Add KMS master key from Docker secret (#7825)

2019-07-17 21:55:26 +02:00 · 2019-07-17 21:55:26 +02:00 · ea66a52ed1
parent 55dd017e62
commit ea66a52ed1
5 changed files with 40 additions and 4 deletions
--- a/3
+++ b/3
@ -16,7 +16,8 @@ FROM alpine:3.9

 ENV MINIO_UPDATE off
 ENV MINIO_ACCESS_KEY_FILE=access_key \
-    MINIO_SECRET_KEY_FILE=secret_key
+    MINIO_SECRET_KEY_FILE=secret_key \
+    MINIO_SSE_MASTER_KEY_FILE=sse_master_key

 EXPOSE 9000

--- a/Dockerfile.dev
+++ b/Dockerfile.dev
@ -7,7 +7,8 @@ COPY minio /usr/bin/

 ENV MINIO_UPDATE off
 ENV MINIO_ACCESS_KEY_FILE=access_key \
-    MINIO_SECRET_KEY_FILE=secret_key
+    MINIO_SECRET_KEY_FILE=secret_key \
+    MINIO_SSE_MASTER_KEY_FILE=sse_master_key

 RUN \
     apk add --no-cache ca-certificates 'curl>7.61.0' 'su-exec>=0.2' && \
--- a/Dockerfile.release
+++ b/Dockerfile.release
@ -18,7 +18,8 @@ COPY dockerscripts/docker-entrypoint.sh /usr/bin/

 ENV MINIO_UPDATE off
 ENV MINIO_ACCESS_KEY_FILE=access_key \
-    MINIO_SECRET_KEY_FILE=secret_key
+    MINIO_SECRET_KEY_FILE=secret_key \
+    MINIO_SSE_MASTER_KEY_FILE=sse_master_key

 RUN \
     apk add --no-cache ca-certificates 'curl>7.61.0' 'su-exec>=0.2' && \
--- a/dockerscripts/docker-entrypoint.sh
+++ b/dockerscripts/docker-entrypoint.sh
@ -39,6 +39,17 @@ docker_secrets_env() {
    fi
 }

+## Set SSE_MASTER_KEY from docker secrets if provided
+docker_sse_encryption_env() {
+    SSE_MASTER_KEY_FILE="/run/secrets/$MINIO_SSE_MASTER_KEY_FILE"
+
+    if [ -f "$SSE_MASTER_KEY_FILE" ]; then
+        MINIO_SSE_MASTER_KEY="$(cat "$SSE_MASTER_KEY_FILE")"
+        export MINIO_SSE_MASTER_KEY
+
+    fi
+}
+
 # su-exec to requested user, if service cannot run exec will fail.
 docker_switch_user() {
    if [ -z "${MINIO_USERNAME}" ] || [ -z "${MINIO_GROUPNAME}" ]; then
@ -55,5 +66,8 @@ docker_switch_user() {
 ## Set access env from secrets if necessary.
 docker_secrets_env

+## Set sse encryption from secrets if necessary.
+docker_sse_encryption_env
+
 ## Switch to user if applicable.
 docker_switch_user "$@"
--- a/docs/kms/README.md
+++ b/docs/kms/README.md
@ -12,7 +12,7 @@ MinIO supports two different KMS concepts:
   by enabling or disabling the corresponding master keys on demand.

 - Direct KMS master keys:
-   MinIO can also be configured to directly use a master key specified by the environment variable `MINIO_SSE_MASTER_KEY`.
+   MinIO can also be configured to directly use a master key specified by the environment variable `MINIO_SSE_MASTER_KEY` or with a docker secret key.
   Direct master keys are useful if the storage backend is not on the same machine as the MinIO server, e.g.,
   if network drives or MinIO gateway is used and an external KMS would cause too much management overhead.

@ -215,6 +215,8 @@ minio gateway s3

 #### 2.2 Specify a master key

+**2.2.1 KMS master key from environment variables**
+
 A KMS master key consists of a master-key ID (CMK) and the 256 bit master key encoded as HEX value separated by a `:`.
 A KMS master key can be specified directly using:

@ -228,6 +230,23 @@ Please use your own master key. A random master key can be generated using e.g.
 head -c 32 /dev/urandom | xxd -c 32 -ps
 ```

+**2.2.2 KMS master key from docker secret**
+
+Alternatively, you may pass a master key as a [Docker secret](https://docs.docker.com/engine/swarm/secrets/).
+
+```bash
+echo "my-minio-key:6368616e676520746869732070617373776f726420746f206120736563726574" | docker secret create sse_master_key
+```
+
+Obviously, do not use this demo key for anything real!
+
+To use another secret name, follow the instructions above and replace sse_master_key with your custom names (e.g. my_sse_master_key).
+Then, set the MINIO_SSE_MASTER_KEY_FILE environment variable to your secret name:
+
+```bash
+export MINIO_SSE_MASTER_KEY_FILE=my_sse_master_key
+```
+
 ### 3. Test your setup
 To test this setup, start minio server with environment variables set in Step 3, and server is ready to handle SSE-S3 requests.