MinIO Object Storage Encryption in Practice

1. About MinIO object storage encryption
MinIO object storage supports both server-side encryption and client-side encryption.
1.1 Server-side encryption
The server encrypts each object before it is written to disk and decrypts it transparently when the object is downloaded.
MinIO offers two concrete server-side encryption modes:
SSE-S3 (server-side encryption with keys managed on the server side, here through KES and Vault)
SSE-C (server-side encryption with a customer-provided key that is sent with every request)
1.2 Client-side encryption
The client encrypts the object and then uploads the ciphertext; the client also decrypts the object after downloading it. The server never sees the key or the plaintext.
2. MinIO encryption in practice
2.1 SSE-S3 in practice
2.1.1 Deploy Vault
1. Generate a TLS certificate for the Vault service
# mkdir /vault && cd /vault
# kes tool identity new --server --key vault-tls.key -- --ip "127.0.0.1" --dns localhost
2. Generate the Vault service configuration file
# cat > /vault/vault-config.json <<EOF
{
"api_addr": "127.0.0.1:8200",
"backend": {
"file": {
"path": "/vault/file"
}
},
"default_lease_ttl": "168h",
"max_lease_ttl": "720h",
"listener": {
"tcp": {
"address": "0.0.0.0:8200",
"tls_cert_file": "",
"tls_key_file": "vault-tls.key",
"tls_min_version": "tls12"
}
}
}
EOF
Note that Vault is run with the file backend here. For high availability you may want a different backend, such as or.
3. Start the Vault service
# vault server -config /vault/vault-config.json
4. Initialize the Vault service. Initialization prints five unseal keys and the Initial Root Token; record them, they are shown only once.
# cat / >> /etc/pki/tls/
# export VAULT_ADDR='https://127.0.0.1:8200'
# vault operator init
Unseal Key 1: 2UdRWTs2OW180j3VmdFT8etIduOeKx9qfG6Mru4gIASJ
Unseal Key 2: 51N6gWQpQ9xj6IbIJkGVdGjCURzpDcXYifomWUX278ZF
Unseal Key 3: w+pUdOSsR+awHF3ca9x0OtvQcdVhEkXiFBX26U0mpAsh
Unseal Key 4: bWXZPvccAVuqXDa5ufG5dx/5JDByRb+9W+TgwXtdMEP2
Unseal Key 5: hETyueJ4ovsDpwlwrhf8AqMgHvd56BMW26yomsrbDpNT
Initial Root Token: s.Oy3abPynrVZBvB9ixZGbVdf1
5. Unseal. Vault must be unsealed before it can be used; any 3 of the 5 unseal keys are enough (the default threshold).
# vault operator unseal 2UdRWTs2OW180j3VmdFT8etIduOeKx9qfG6Mru4gIASJ
# vault operator unseal 51N6gWQpQ9xj6IbIJkGVdGjCURzpDcXYifomWUX278ZF
# vault operator unseal w+pUdOSsR+awHF3ca9x0OtvQcdVhEkXiFBX26U0mpAsh
# vault status
6. Enable the KV secrets engine. Without -version=2 this mounts KV version 1, which is what the kv/minio/* paths in the policy of step 8 assume; a KV v2 mount would need kv/data/minio/* instead.
# export VAULT_TOKEN=s.Oy3abPynrVZBvB9ixZGbVdf1
# vault secrets enable kv
# vault secrets list
7. Enable AppRole authentication
# vault auth enable approle
# vault auth list
8. Create a policy that only lets KES create, read and delete keys under kv/minio/
# cd /vault
# cat > minio-kes-policy.hcl <<EOF
path "kv/minio/*" {
capabilities = [ "create", "read", "delete" ]
}
EOF
# vault policy write minio-key-policy ./minio-kes-policy.hcl
# vault policy list
# vault policy read minio-key-policy
9. Create a new AppRole and bind it to the policy
# vault write auth/approle/role/kes-role token_num_uses=0 secret_id_num_uses=0 period=5m
# vault write auth/approle/role/kes-role policies=minio-key-policy
10. Get the AppRole Role ID and Secret ID (both go into the KES configuration later)
# vault read auth/approle/role/kes-role/role-id
Key        Value
---        -----
role_id    d461eddf-db49-b261-b08a-6f7201992e33
# vault write -f auth/approle/role/kes-role/secret-id
Key                  Value
---                  -----
secret_id            2646ee0c-8a7a-7e79-bf5a-52f1e3f203bd
secret_id_accessor  ……
2.1.2 Deploy KES
1. Generate a TLS certificate for the KES service
# mkdir /kes && cd /kes
# kes tool identity new --server --key kes-tls.key -- --ip "127.0.0.1" --dns localhost
2. Create the MinIO identity
To connect to the KES server, a user or application must present a valid X.509 certificate, so every MinIO cluster needs an X.509 TLS client certificate for authentication.
**Create a (self-signed) certificate**
# kes tool identity new --key=minio.key -- --time=8760h MinIO
Here MinIO is the [subject name]; choose a name that fits your deployment.
**Get the certificate identity**
# kes tool identity
Identity:  672e00c31f9276ac0e98e5e9ddfe99e36d0e05d4e8a405185e5c30d9b948134b
3. Create the KES configuration file
# cat > kes-config.yaml << EOF
# Refer: https://github.com/minio/kes/blob/master/server-config.yaml
# The TCP address (ip:port) for the KES server to listen on.
address: 0.0.0.0:7373
tls:
  key:  kes-tls.key
  cert:
policy:
  minio:
    paths:
    - /v1/key/create/minio-*
    - /v1/key/generate/minio-*
    - /v1/key/decrypt/minio-*
    identities:
    - 672e00c31f9276ac0e98e5e9ddfe99e36d0e05d4e8a405185e5c30d9b948134b # identity
cache:
  expiry:
    any:    5m0s
    unused: 20s
keystore:
  vault:
    endpoint: https://127.0.0.1:8200  # The Vault endpoint
    prefix:  minio                    # The domain resp. prefix at Vault's K/V backend
    approle:
      id:    "d461eddf-db49-b261-b08a-6f7201992e33"    # Your AppRole Role ID
      secret: "2646ee0c-8a7a-7e79-bf5a-52f1e3f203bd"    # Your AppRole Secret ID
      retry:  15s  # Duration until the server tries to re-authenticate after connection loss.
    tls:
      ca: /  # Since we use self-signed certificates
    status:
      ping: 10s
EOF
4. Start KES
# kes server --config=kes-config.yaml --mlock --root=disabled --auth=off
Because the certificates are self-signed, --auth=off makes KES skip verifying client certificates against a CA; it still derives each client's identity from the certificate it presents, so the policy above still decides what the client may do. --root=disabled removes the root identity, so nothing can bypass that policy, and --mlock keeps key material from being swapped to disk.
5. Create a key
# cat / >> /etc/pki/tls/
# export KES_CLIENT_KEY=/kes/minio.key
# export KES_CLIENT_CERT=/
# kes key create minio-key-1
6. Check the key in Vault
# export VAULT_TOKEN=s.Oy3abPynrVZBvB9ixZGbVdf1
# vault kv list kv/minio
# vault kv get kv/minio/minio-key-1
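The policy section of kes-config.yaml is what makes this deployment least-privilege, so it is worth seeing how KES applies it. The following POSIX shell script is an added example, not part of the article or of KES itself: it models the evaluation rule (an identity gets the path patterns of the policy it is listed under, a request is allowed when its path matches one of those glob patterns, everything else is denied, and with --root=disabled no identity bypasses this). The identity hash and the three patterns are copied from the configuration above; the identity `deadbeef` is invented to show the deny case.

```shell
#!/bin/sh
# Added example (not from the article or from KES): a shell model of how the
# "policy" section of kes-config.yaml is applied to a request.
# Identity hash and path patterns copied from the article's config; the
# identity "deadbeef" is invented for the deny case.

MINIO_IDENTITY=672e00c31f9276ac0e98e5e9ddfe99e36d0e05d4e8a405185e5c30d9b948134b
# policy "minio": the only three operations MinIO needs for SSE-S3, and only on
# keys whose name starts with "minio-"; no delete, no list, no other key names.
POLICY_MINIO='/v1/key/create/minio-* /v1/key/generate/minio-* /v1/key/decrypt/minio-*'

# policy_patterns IDENTITY: print the patterns bound to IDENTITY, or fail when
# no policy lists it (the root identity is disabled, so nothing bypasses this).
policy_patterns() {
    case "$1" in
        "$MINIO_IDENTITY") printf '%s\n' "$POLICY_MINIO" ;;
        *) return 1 ;;
    esac
}

# kes_allow IDENTITY PATH: 0 if the request is allowed, 1 if it is denied
kes_allow() {
    patterns=$(policy_patterns "$1") || return 1
    for pat in $patterns; do
        # $pat must stay unquoted so the shell treats it as a glob pattern
        case "$2" in $pat) return 0 ;; esac
    done
    return 1
}

# show IDENTITY PATH: print one line of the decision table
show() {
    if kes_allow "$1" "$2"; then d=allow; else d=DENY; fi
    printf '%-5s %-10.10s %s\n' "$d" "$1" "$2"
}

show "$MINIO_IDENTITY" /v1/key/create/minio-key-1      # allow
show "$MINIO_IDENTITY" /v1/key/generate/minio-key-1    # allow
show "$MINIO_IDENTITY" /v1/key/decrypt/minio-key-1     # allow
show "$MINIO_IDENTITY" /v1/key/delete/minio-key-1      # DENY: not in the policy
show "$MINIO_IDENTITY" /v1/key/create/other-key        # DENY: wrong key prefix
show deadbeef          /v1/key/create/minio-key-1      # DENY: unknown identity
```

The last three lines are the ones to keep in mind when widening the policy: a MinIO server compromised through some other path can only create, generate and decrypt keys named minio-*; it cannot delete them, and a stolen certificate for any other identity gets nothing at all.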
2.1.3 Deploy MinIO
1. Generate a TLS certificate for the MinIO service
# cd /root/.minio/certs
# openssl req -new -x509 -days 3650 -key private.key - -subj "/C=CN/ST=GD/L=SZ/O=example/ample"
MinIO looks for the pair private.key and public.crt in this certs directory; the command assumes private.key has already been generated.
2. Start MinIO
# export MINIO_KMS_KES_ENDPOINT=https://127.0.0.1:7373
# export MINIO_KMS_KES_KEY_FILE=/kes/minio.key
# export MINIO_KMS_KES_CERT_FILE=/
# export MINIO_KMS_KES_KEY_NAME=minio-key-1
# export MINIO_ACCESS_KEY=QS8W8H15JS0F6ZRN0F9S
# export MINIO_SECRET_KEY=IRDCiiHxhVd5eDbkcVRh77R00VdS3NTgx5J7JXg4
# minio server /data --address :443 --certs-dir /root/.minio/certs
2.1.4 Verify encryption
1. Enable automatic encryption on the bucket (the mc alias myminio is assumed to already point at this MinIO server). Every object uploaded to the bucket is then encrypted automatically.
# mc mb myminio/bucket1
# mc encrypt set sse-s3 myminio/bucket1
Auto encryption configuration has been set successfully for myminio/bucket1
# mc encrypt info myminio/bucket1
Auto encryption 'sse-s3' is enabled
2. Upload a test file to the bucket.
# cat > << EOF
This is a test!
EOF
# mc myminio/bucket1
3. Check the object's status in the bucket: it is encrypted.
# mc stat myminio/
Name      :
……
Encrypted :
X-Amz-Server-Side-Encryption: AES256
4. Download the test file; it is decrypted automatically.
# mc cp myminio/ /tmp
# cat /
This is a test!
2.2 SSE-C in practice
MinIO supports server-side encryption with a customer-provided key (SSE-C): the client sends the key with each request and the server uses it only for that request.
1. Create a bucket
# mc mb myminio/bucket2
# mc encrypt info myminio/bucket2
mc: <ERROR> Unable to get encryption info. The server side encryption configuration was not found.
2. Upload a test file, supplying an SSE-C key (the value is the base64 encoding of a 32-byte key)
# mc cp --encrypt-key "myminio/bucket2=MzJieXRlc2xvbmdzZWNyZWFiY2RlZmcJZ2l2ZW5uMjE=" /  myminio/bucket2
/:    16 B / 16 B ┃▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓┃ 2.32 KiB/s 0s
3. Download the test file, supplying the correct SSE-C key
# mc cp --encrypt-key "myminio/bucket2=MzJieXRlc2xvbmdzZWNyZWFiY2RlZmcJZ2l2ZW5uMjF=" myminio/ /tmp
..16.2.106/:  16 B / 16 B ┃▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓┃ 2.27 KiB/s 0s
4. Download the test file with a wrong SSE-C key: the request is refused. The server keeps no copy of an SSE-C key, so an object stored this way cannot be read, or recovered, without the key used at upload.
# mc cp --encrypt-key "myminio/bucket2=wrongpassword" myminio/ /tmp
mc: <ERROR> Unable to validate source `myminio/`.
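The behaviour seen in the upload and the two downloads follows from how SSE-C keys are defined. As an added example that is not part of the original article, the following POSIX shell functions validate a key the way the server will: the base64 must decode to exactly 32 bytes (an AES-256 key). They also show why the download with the correct key worked although its base64 string ends in MjF= rather than the MjE= used at upload: the two low bits of the final sextet are padding, which lenient decoders (GNU base64, and Go's encoding/base64 in its default non-strict mode, which mc is built on) discard, so both strings decode to the same 32 bytes. The three key strings are copied from the article.

```shell
#!/bin/sh
# Added example (not part of the original article): validate an SSE-C key the
# way the server does before handing it to mc or an S3 SDK. SSE-C keys are raw
# 32-byte AES-256 keys, sent base64-encoded; anything else is rejected, and the
# server keeps no copy of the key, so a lost key means an unreadable object.

# The three base64 strings used in the article: the upload key, the download
# key (differs only in its final character) and the deliberately wrong one.
KEY_UPLOAD='MzJieXRlc2xvbmdzZWNyZWFiY2RlZmcJZ2l2ZW5uMjE='
KEY_DOWNLOAD='MzJieXRlc2xvbmdzZWNyZWFiY2RlZmcJZ2l2ZW5uMjF='
KEY_WRONG='wrongpassword'

# ssec_key_bytes B64 FILE: decode B64 into FILE; succeed only if it is valid
# base64 that yields exactly 32 bytes.
ssec_key_bytes() {
    printf '%s' "$1" | base64 -d >"$2" 2>/dev/null || return 1
    [ "$(wc -c <"$2" | tr -d ' ')" -eq 32 ]
}

# ssec_key_ok B64: 0 if usable as an SSE-C key, 1 otherwise
ssec_key_ok() {
    f=$(mktemp)
    ssec_key_bytes "$1" "$f"; rc=$?
    rm -f "$f"
    return $rc
}

# ssec_same_key B64_A B64_B: 0 if both strings decode to identical 32-byte keys.
# "MjE=" and "MjF=" only differ in the two padding bits of the last sextet,
# which lenient decoders discard, so the article's upload and download keys
# are byte-for-byte the same key.
ssec_same_key() {
    a=$(mktemp); b=$(mktemp)
    ssec_key_bytes "$1" "$a" && ssec_key_bytes "$2" "$b" && cmp -s "$a" "$b"
    rc=$?
    rm -f "$a" "$b"
    return $rc
}

for k in "$KEY_UPLOAD" "$KEY_DOWNLOAD" "$KEY_WRONG"; do
    if ssec_key_ok "$k"; then echo "usable 32-byte SSE-C key: $k"; else echo "rejected: $k"; fi
done
ssec_same_key "$KEY_UPLOAD" "$KEY_DOWNLOAD" && echo "upload and download keys are byte-identical"
```

A real client also sends the MD5 of the raw key in the x-amz-server-side-encryption-customer-key-MD5 header, which the server checks before attempting decryption so that a mistyped key fails cleanly rather than producing garbage; mc computes that header for you. Generate production keys from a CSPRNG (for example 32 bytes from /dev/urandom, base64-encoded) rather than from a phrase like the one above, and store them somewhere the bucket owner controls, because MinIO cannot recover them.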
2.3 Client-side encryption in practice
s3cmd supports client-side encryption; mc does not seem to offer it.
# s3cmd put -h
……
-e, --encrypt        Encrypt files before uploading to S3.
1. Set the s3cmd encryption passphrase
# vi /root/.s3cfg
gpg_command = /usr/bin/gpg
gpg_decrypt = %(gpg_command)s -d --verbose --no-use-agent --batch --yes --passphrase-fd %(passphrase_fd)s -o %(output_file)s %(input_file)s
gpg_encrypt = %(gpg_command)s -c --verbose --no-use-agent --batch --yes --passphrase-fd %(passphrase_fd)s -o %(output_file)s %(input_file)s
**gpg_passphrase = `123456`**
……
As the configuration shows, s3cmd simply calls /usr/bin/gpg to encrypt and decrypt objects: gpg -c is symmetric encryption under the passphrase, so anyone holding both the ciphertext and gpg_passphrase can decrypt. The passphrase sits in clear text in ~/.s3cfg, so keep that file readable only by its owner (mode 600) and use something far stronger than the 123456 shown here.
2. Upload the test file
# s3cmd -e s3://bucket3
upload: '/tmp/tmpfile-NInvNVIC2zPu8wfqFaPv' -> 's3://'  [1 of 1]
59 of 59  100% in    0s  1338.84 B/s  done
3. Download the test file
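To make the client-side property concrete, here is the gpg round trip that s3cmd runs behind `s3cmd put -e` and `s3cmd get`, done by hand so that what the server stores is visible. This is an added example, not code from the article or from s3cmd; the working directory, file names and passphrase are invented, and the gpg flags --pinentry-mode loopback and --passphrase-fd 0 are the GnuPG 2.1+ way of doing what the --no-use-agent/--passphrase-fd pair in the .s3cfg templates above does.

```shell
#!/bin/sh
# Added example, not from the article or from s3cmd: the symmetric gpg round
# trip that `s3cmd put -e` / `s3cmd get` perform via the gpg_encrypt and
# gpg_decrypt templates in .s3cfg, done by hand. The only thing the server
# would ever receive is the .gpg file. Paths, file names and the passphrase
# are invented for this example. Requires GnuPG 2.1 or newer.

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
export GNUPGHOME="$work/gnupg"   # private keyring dir so the demo leaves no trace
mkdir -m 700 "$GNUPGHOME"

# gpg_sym_encrypt PASSPHRASE IN OUT
# The passphrase arrives on fd 0 (the .s3cfg templates use --passphrase-fd the
# same way), so it never appears in the process list.
gpg_sym_encrypt() {
    printf '%s\n' "$1" | gpg --batch --yes --quiet --pinentry-mode loopback \
        --passphrase-fd 0 --symmetric --output "$3" "$2"
}

# gpg_sym_decrypt PASSPHRASE IN OUT: non-zero exit on a wrong passphrase
gpg_sym_decrypt() {
    printf '%s\n' "$1" | gpg --batch --yes --quiet --pinentry-mode loopback \
        --passphrase-fd 0 --decrypt --output "$3" "$2" 2>/dev/null
}

# client_side_roundtrip PASSPHRASE: returns 0 only if the ciphertext does not
# contain the plaintext, a wrong passphrase is rejected, and the right one
# restores the original file byte for byte.
client_side_roundtrip() {
    plain="$work/object.txt"
    enc="$work/object.txt.gpg"          # this is what s3cmd would upload
    dec="$work/object.restored.txt"
    printf 'This is a test!\n' >"$plain"            # constructed sample object
    gpg_sym_encrypt "$1" "$plain" "$enc" || return 1
    if grep -q 'This is a test' "$enc"; then return 1; fi
    if gpg_sym_decrypt "not-$1" "$enc" "$dec"; then return 1; fi
    gpg_sym_decrypt "$1" "$enc" "$dec" || return 1
    cmp -s "$plain" "$dec"
}

if command -v gpg >/dev/null 2>&1; then
    if client_side_roundtrip 'example-passphrase-change-me'; then
        echo "client-side round trip OK; the server-side artefact is $work/object.txt.gpg"
    else
        echo "client-side round trip FAILED" >&2
    fi
else
    echo "gpg is not installed; nothing to demonstrate" >&2
fi
```

Because the key never leaves the client, neither SSE-S3's bucket setting nor the KES/Vault chain of section 2.1 is involved here; the trade-off is that key management (rotation, loss, sharing between readers) is entirely the client's problem, and with a passphrase in ~/.s3cfg it is only as good as that file's protection.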

Published: 2024-09-23 05:26:27

Original link: https://www.17tex.com/tex/3/179999.html
