
Server-Side Encryption with Client-Managed Keys (SSE-C)

The procedure on this page configures and enables Server-Side Encryption with Client-Managed Keys (SSE-C). MinIO SSE-C supports client-driven encryption of objects before writing the object to disk. Clients must specify the correct key to decrypt objects for read operations.

MinIO SSE-C is functionally compatible with Amazon Server-Side Encryption with Customer-Provided Keys.

Requirements

MinIO SSE-C requires the client to perform all key creation and storage operations.

Install and Configure mc with Access to the MinIO Cluster

This procedure uses mc for performing operations on the source MinIO deployment. Install mc on a machine with network access to the source deployment. See the mc Installation Quickstart for instructions on downloading and installing mc.

SSE-C Key Requirements

The SSE-C key must be a 256-bit base64-encoded string. The client application is responsible for generation and storage of the encryption key. MinIO does not store SSE-C encryption keys and cannot decrypt SSE-C encrypted objects without the client-managed key.

Considerations

SSE-C is Incompatible with Bucket Replication

SSE-C encrypted objects are not compatible with MinIO bucket replication. Use SSE-S3 to perform replication-compatible object encryption.

SSE-C Overrides SSE-S3

Encrypting an object using SSE-C prevents MinIO from applying SSE-S3 encryption to that object.

Procedure

1) Generate the Encryption Key

Generate the 256-bit base64-encoded string for use as the encryption key.

The following example generates a string that meets the encryption key requirements. The resulting string is appropriate for non-production environments:

head -c 32 /dev/urandom | base64

Defer to your organization's requirements for generating cryptographically secure encryption keys.

Copy the encryption key for use in the next step.

2) Encrypt an Object using SSE-C

MinIO supports the following AWS S3 headers for specifying SSE-C encryption:

  • X-Amz-Server-Side-Encryption-Customer-Algorithm set to AES256.

  • X-Amz-Server-Side-Encryption-Customer-Key set to the encryption key value.

  • X-Amz-Server-Side-Encryption-Customer-Key-MD5 set to the 128-bit MD5 digest of the encryption key.

The MinIO mc command line tool and S3-compatible SDKs include specific syntax for setting headers. Certain mc commands like mc cp include specific arguments for enabling SSE-C encryption:

mc cp ~/data/mydata.json ALIAS/BUCKET/mydata.json \
   --encrypt-key "ALIAS/BUCKET/=c2VjcmV0ZW5jcnlwdGlvbmtleWNoYW5nZW1lMTIzNAo="

  • Replace ALIAS with the alias of the MinIO deployment on which you want to write the SSE-C encrypted object.

  • Replace BUCKET with the full path to the bucket or bucket prefix to which you want to write the SSE-C encrypted object.

3) Copy an SSE-C Encrypted Object

MinIO supports the following AWS S3 headers for copying an SSE-C encrypted object to another S3-compatible service:

  • X-Amz-Copy-Source-Server-Side-Encryption-Algorithm set to AES256

  • X-Amz-Copy-Source-Server-Side-Encryption-Key set to the encryption key value. The copy operation will fail if the specified key does not match the key used to SSE-C encrypt the object.

  • X-Amz-Copy-Source-Server-Side-Encryption-Key-MD5 set to the 128-bit MD5 digest of the encryption key.

The MinIO mc command line tool and S3-compatible SDKs include specific syntax for setting headers. Certain mc commands like mc cp include specific arguments for copying SSE-C encrypted objects:

mc cp SOURCE/BUCKET/mydata.json TARGET/BUCKET/mydata.json \
   --encrypt-key "SOURCE/BUCKET/=c2VjcmV0ZW5jcnlwdGlvbmtleWNoYW5nZW1lMTIzNAo=" \
   --encrypt-key "TARGET/BUCKET/=c2VjcmV0ZW5jcnlwdGlvbmtleWNoYW5nZW1lMTIzNAo="

  • Replace SOURCE/BUCKET with the alias of the MinIO deployment from which you are reading the encrypted object and the full path to the bucket or bucket prefix from which you want to read the SSE-C encrypted object.

  • Replace TARGET/BUCKET with the alias of the MinIO deployment to which you are writing the encrypted object and the full path to the bucket or bucket prefix to which you want to write the SSE-C encrypted object.
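As an added example that is not part of the MinIO documentation or of mc, the following Python builds the three SSE-C request headers from step 2 for a client that talks to the S3 API directly rather than through mc: it generates a key the way step 1 does, rejects any key that does not decode to exactly 256 bits, and computes the Key-MD5 header over the raw key bytes (not over the base64 text). The function names and the alias/bucket values are assumptions for the example.

```python
"""SSE-C key generation and header construction (added example, not MinIO code)."""
import base64
import hashlib
import secrets

KEY_BYTES = 32  # SSE-C keys must be 256 bits before base64 encoding

# Same sample key as in the mc examples above; it decodes to 32 bytes.
SAMPLE_KEY_B64 = "c2VjcmV0ZW5jcnlwdGlvbmtleWNoYW5nZW1lMTIzNAo="


def generate_sse_c_key() -> str:
    """Python equivalent of `head -c 32 /dev/urandom | base64` using the CSPRNG."""
    return base64.b64encode(secrets.token_bytes(KEY_BYTES)).decode("ascii")


def decode_sse_c_key(key_b64: str) -> bytes:
    """Decode a base64 SSE-C key and refuse anything that is not exactly 256 bits."""
    try:
        raw = base64.b64decode(key_b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("SSE-C key is not valid base64") from exc
    if len(raw) != KEY_BYTES:
        raise ValueError(f"SSE-C key must decode to {KEY_BYTES} bytes, got {len(raw)}")
    return raw


def sse_c_headers(key_b64: str) -> dict:
    """Return the three headers a PUT/GET needs to use a client-managed key.

    The MD5 header is an integrity check so the server can detect a mangled
    key; it is computed over the raw key bytes and then base64 encoded.
    """
    raw = decode_sse_c_key(key_b64)
    key_md5_b64 = base64.b64encode(hashlib.md5(raw).digest()).decode("ascii")
    return {
        "X-Amz-Server-Side-Encryption-Customer-Algorithm": "AES256",
        "X-Amz-Server-Side-Encryption-Customer-Key": key_b64,
        "X-Amz-Server-Side-Encryption-Customer-Key-MD5": key_md5_b64,
    }


def mc_encrypt_key_arg(alias: str, bucket: str, key_b64: str) -> str:
    """Build the value mc cp expects for --encrypt-key (ALIAS/BUCKET/=KEY)."""
    decode_sse_c_key(key_b64)  # fail early on a malformed key
    return f"{alias}/{bucket}/={key_b64}"


if __name__ == "__main__":
    print(sse_c_headers(SAMPLE_KEY_B64))
    print(mc_encrypt_key_arg("myminio", "mybucket", generate_sse_c_key()))
```

A key that fails the length check here would be rejected by the server as well, so validating before the request turns an opaque error into a clear one.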