MinIO SSE-S3 Encryption

MinIO supports SSE-S3 (server-side encryption with S3-managed keys) by delegating key protection to a key management system (KMS).

When a client requests SSE-S3, or when auto-encryption is enabled, the MinIO server encrypts every object with a unique per-object key, and that object key is in turn protected by a master key managed by the KMS. Because the overhead is very low, auto-encryption can be switched on for every application and every instance.

MinIO does not talk to the KMS directly; it goes through KES, and each MinIO cluster has its "own" KES instance. KES is a stateless, distributed key management server built for high-performance applications. It serves the encryption/decryption requests coming from "its" MinIO cluster, so the KMS never has to absorb that request volume; the KMS acts only as the backing store for the keys that KES protects.

The setup needs three components:

  1. A Vault server as the central key store
  2. A KES server as the middleware between MinIO and Vault
  3. The MinIO server itself

Installing Vault on Kubernetes

Chart: https://github.com/hashicorp/vault-helm
Helm repository: https://helm.releases.hashicorp.com

HA mode (needs a shared storage backend such as Consul):
  server.ha.enabled = true
  server.ha.replicas = 1
  server.ui.enabled = true (port 8200)

Standalone node:
  server.standalone.enabled = true
  server.replicas = 1

Initialize Vault (run once; the output below is this page's sample run):
/ $ vault operator init
Unseal Key 1: 0mQk974OWKaSVTXGQ0Uzyj2bte1QM3AaOpSpjgazf9QZ
Unseal Key 2: 8/WoBHinaV0gMK6GsRuhnZWgolHpnBj2jkfAAW2khxTY
Unseal Key 3: gTYfW8gB9B3mI9c8oBYzWqks2Lkfu5cjC+MzWgdKU7sr
Unseal Key 4: FqF8oLlXh3zgnt5+4itdf83ecfmp9fSDC2hDSl4YG6kS
Unseal Key 5: ACAwtnxeD9Wgiq4VeQmQkhQg5IEXo6AYUgVV1u+Bq2g0

Initial Root Token: s.SkECG9cBaD259MLYh1Zvx9jv

Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.

Vault does not store the generated master key. Without at least 3 key to
reconstruct the master key, Vault will remain permanently sealed!

It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.
/ $ 

Unseal Vault

Any 3 of the 5 shares (the threshold) unseal it. Hand each share to a different custodian and keep the root token out of files and chat logs: it is only needed for the bootstrap steps below and should be revoked afterwards with `vault token revoke -self`. Unsealing itself does not require a token; the export below is for the commands that follow.

export VAULT_TOKEN=s.SkECG9cBaD259MLYh1Zvx9jv
vault operator unseal 0mQk974OWKaSVTXGQ0Uzyj2bte1QM3AaOpSpjgazf9QZ
vault operator unseal 8/WoBHinaV0gMK6GsRuhnZWgolHpnBj2jkfAAW2khxTY
vault operator unseal gTYfW8gB9B3mI9c8oBYzWqks2Lkfu5cjC+MzWgdKU7sr
vault status

Vault is now up.
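The init-and-unseal step above, scripted so the operator never retypes shares by hand. This is an added example, not code from the page or from the Vault project. It assumes VAULT_ADDR is exported and that the text output of `vault operator init` was saved to a file readable only by the operator; the function and variable names are this example's own, and the embedded sample output is constructed in the format Vault prints, with placeholder key strings.

```shell
#!/bin/sh
# Added example: unseal a freshly initialised Vault from saved init output.
# Assumes VAULT_ADDR is set; vault itself is only invoked in unseal_vault.
set -eu

# Constructed sample in the format `vault operator init` prints.
# The key strings are placeholders, not real shares.
SAMPLE_INIT_OUTPUT='Unseal Key 1: key1placeholderAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
Unseal Key 2: key2placeholderBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=
Unseal Key 3: key3placeholderCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC=
Unseal Key 4: key4placeholderDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD=
Unseal Key 5: key5placeholderEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE=

Initial Root Token: s.placeholderRootToken

Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above.'

# Print one unseal key per line, in order, from init output on stdin.
extract_unseal_keys() {
    sed -n 's/^Unseal Key [0-9][0-9]*: *//p'
}

# Print the initial root token from init output on stdin.
extract_root_token() {
    sed -n 's/^Initial Root Token: *//p'
}

# Print the key threshold announced in the init output.
extract_threshold() {
    sed -n 's/.*key threshold of \([0-9][0-9]*\).*/\1/p'
}

# Feed exactly `threshold` shares to `vault operator unseal`, never more:
# extra shares give the operator no benefit and just widen exposure.
unseal_vault() {
    init_file=$1
    threshold=$(extract_threshold < "$init_file")
    extract_unseal_keys < "$init_file" | head -n "$threshold" |
        while IFS= read -r key; do
            vault operator unseal "$key" > /dev/null
        done
    # Should now report "Sealed: false".
    vault status
}

# Usage: sh unseal.sh /path/to/init-output.txt
if [ -n "${1:-}" ] && command -v vault > /dev/null 2>&1; then
    unseal_vault "$1"
fi
```

Each share is passed as a command argument, as on the page, so it is briefly visible in the process table; for unattended unsealing in production prefer Vault's auto-unseal with a cloud KMS or HSM rather than scripting the shares at all.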

export VAULT_TOKEN=s.SkECG9cBaD259MLYh1Zvx9jv

Enable the KV secrets engine (without `-version=2` this mounts KV version 1 at `kv/`, which is the path layout the policy below assumes):

vault secrets enable kv

Enable AppRole authentication

vault auth enable approle
Create the policy file minio-kes-policy.hcl, which grants KES only the key prefix it needs:

cat > minio-kes-policy.hcl <<EOF
path "kv/minio/*" {
  capabilities = [ "create", "read", "delete" ]
}
EOF

Load it and check what was stored:

vault policy write minio-key-policy ./minio-kes-policy.hcl
vault policy list
vault policy read minio-key-policy

Create a new AppRole and bind it to the policy

Now we create a new AppRole and give that role specific permissions. The application (the KES server) authenticates to Vault with the AppRole's role ID and secret ID, and is then allowed to perform only the operations the attached policy grants.

First, create the role for the KES server. token_num_uses=0 and secret_id_num_uses=0 mean unlimited uses; period=5m makes the issued token periodic, so KES must keep renewing it within each 5-minute window or it expires:

vault write auth/approle/role/kes-role token_num_uses=0  secret_id_num_uses=0  period=5m

Then bind the policy to the role (the two writes can also be combined into one `vault write` call):

vault write auth/approle/role/kes-role policies=minio-key-policy

Finally, request the AppRole's role ID and secret ID from Vault; both go into the KES configuration and should be handled like passwords. First, the role ID:

vault read auth/approle/role/kes-role/role-id

Then the secret ID:

vault write -f auth/approle/role/kes-role/secret-id
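The KV, policy, AppRole and credential steps above as one script, with the KV-version caveat made explicit: `vault secrets enable kv` mounts version 1, while a version 2 mount stores keys under `kv/data/` and `kv/metadata/`, so a v1-style policy silently stops working if someone later mounts v2. This is an added example, not code from the page or from the MinIO/KES project. It assumes VAULT_ADDR and a sufficiently privileged VAULT_TOKEN are exported; the variable names (MOUNT, KV_VERSION, ROLE, POLICY), the output file name and the KV v2 capability split (create/read on data paths, list/delete on metadata paths) are this example's own choices.

```shell
#!/bin/sh
# Added example: provision the Vault side of the MinIO/KES integration.
# Assumes VAULT_ADDR and VAULT_TOKEN are exported; vault is only invoked
# from main, so the rendering helper can be used without a server.
set -eu

MOUNT=${MOUNT:-kv}            # secrets engine mount path
KV_VERSION=${KV_VERSION:-1}   # `vault secrets enable kv` defaults to v1
ROLE=${ROLE:-kes-role}
POLICY=${POLICY:-minio-key-policy}

# Print the least-privilege policy for KES under the given KV version.
# v1 exposes keys directly under the mount; v2 splits data and metadata,
# so the paths (and the capabilities that matter on each) differ.
render_kes_policy() {
    case $1 in
    1)
        cat <<EOF
path "$MOUNT/minio/*" {
  capabilities = [ "create", "read", "delete" ]
}
EOF
        ;;
    2)
        cat <<EOF
path "$MOUNT/data/minio/*" {
  capabilities = [ "create", "read" ]
}
path "$MOUNT/metadata/minio/*" {
  capabilities = [ "list", "delete" ]
}
EOF
        ;;
    *)
        echo "unsupported KV version: $1" >&2
        return 1
        ;;
    esac
}

# Mount the KV engine at $MOUNT with the requested version, once.
enable_kv() {
    if ! vault secrets list -format=json | grep -q "\"$MOUNT/\""; then
        vault secrets enable -path="$MOUNT" -version="$KV_VERSION" kv
    fi
}

# Write the policy and create the role bound to it in a single call, so
# the role never exists without its policy attached.
provision_approle() {
    render_kes_policy "$KV_VERSION" | vault policy write "$POLICY" -
    vault auth list -format=json | grep -q '"approle/"' || vault auth enable approle
    vault write "auth/approle/role/$ROLE" \
        policies="$POLICY" \
        token_num_uses=0 \
        secret_id_num_uses=0 \
        token_period=5m   # called "period" in older Vault releases
}

# Fetch the role ID and a fresh secret ID; -field keeps the output scriptable.
fetch_approle_creds() {
    role_id=$(vault read -field=role_id "auth/approle/role/$ROLE/role-id")
    secret_id=$(vault write -f -field=secret_id "auth/approle/role/$ROLE/secret-id")
    printf 'ROLE_ID=%s\nSECRET_ID=%s\n' "$role_id" "$secret_id"
}

main() {
    enable_kv
    provision_approle
    umask 077                       # credentials file readable by owner only
    fetch_approle_creds > kes-approle.env
    # KES can now authenticate on its own; stop using the bootstrap token.
    vault token revoke -self
}

if command -v vault > /dev/null 2>&1; then
    main
fi
```

Run it once with KV_VERSION=1 to reproduce the page's setup, or KV_VERSION=2 if the mount is (or will be) version 2; either way the resulting kes-approle.env holds the two values the KES configuration needs and nothing else.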