-
Notifications
You must be signed in to change notification settings - Fork 0
Install stateful KES
Cesar Celis Hernandez edited this page Oct 4, 2022
·
5 revisions
Install stateful KES
https://gist.github.com/aead/1b1a2515d2c80baaddf87eaf962fcb15
- Window1: Create a persistent directory for KES and its configuration file:
rm -rf ~/kes
mkdir ~/kes
cd ~/kes
touch init.yml
- Window1: Create identities:
- Create a sys-admin identity:
- Create a admin identity for the MinIO enclave
- Create an identity for the MinIO pods
- Create KES server private key / certificate
kes identity new --key sys-admin.key --cert sys-admin.crt kes-sys-admin
kes identity new --key minio-admin.key --cert minio-admin.crt minio-admin
kes identity new --key minio.key --cert minio.crt minio
kes identity new --ip "127.0.0.1" localhost
- Window1: Create KES unseal key:
sed -i '' '/KES_UNSEAL_KEY/d' ~/.bash_profile # delete the env var if it exist
export KES_UNSEAL_KEY=$(cat /dev/urandom | head -c 32 | base64)
echo "export KES_UNSEAL_KEY=${KES_UNSEAL_KEY}" >> ~/.bash_profile # Save it so you can use this value in another window.
- Window1: Edit KES init configuration
echo "address: 0.0.0.0:7373" > ~/kes/init.yml
echo "" >> ~/kes/init.yml
echo "tls:" >> ~/kes/init.yml
echo " key: private.key" >> ~/kes/init.yml
echo " cert: public.crt" >> ~/kes/init.yml
echo " client:" >> ~/kes/init.yml
echo " verify_cert: false" >> ~/kes/init.yml
echo "" >> ~/kes/init.yml
echo "system:" >> ~/kes/init.yml
echo " admin:" >> ~/kes/init.yml
echo " identity: $(kes identity of sys-admin.crt)" >> ~/kes/init.yml
echo "" >> ~/kes/init.yml
echo "unseal:" >> ~/kes/init.yml
echo " environment:" >> ~/kes/init.yml
echo " name: KES_UNSEAL_KEY" >> ~/kes/init.yml
echo "" >> ~/kes/init.yml
echo "enclave:" >> ~/kes/init.yml
echo " default:" >> ~/kes/init.yml
echo " admin:" >> ~/kes/init.yml
echo " identity: $(kes identity of minio-admin.crt)" >> ~/kes/init.yml
echo " policy:" >> ~/kes/init.yml
echo " minio:" >> ~/kes/init.yml
echo " allow:" >> ~/kes/init.yml
echo " - /v1/api" >> ~/kes/init.yml
echo " - /v1/log/audit" >> ~/kes/init.yml
echo " - /v1/log/error" >> ~/kes/init.yml
echo " - /v1/key/create/*" >> ~/kes/init.yml
echo " - /v1/key/generate/*" >> ~/kes/init.yml
echo " - /v1/key/decrypt/*" >> ~/kes/init.yml
echo " - /v1/key/bulk/decrypt/*" >> ~/kes/init.yml
- Window1: Initialize KES deployment
cd ~/kes # where init.yml is saved
kes init --config init.yml ~/kes/data
- Window1: Start KES server
kes server ~/kes/data
- Window2: Assign MinIO identity to MinIO policy:
# export KES_UNSEAL_KEY=<PUT-SAME-VALUE-AS-ABOVE-IF-ON-NEW-WINDOW> # No need to call this, it is in the .bash_profile already
export KES_SERVER=https://127.0.0.1:7373
export KES_CLIENT_KEY=minio-admin.key
export KES_CLIENT_CERT=minio-admin.crt
kes policy assign -k minio $(kes identity of minio.crt)
- Window2: MinIO Server Setup
https://github.com/minio/kes/wiki/MinIO-Object-Storage#minio-server-setup
- Window2: Clean previous config to start fresh:
cd /Volumes/data1
rm -rf .minio.sys/
cd /Volumes/data2
rm -rf .minio.sys/
cd /Volumes/data3
rm -rf .minio.sys/
cd /Volumes/data4
rm -rf .minio.sys/
cd ~/kes # back to original directory
export MINIO_KMS_KES_ENDPOINT=https://127.0.0.1:7373 # Set MINIO_KMS_KES_ENDPOINT
export MINIO_KMS_KES_CERT_FILE=minio.crt # Set MinIO Client Credentials
export MINIO_KMS_KES_KEY_FILE=minio.key # Set MinIO Client Credentials
export MINIO_KMS_KES_KEY_NAME=minio-default-key # Set MinIO Default Key
export MINIO_KMS_KES_CAPATH=public.crt # Trust the KES Server Certificate
export MINIO_ROOT_USER=minio
export MINIO_ROOT_PASSWORD=minio123
minio server /Volumes/data{1...4} --address :9000 --console-address :9001
- Window3: Encrypt a bucket
To be done...