES needs here, because it stores the master keys it manages as Key Vault secrets; purge lets KES remove the soft-deleted secret when a key is deleted.

Assign the policy to the kes-azure principal, click Next, then Save.

Observe the Key Vault to confirm the policy is listed.

On kes-server:

```shell
ssh -p 20070 [email protected] -o "ServerAliveInterval=5" -o "ServerAliveCountMax=100000" -o "StrictHostKeyChecking=off"
```

In the KES config file config-azure.yml, modify the keystore section:

```yaml
address: 0.0.0.0:9073 # Listen on all network interfaces on port 9073

admin:
  identity: disabled  # No admin identity: only identities listed under policy can call the API

tls:
  key: private.key    # The KES server TLS private key
  cert: public.crt    # The KES server TLS certificate

policy:
  minio:
    allow:
    - /v1/key/create/minio-key*
    - /v1/key/generate/minio-key*
    - /v1/key/decrypt/minio-key*
    - /v1/key/list/*    # list and delete are granted for every key, not only minio-key*
    - /v1/key/delete/*
    identities:
    - f8735a5493fd877797a196509822cd676d7f65a6f72bca975cb6d79d2f19a634 # Use the identity of your client.crt (kes identity of client.crt)

keystore:
  azure:
    keyvault:
      endpoint: "https://vault-minio.vault.azure.net"    # Use your KeyVault instance endpoint. (Key Vault > Properties > Vault URI)
      credentials:
        tenant_id: "32775425-58d7-44cd-b553-fbf2419858b0" # Directory (tenant) ID
        client_id: "0bfb043e-8b07-4d45-8699-0d08ec6fe272" # Application (client) ID
        client_secret: "QtE8Q~G8le~ixTO4ovynfO8r1yQyz4kmFkvI7cSH"  # Client Secret Value
```

Start the KES server:

```shell
./kes server --config config-azure.yml
```

Connect to kes-minio:

```shell
ssh -p 20044 [email protected] -o "ServerAliveInterval=5" -o "ServerAliveCountMax=100000" -o "StrictHostKeyChecking=off"
loginctl enable-linger ubuntu   # keep the ubuntu user's services running after logout
```

Set MINIO_KMS_KES_ENDPOINT:

```shell
export MINIO_KMS_KES_ENDPOINT=https://kes-server.lab.min.dev:9073
```

Set the MinIO client credentials. Copy client.crt and client.key from kes-server (cat each file there, paste the contents into a file of the same name here), then point MinIO at them:

```shell
cat client.crt
vi client.crt
cat client.key
vi client.key
export MINIO_KMS_KES_CERT_FILE=client.crt
export MINIO_KMS_KES_KEY_FILE=client.key
```

Set the MinIO default key:

```shell
export MINIO_KMS_KES_KEY_NAME=minio-key
```

Trust the KES server certificate. Copy public.crt from kes-server the same way. MinIO validates the KES server certificate against this file, so the host in MINIO_KMS_KES_ENDPOINT (DNS name or IP) must appear in the certificate's subject alternative names:

```shell
cat public.crt
vi public.crt
export MINIO_KMS_KES_CAPATH=public.crt
```

Start MinIO Server

Make certs:

```shell
mkdir -p $HOME/.minio/certs
cd $HOME/.minio/certs
wget https://github.com/minio/certgen/releases/latest/download/certgen-linux-amd64
chmod +x certgen-linux-amd64
./certgen-linux-amd64 -host "127.0.0.1"   # writes public.crt and private.key for the MinIO server itself
cd $HOME
```

Install and run minio. Note that this command passes the KES endpoint by IP address rather than the DNS name exported above; whichever form is used must be covered by the KES certificate's SANs:

```shell
wget https://dl.min.io/server/minio/release/linux-amd64/minio
chmod +x minio
MINIO_KMS_KES_ENDPOINT=https://10.214.226.181:9073 MINIO_KMS_KES_CAPATH=public.crt MINIO_KMS_KES_CERT_FILE=client.crt MINIO_KMS_KES_KEY_FILE=client.key MINIO_KMS_KES_KEY_NAME=minio-key CI=on ./minio server /tmp/data --certs-dir $HOME/.minio/certs --address :9000 --console-address :9090
```

On the MinIO console at https://kes-minio.lab.min.dev:9090/login, create a new bucket and a key.


Test encryption


Note that the Key Vault API calls made by KES are visible in the vault's logs in Azure.
