diff --git a/content/_includes/params/enclave.md b/content/_includes/params/enclave.md deleted file mode 100644 index df403f0..0000000 --- a/content/_includes/params/enclave.md +++ /dev/null @@ -1,3 +0,0 @@ -_Optional_ - -The short name of the KES enclave to output information about. \ No newline at end of file diff --git a/content/_includes/server-config.md b/content/_includes/server-config.md index 6aa8318..8e46024 100644 --- a/content/_includes/server-config.md +++ b/content/_includes/server-config.md @@ -204,7 +204,6 @@ log: # "time": "2006-01-02T15:04:05Z07:00", # "request": { # "ip": "87.149.99.199", - # "enclave": "default", # "path": "/v1/key/create/my-app-key", # "identity": "4067503933d4a78358f908a2df7ec14e554c612acf8a9d1aa29b7da4aa018ec9", # }, diff --git a/content/cli/_index.md b/content/cli/_index.md index 8de340e..6f17c96 100644 --- a/content/cli/_index.md +++ b/content/cli/_index.md @@ -56,7 +56,7 @@ docker pull minio/kes {{< /tab >}} {{< tab "Homebrew" >}} -MacOS users can use [Homebrew](https://brew.sh/) to install KES: +macOS users can use [Homebrew](https://brew.sh/) to install KES: ```sh {.copy} brew install minio/stable/kes diff --git a/content/cli/kes-enclave/_index.md b/content/cli/kes-enclave/_index.md deleted file mode 100644 index 5410eee..0000000 --- a/content/cli/kes-enclave/_index.md +++ /dev/null 
@@ -1,20 +0,0 @@ ---- -title: kes enclave -date: 2023-03-03 -lastmod: :git -draft: false -tableOfContents: true ---- - -## Overview - -Use `kes enclave` and its subcommands to create, list, or remove KES enclave. -Enclaves provide secure zones for performing actions with the KES server. - -## Subcommands - -|Subcommands |Description | -|:----------------------------------------------------|:----------------------------------| -|[`create`]({{< relref "/cli/kes-enclave/create" >}}) |Create a new enclave | -|[`info`]({{< relref "/cli/kes-enclave/info" >}}) |Show information about an enclave | -|[`rm`]({{< relref "/cli/kes-enclave/rm" >}}) |Delete an enclave | diff --git a/content/cli/kes-enclave/create.md b/content/cli/kes-enclave/create.md deleted file mode 100644 index e05f47a..0000000 --- a/content/cli/kes-enclave/create.md +++ /dev/null @@ -1,46 +0,0 @@ ---- -title: kes enclave create -date: 2023-03-03 -lastmod: :git -draft: false -tableOfContents: true ---- - -## Overview - -Creates a new KES enclave. - -## Syntax - -```sh -kes enclave create \ - \ - \ - [--insecure, -k] -``` - -## Parameters - -### `` - -_Required_ - -A short, human-readable name to use to interact with the enclave with the KES commands. - -### `` - -_Required_ - -The [`subject`]({{< relref "cli/kes-identity/new.md#subject" >}}) of the identity to use to create the enclave. - -### `--insecure, -k` - -{{< include "_includes/params/insecure.md" >}} - -## Examples - -The following command creates a new enclave called `tenant-1` with the provided identifier. - -```sh {.copy} -kes enclave create tenant-1 5f2f4ef3e0e340a07fc330f58ef0a1c4d661e564ab10795f9231f75fcfe572f1 -``` \ No newline at end of file diff --git a/content/cli/kes-enclave/info.md b/content/cli/kes-enclave/info.md deleted file mode 100644 index dc9effb..0000000 --- a/content/cli/kes-enclave/info.md +++ /dev/null 
@@ -1,50 +0,0 @@ ---- -title: kes enclave info -date: 2023-03-03 -lastmod: :git -draft: false -tableOfContents: true ---- - -## Overview - -Prints the identity information for a KES enclave. - -## Syntax - -```sh -kes enclave info \ - \ - [--color ] \ - [--insecure, -k] \ - [--json] -``` - -## Parameters - -### `name` - -_Required_ - -The short name of the KES enclave to output information about. - -### `--color` - -{{< include "_includes/params/color.md" >}} - -### `--insecure, -k` - -{{< include "_includes/params/insecure.md" >}} - -### `--json` - -{{< include "_includes/params/json.md" >}} - - -## Examples - -The following command displays the identity information for the enclave named `tenant-1`. - -```sh {.copy} -kes enclave info tenant-1 -``` diff --git a/content/cli/kes-enclave/rm.md b/content/cli/kes-enclave/rm.md deleted file mode 100644 index 86c76b0..0000000 --- a/content/cli/kes-enclave/rm.md +++ /dev/null @@ -1,39 +0,0 @@ ---- -title: kes enclave rm -date: 2023-03-03 -lastmod: :git -draft: false -tableOfContents: true ---- - -## Overview - -Deletes an enclave from KES. - -## Syntax - -```sh -kes enclave rm \ - \ - [--insecure, -k] -``` - -## Parameters - -### `name` - -_Required_ - -The short name of the KES enclave to output information about. - -### `--insecure, -k` - -{{< include "_includes/params/insecure.md" >}} - -## Examples - -The following command deletes the KES enclave named `tenant-1`. - -```sh {.copy} -kes enclave rm tenant-1 -``` \ No newline at end of file diff --git a/content/cli/kes-identity/_index.md b/content/cli/kes-identity/_index.md index 4f26dc8..59aaa3a 100644 --- a/content/cli/kes-identity/_index.md +++ b/content/cli/kes-identity/_index.md 
@@ -25,7 +25,6 @@ This page provides reference information for the `kes identity` commands. |[`ls`]({{< relref "/cli/kes-identity/ls" >}}) |List KES identities | |[`new`]({{< relref "/cli/kes-identity/new" >}}) |Create a KES identity | |[`of`]({{< relref "/cli/kes-identity/of" >}}) |Compute a KES identity from a certificate | -|[`rm`]({{< relref "/cli/kes-identity/rm" >}}) |Delete a KES identity | ## Related Content diff --git a/content/cli/kes-identity/info.md b/content/cli/kes-identity/info.md index 22f3e19..5b4866b 100644 --- a/content/cli/kes-identity/info.md +++ b/content/cli/kes-identity/info.md @@ -23,7 +23,6 @@ Role Admin ```sh kes identity info \ [--color ] \ - [--enclave, -e ] \ [] \ [--insecure, -k] \ [--json] @@ -35,10 +34,6 @@ kes identity info \ {{< include "_includes/params/color.md" >}} -### `--enclave, -e` - -{{< include "_includes/params/enclave.md" >}} - ### `identity` _Optional_ @@ -55,12 +50,14 @@ The UUID of a specific identity to retrieve information about. ## Examples -The following command displays the identity information for the enclave named `tenant-1`. +The following command displays the identity information for the kes server. ```sh {.copy} kes identity info` ``` +The following command displays the identity of the provided key. + ```sh {.copy} kes identity info 3ecfcdf38fcbe141ae26a1030f81e96b753365a46760ae6b578698a97c59fd22 ``` diff --git a/content/cli/kes-identity/ls.md b/content/cli/kes-identity/ls.md index 8cf9635..558fcea 100644 --- a/content/cli/kes-identity/ls.md +++ b/content/cli/kes-identity/ls.md @@ -20,7 +20,6 @@ The `kes identity ls` command does not return admin identities. ```sh kes identity ls \ [--color ] \ - [--enclave, -e ] \ [--insecure, -k] \ [--json] \ [pattern] @@ -32,10 +31,6 @@ kes identity ls \ {{< include "_includes/params/color.md" >}} -### `--enclave, -e` - -{{< include "_includes/params/enclave.md" >}} - ### `--insecure, -k` {{< include "_includes/params/insecure.md" >}} 
diff --git a/content/cli/kes-identity/rm.md b/content/cli/kes-identity/rm.md deleted file mode 100644 index 58f7759..0000000 --- a/content/cli/kes-identity/rm.md +++ /dev/null @@ -1,33 +0,0 @@ ---- -title: kes identity rm -date: 2023-03-03 -lastmod: :git -draft: false -tableOfContents: true ---- - -## Overview - -Removes the identity of either an api key or a certificate. - -## Syntax - -kes identity rm \ - [--enclave, -e ] \ - [--insecure, -k] - -## Parameters - -### `--enclave, -e` - -{{< include "_includes/params/enclave.md" >}} - -### `--insecure, -k` - -{{< include "_includes/params/insecure.md" >}} - -## Examples - -```sh {.copy} -kes identity rm 736bf58626441e3e134a2daf2e6a8441b40e1abc0eac510878168c8aac9f2b0b -``` diff --git a/content/cli/kes-key/create.md b/content/cli/kes-key/create.md index a33268b..b7ca127 100644 --- a/content/cli/kes-key/create.md +++ b/content/cli/kes-key/create.md @@ -16,7 +16,6 @@ KES *never* returns the generated secret to clients. ```sh kes key create \ \ - [--enclave, -e ] \ [--insecure, -k] ``` @@ -28,10 +27,6 @@ kes key create \ You may add multiple names to a single command to generate multiple keys. -### `--enclave, -e` - -{{< include "_includes/params/enclave.md" >}} - ### `--insecure, -k` {{< include "_includes/params/insecure.md" >}} diff --git a/content/cli/kes-key/decrypt.md b/content/cli/kes-key/decrypt.md index 516b9e4..11c42ca 100644 --- a/content/cli/kes-key/decrypt.md +++ b/content/cli/kes-key/decrypt.md @@ -23,7 +23,6 @@ kes key decrypt \ \ \ [] \ - [--enclave, -e ] \ [--insecure,-k] ``` @@ -47,10 +46,6 @@ The context value to scope the request for a data encryption key. You create contexts in the `kubeconfig` file of a Kubernetes deployment to define a set of cluster, namespace, and user configuration to use. -### `--enclave, -e` - -{{< include "_includes/params/enclave.md" >}} - ### `--insecure, -k` {{< include "_includes/params/insecure.md" >}} 
diff --git a/content/cli/kes-key/dek.md b/content/cli/kes-key/dek.md index afe721f..8a3e6eb 100644 --- a/content/cli/kes-key/dek.md +++ b/content/cli/kes-key/dek.md @@ -30,7 +30,6 @@ Avoid storing the plaintext value of a DEK on disk, as it allows decryption of d key key dek \ [] \ - [--enclave, -e ] \ [--insecure, -k] ``` @@ -48,10 +47,6 @@ The context value to scope the request for a data encryption key. You create contexts in the `kubeconfig` file of a Kubernetes deployment to define a set of cluster, namespace, and user configuration to use. -### `--enclave, -e` - -{{< include "_includes/params/enclave.md" >}} - ### `--insecure, -k` {{< include "_includes/params/insecure.md" >}} diff --git a/content/cli/kes-key/encrypt.md b/content/cli/kes-key/encrypt.md index dc6a742..09a58f5 100644 --- a/content/cli/kes-key/encrypt.md +++ b/content/cli/kes-key/encrypt.md @@ -22,7 +22,6 @@ Avoid storing the plaintext on disk, as it allows decryption of data without req kes key encrypt \ \ \ - [--enclave, e ] \ [--insecure,-k] ``` @@ -38,10 +37,6 @@ _Required_ The string to encrypt. -### `--enclave, -e` - -{{< include "_includes/params/enclave.md" >}} - ### `--insecure, -k` {{< include "_includes/params/insecure.md" >}} diff --git a/content/cli/kes-key/import.md b/content/cli/kes-key/import.md index 5329d84..a00cf6a 100644 --- a/content/cli/kes-key/import.md +++ b/content/cli/kes-key/import.md @@ -16,7 +16,6 @@ Import a cryptographic key. kes key import \ \ \ - [--enclave, -e ] \ [--insecure, -k] ``` @@ -32,10 +31,6 @@ _Required_ Key to use to decrypt the import file. -### `--enclave, -e` - -{{< include "_includes/params/enclave.md" >}} - ### `--insecure, -k` {{< include "_includes/params/insecure.md" >}} diff --git a/content/cli/kes-key/info.md b/content/cli/kes-key/info.md index 62ce6be..d19a6f6 100644 --- a/content/cli/kes-key/info.md +++ b/content/cli/kes-key/info.md 
@@ -25,7 +25,6 @@ Created By 3ecfcdf38fcbe141ae26a1030f81e96b753365a46760ae6b578698a97c59fd22 kes key info \ \ [--color ] \ - [--enclave, -e] \ [--insecure, -k] \ [--json] ``` @@ -40,10 +39,6 @@ kes key info \ {{< include "_includes/params/color.md" >}} -### `--enclave, -e` - -{{< include "_includes/params/enclave.md" >}} - ### `--insecure, -k` {{< include "_includes/params/insecure.md" >}} diff --git a/content/cli/kes-key/ls.md b/content/cli/kes-key/ls.md index 073e233..cd1459a 100644 --- a/content/cli/kes-key/ls.md +++ b/content/cli/kes-key/ls.md @@ -27,7 +27,6 @@ Date Created Key ```sh kes key ls \ [--color ] \ - [--enclave, -e] \ [--insecure, -k] \ [--json] \ [] @@ -39,10 +38,6 @@ kes key ls \ {{< include "_includes/params/color.md" >}} -### `--enclave, -e` - -{{< include "_includes/params/enclave.md" >}} - ### `--insecure, -k` {{< include "_includes/params/insecure.md" >}} diff --git a/content/cli/kes-key/rm.md b/content/cli/kes-key/rm.md index 2917dd8..74f6928 100644 --- a/content/cli/kes-key/rm.md +++ b/content/cli/kes-key/rm.md @@ -21,7 +21,6 @@ Removing a Secret Key renders all data encrypted using that key permanently unre ```sh kes key rm \ \ - [--enclave, -e] \ [--insecure, -k] ``` @@ -34,10 +33,6 @@ _Required_ The name of the existing key to remove. To remove more than one key, separate each key with a space. -### `--enclave, -e` - -{{< include "_includes/params/enclave.md" >}} - ### `--insecure, -k` {{< include "_includes/params/insecure.md" >}} diff --git a/content/cli/kes-policy/_index.md b/content/cli/kes-policy/_index.md index 033afe6..84ab106 100644 --- a/content/cli/kes-policy/_index.md +++ b/content/cli/kes-policy/_index.md 
@@ -23,5 +23,4 @@ To make persistent changes to KES policies, modify the `policy` section of the K |[`create`]({{< relref "/cli/kes-policy/create" >}}) |Create a new policy | |[`info`]({{< relref "/cli/kes-policy/info" >}}) |Get information about a policy | |[`ls`]({{< relref "/cli/kes-policy/ls" >}}) |List policies | -|[`rm`]({{< relref "/cli/kes-policy/rm" >}}) |Remove a policy | |[`show`]({{< relref "/cli/kes-policy/show" >}}) |Display a policy | diff --git a/content/cli/kes-policy/assign.md b/content/cli/kes-policy/assign.md index 6260f63..0500212 100644 --- a/content/cli/kes-policy/assign.md +++ b/content/cli/kes-policy/assign.md @@ -16,7 +16,6 @@ Assign a KES policy to identities. kes policy assign \ \ \ - [--enclave, -e ] \ [--insecure, -k] ``` @@ -32,10 +31,6 @@ Use `kes policy ls` to find the name. The name of the identity to which to assign the policy. -### `--enclave, -e` - -{{< include "_includes/params/enclave.md" >}} - ### `--insecure, -k` {{< include "_includes/params/insecure.md" >}} diff --git a/content/cli/kes-policy/create.md b/content/cli/kes-policy/create.md index e7b8f61..cbc7556 100644 --- a/content/cli/kes-policy/create.md +++ b/content/cli/kes-policy/create.md @@ -25,7 +25,6 @@ To create permanent policies, modify the `policy` section of the KES [configurat kes policy create \ \ \ - [--enclave, -e ] \ [--insecure, -k] ``` @@ -43,10 +42,6 @@ _Required_ The path to the file containing the policy to use with this name. -### `--enclave, -e` - -{{< include "_includes/params/enclave.md" >}} - ### `--insecure, -k` {{< include "_includes/params/insecure.md" >}} diff --git a/content/cli/kes-policy/info.md b/content/cli/kes-policy/info.md index 897a37e..8de040f 100644 --- a/content/cli/kes-policy/info.md +++ b/content/cli/kes-policy/info.md @@ -24,7 +24,6 @@ Created by 3ecfcdf38fcbe141ae26a1030f81e96b753365a46760ae6b578698a97c59fd22 kes policy info \ \ [--color ] \ - [--enclave, -e ] \ [--insecure, -k] \ [--json] ``` 
@@ -41,10 +40,6 @@ The short name of the policy about which to output information. {{< include "_includes/params/color.md" >}} -### `--enclave, -e` - -{{< include "_includes/params/enclave.md" >}} - ### `--insecure, -k` {{< include "_includes/params/insecure.md" >}} diff --git a/content/cli/kes-policy/ls.md b/content/cli/kes-policy/ls.md index a11d01c..775a08b 100644 --- a/content/cli/kes-policy/ls.md +++ b/content/cli/kes-policy/ls.md @@ -22,7 +22,6 @@ Date Created Policy ```sh kes policy ls \ [--color ] \ - [--enclave, -e ] \ [--insecure, -k] \ [--json] \ [<'pattern'>] @@ -34,10 +33,6 @@ kes policy ls \ {{< include "_includes/params/color.md" >}} -### `--enclave, -e` - -{{< include "_includes/params/enclave.md" >}} - ### `--insecure, -k` {{< include "_includes/params/insecure.md" >}} diff --git a/content/cli/kes-policy/rm.md b/content/cli/kes-policy/rm.md deleted file mode 100644 index 78523cd..0000000 --- a/content/cli/kes-policy/rm.md +++ /dev/null @@ -1,52 +0,0 @@ ---- -title: kes policy rm -date: 2023-03-03 -lastmod: :git -draft: false -tableOfContents: true ---- - -## Overview - -Remove a policy name from the KES server. -Removing a policy prevents clients authenticating with an identity associated to that policy from performing any operations on the KES server. - -## Syntax - -```sh -kes policy rm \ - \ - [--enclave, -e ] \ - [--insecure, -k] -``` - -## Parameters - -### `name` - -_Required_ - -The short name of the policy to remove. -To remove more than one policy name, separate multiple policy names with commas. - -### `--enclave, -e` - -{{< include "_includes/params/enclave.md" >}} - -### `--insecure, -k` - -{{< include "_includes/params/insecure.md" >}} - -## Examples - -Remove a policy: - -```sh {.copy} -kes policy rm my-policy -``` - -Remove two policies: - -```sh {.copy} -kes policy rm my-policy1, my-policy2 -``` \ No newline at end of file diff --git a/content/cli/kes-policy/show.md b/content/cli/kes-policy/show.md index ddedfcd..2492547 100644 
--- a/content/cli/kes-policy/show.md +++ b/content/cli/kes-policy/show.md @@ -37,7 +37,6 @@ Created by: 3ecfcdf38fcbe141ae26a1030f81e96b753365a46760ae6b578698a97c59fd22 ```sh kes policy show \ \ - [--enclave, -e ] \ [--insecure, -k] \ [--json] ``` @@ -50,10 +49,6 @@ _Required_ The short name of the policy about which to output information. -### `--enclave, -e` - -{{< include "_includes/params/enclave.md" >}} - ### `--insecure, -k` {{< include "_includes/params/insecure.md" >}} diff --git a/content/cli/kes-secret/create.md b/content/cli/kes-secret/create.md index 4b03797..53649aa 100644 --- a/content/cli/kes-secret/create.md +++ b/content/cli/kes-secret/create.md @@ -16,7 +16,6 @@ Add a new secret to use on the KES server. kes secrete create \ \ \ - [--enclave, -e ] \ [--file ] \ [--insecure, -e] ``` @@ -29,10 +28,6 @@ _Required_ A short name to use to refer to the secret. -### `--enclave, -e` - -{{< include "_includes/params/enclave.md" >}} - ### `--file` Use the contents of a file as the secret. diff --git a/content/cli/kes-secret/info.md b/content/cli/kes-secret/info.md index f1bf33b..f48e081 100644 --- a/content/cli/kes-secret/info.md +++ b/content/cli/kes-secret/info.md @@ -23,7 +23,6 @@ Created by 3ecfcdf38fcbe141ae26a1030f81e96b753365a46760ae6b578698a97c59fd22 kes secret info \ \ [--color ] \ - [--enclave, -e ] \ [--insecure, -e] \ [--json] ``` @@ -40,10 +39,6 @@ The short name of the secret about which to output information. {{< include "_includes/params/color.md" >}} -### `--enclave, -e` - -{{< include "_includes/params/enclave.md" >}} - ### `--insecure, -k` {{< include "_includes/params/insecure.md" >}} diff --git a/content/cli/kes-secret/ls.md b/content/cli/kes-secret/ls.md index 94e1753..55d6243 100644 --- a/content/cli/kes-secret/ls.md +++ b/content/cli/kes-secret/ls.md 
@@ -17,7 +17,6 @@ You can display a list of all secrets or a list that match a specific pattern. ```sh kes secret ls \ [--color ] \ - [--enclave, -e ] \ [--insecure, -k] \ [--json] \ [<'pattern'>] @@ -31,10 +30,6 @@ kes secret ls \ {{< include "_includes/params/color.md" >}} -### `--enclave, -e` - -{{< include "_includes/params/enclave.md" >}} - ### `--insecure, -k` {{< include "_includes/params/insecure.md" >}} diff --git a/content/cli/kes-secret/rm.md b/content/cli/kes-secret/rm.md index 6022158..3a2f057 100644 --- a/content/cli/kes-secret/rm.md +++ b/content/cli/kes-secret/rm.md @@ -16,7 +16,6 @@ Once removed, the secret is no longer valid for the KES server. ```sh kes secret rm \ \ - [--enclave, -e ] \ [--insecure, -k] ``` @@ -28,10 +27,6 @@ _Required_ The short name of the secret to remove. -### `--enclave, -e` - -{{< include "_includes/params/enclave.md" >}} - ### `--insecure, -k` {{< include "_includes/params/insecure.md" >}} diff --git a/content/cli/kes-secret/show.md b/content/cli/kes-secret/show.md index ebbe168..4089af7 100644 --- a/content/cli/kes-secret/show.md +++ b/content/cli/kes-secret/show.md @@ -16,7 +16,6 @@ Output the contents of a secret. kes secret show \ \ [--color ] \ - [--enclave, -e ] \ [--insecure, -k] \ [--json] \ [--plain, -p] @@ -34,10 +33,6 @@ The short name of the secret to remove. {{< include "_includes/params/color.md" >}} -### `--enclave, -e` - -{{< include "_includes/params/enclave.md" >}} - ### `--insecure, -k` {{< include "_includes/params/insecure.md" >}} diff --git a/content/cli/kes-update/_index.md b/content/cli/kes-update/_index.md index e66d995..4d4409e 100644 --- a/content/cli/kes-update/_index.md +++ b/content/cli/kes-update/_index.md @@ -60,7 +60,7 @@ Valid operating systems: - `darwin` - Use for MacOS. + Use for macOS. - `linux` - `windows` 
@@ -88,7 +88,7 @@ Download an older binary version and replace the current one: kes update --downgrade v.0.19.0 ``` -Download the latest binary for MacOS on an `arm64` chip like the M2 and save it to a file, keeping the current binary in place: +Download the latest binary for macOS on an `arm64` chip like the M2 and save it to a file, keeping the current binary in place: ```sh {.copy} kes update -o ./kes-darwin-arm64 --os darwin --arch arm64 diff --git a/content/concepts/environment-variables.md b/content/concepts/environment-variables.md index 92feb46..4aaac6a 100644 --- a/content/concepts/environment-variables.md +++ b/content/concepts/environment-variables.md @@ -34,11 +34,3 @@ MinIO uses this key for the following: - Encrypting backend data ( [IAM](https://min.io/docs/minio/linux/administration/identity-access-management.html#minio-authentication-and-identity-management), server configuration). - The default encryption key for Server-Side Encryption with [SSE-KMS](https://min.io/docs/minio/linux/administration/server-side-encryption/server-side-encryption-sse-kms.html#minio-encryption-sse-kms). - The encryption key for Server-Side Encryption with [SSE-S3](https://min.io/docs/minio/linux/administration/server-side-encryption/server-side-encryption-sse-s3.html#minio-encryption-sse-s3). - -## `MINIO_KMS_KES_ENCLAVE` - -Use this optional environment variable to define the name of a KES enclave. -A KES enclave provides an isolated space for its associated keys separate from other enclaves on a stateful KES server. - -If not set, MinIO does not send enclave information. -For a stateful KES server, this results in using the default enclave. \ No newline at end of file diff --git a/content/concepts/grafana-dashboard.png b/content/concepts/grafana-dashboard.png new file mode 100644 index 0000000..b6dc91e Binary files /dev/null and b/content/concepts/grafana-dashboard.png differ 
diff --git a/content/concepts/monitoring.md b/content/concepts/monitoring.md index fff4477..07c5870 100644 --- a/content/concepts/monitoring.md +++ b/content/concepts/monitoring.md @@ -63,6 +63,15 @@ Use the following steps to get started monitoring KES with Prometheus. After the KES and Prometheus servers start, Prometheus should detect and display a new KES target. +## Grafana + +For a graphical dashboard, you can connect KES metrics scraped by Prometheus to Grafana. + +![An example Grafana dashboard in dark mode showing KES metrics](grafana-dashboard.png) + +MinIO provides an example Grafana dashboard configuration for KES. +See the JSON file on [Github](https://github.com/minio/kes/blob/master/examples/grafana/dashboard.json). + ## References - [Server API Doc]({{< relref "server-api.md" >}}) diff --git a/content/concepts/server-api.md b/content/concepts/server-api.md index 45d6fb3..45e8890 100644 --- a/content/concepts/server-api.md +++ b/content/concepts/server-api.md @@ -30,7 +30,8 @@ If any endpoint does not require a certificate, failed calls result in an HTTP e | [`/v1/key/list`](#list-keys) | List cryptographic keys. | | [`/v1/key/generate`](#generate-key) | Generate a new plain/encrypted data encryption key pair. | | [`/v1/key/encrypt`](#encrypt-key) | Encrypt a (small) plaintext with a key. | -| [`/v1/key/decrypt`](#decrypt-ley) | Decrypt a (small) ciphertext with a key. | +| [`/v1/key/decrypt`](#decrypt-key) | Decrypt a (small) ciphertext with a key. | +| [`/v1/key/hmac`](#hmac) | | [**Policy API**](#Policy-API) | | | [`/v1/policy/describe`](#describe-policy) | Fetch information about a policy. | | [`/v1/policy/read`](#read-policy) | Fetch a policy. | 
@@ -550,6 +551,32 @@ $ curl \ } ``` +### HMAC + + +| Method | Path | Content-Type | +|:--------:|:---------------------:|:------------------:| +| `PUT` | `/v1/key/hmac/` | `application/json` | + +Compute a message authentication code (MAC) for the data passed in the request. +Use this to verify that messages are authentic or to generate the same pseudo-random secret on startup. + +#### Sample Request +```bash {.copy} +$ curl \ + --key root.key \ + --cert root.cert \ + --request PUT \ + --data '{"message":"Data to use to generate the HMAC secret"}' +``` + +#### Sample Response +```json +{ + "hmac": "5ded46b0e5450b0790637d71e453bce1fdae61f25a34c211216906a99791c6a5" +} +``` + ## Policy API ### Describe Policy diff --git a/content/tutorials/_index.md b/content/tutorials/_index.md new file mode 100644 index 0000000..56b4355 --- /dev/null +++ b/content/tutorials/_index.md @@ -0,0 +1,19 @@ +--- +title: Tutorials +date: 2023-02-08 +lastmod: :git +draft: false +tableOfContents: true +heading: true +weight: -1 +--- + +This section provides tutorials for common tasks related to installing and using KES. + +| Tutorial | Description | +|----------------------------------------------------------------|------------------------------------------------------------------------------| +| [Configuration]({{< relref "configuration.md" >}}) | Details for creating the configuration file for a KES Client and KES Server. | +| [Filesystem Keystore]({{< relref "filesystem-keystore.md" >}}) | Setup KES for testing using the local filesystem for persistent key storage. | +| [Getting Started]({{< relref "getting-started.md" >}}) | Setup KES for testing using system memory for ephemeral key storage. | +| [KES for MinIO]({{< relref "kes-for-minio.md" >}}) | Setup KES to work as the key encryption service for a MinIO deployment. | +| [systemd]({{< relref "systemd.md" >}}) | Configure a KES service on a Linux system using systemd service manager. | \ No newline at end of file 
diff --git a/content/tutorials/configuration.md b/content/tutorials/configuration.md index e372ff2..68b1477 100644 --- a/content/tutorials/configuration.md +++ b/content/tutorials/configuration.md @@ -4,6 +4,7 @@ date: 2023-02-08 lastmod: :git draft: false tableOfContents: true +weight: 40 --- This page provides information about KES configuration options for a KES Client and a KES Server. diff --git a/content/tutorials/filesystem-keystore.md b/content/tutorials/filesystem-keystore.md index 3d39bb4..eef41d5 100644 --- a/content/tutorials/filesystem-keystore.md +++ b/content/tutorials/filesystem-keystore.md @@ -4,6 +4,7 @@ date: 2023-02-08 lastmod: :git draft: false tableOfContents: true +weight: 50 --- Use this page to setup a KES server that uses the filesystem as persistent key store. diff --git a/content/tutorials/getting-started.md b/content/tutorials/getting-started.md index 7edb6dd..391073d 100644 --- a/content/tutorials/getting-started.md +++ b/content/tutorials/getting-started.md @@ -4,6 +4,7 @@ date: 2023-02-08 lastmod: :git draft: false tableOfContents: true +weight: 1 --- This Quickstart shows you how to setup a local KES server that stores keys in-memory. 
@@ -78,8 +79,19 @@ This starts a KES server on `127.0.0.1:7373` and stores keys in memory. export PATH=$PATH:@HOME/minio-binaries/ ``` - **Important:** Invoke the Windows executable file from the terminal, PowerShell, or Command Prompt. - You cannot double click the file from the Windows graphical user interface. + **Important:** + + - For Windows: Invoke the Windows executable file from the terminal, PowerShell, or Command Prompt. + You cannot double click the file from the Windows graphical user interface. + + - For macOS: Create an exception to allow macOS to open the executable downloaded from the Internet. + + 1. Locate the binary in Finder. + 2. `CTRL + Click` the file, then select `Open`. + 3. Follow the prompts to open the app and create a security exception. + 4. Close the window that opens showing the KES help page. + 5. Return to the Terminal and verify you can access KES with `./kes -h`. + {{< /tab >}} @@ -235,7 +247,8 @@ This starts a KES server on `127.0.0.1:7373` and stores keys in memory. To upgrade KES, follow the getting started steps and replace the KES binary with the newer version on each KES server node. {{< admonition type="important" >}} -You cannot revert to a previous version of KES after upgrading. +Due to changes in how KES processes ciphertext, it is not possible to revert to an earlier version after upgrading to release `2024-02-29T08-12-28Z` or later. +MinIO recommends always testing in a lower environment such as staging or development prior to upgrading production. {{< /admonition >}} ## References diff --git a/content/tutorials/kes-for-minio.md b/content/tutorials/kes-for-minio.md index 17c85a8..058e041 100644 --- a/content/tutorials/kes-for-minio.md +++ b/content/tutorials/kes-for-minio.md 
@@ -4,6 +4,7 @@ date: 2023-02-08 lastmod: :git draft: false tableOfContents: true +weight: 20 --- This tutorial shows how to setup a KES server and then configure a [MinIO deployment](https://min.io/docs/minio/linux/index.html) as a KES client for object encryption. diff --git a/content/tutorials/systemd.md b/content/tutorials/systemd.md index b8123c4..fd9bb32 100644 --- a/content/tutorials/systemd.md +++ b/content/tutorials/systemd.md @@ -4,6 +4,7 @@ date: 2023-02-08 lastmod: :git draft: false tableOfContents: true +weight: 30 --- This tutorial explains how to create a `systemd` service for KES on Linux systems.
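Review bot: In the `log:` example hunk of content/_includes/server-config.md, the sample audit event is still not valid JSON after the `"enclave"` line is removed: the `"identity": "...",` line keeps a trailing comma directly before the closing `},` of `request`. Drop that comma so the example can be pasted into a log-pipeline test as-is. Since this changes the documented shape of the audit record, it is also worth one sentence telling operators that `request.enclave` no longer appears, so parsers and detection rules keyed on that field get updated.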
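Review bot: In the Examples hunk of content/cli/kes-identity/info.md, the first example still reads `kes identity info` followed by a stray backtick inside a `{.copy}` block, so the copied command leaves the shell waiting on an unterminated backquote; remove it while these lines are being edited. The added sentence "displays the identity of the provided key" disagrees with the parameter text in the same file, which describes the argument as an identity, so "the provided identity" is the consistent wording. "kes server" in the other new sentence should be "KES server".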
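Review bot: In the syntax hunk of content/cli/kes-key/dek.md, the command line left in place reads `key key dek`, which is not a runnable command; it should be `kes key dek`. This is a context line rather than a changed one, but the hunk already edits the same block, so it is the natural place to fix it.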
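Review bot: The syntax blocks in content/cli/kes-secret/create.md and content/cli/kes-secret/info.md still show `[--insecure, -e]` after this change removes `--enclave, -e`. The parameter heading in info.md is `--insecure, -k`, so the short flag in both syntax blocks should be `-k`; leaving `-e` documents a short flag that this same patch retires. In create.md the command is also spelled `kes secrete create`, and in content/cli/kes-secret/show.md the text visible in the second hunk header describes the name parameter as "The short name of the secret to remove", which was evidently copied from the rm page.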
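Review bot: The hunk in content/concepts/environment-variables.md deletes the `MINIO_KMS_KES_ENCLAVE` section outright, with no guidance for deployments that already set the variable. The removed text said an unset variable resulted in the default enclave being used, so readers need to know what happens now when it is set: whether it is ignored, rejected, or still sent. A short deprecation note in place of the section would cover that, and the same applies to the `--enclave, -e` flag removed across the CLI pages.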
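Review bot: In the new Grafana section of content/concepts/monitoring.md, the dashboard link points at the `master` branch (`.../blob/master/examples/grafana/dashboard.json`), so the documented dashboard can change or move without the docs changing. Consider linking to a tagged release or stating which KES release the dashboard was built against. "Github" should be spelled "GitHub".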
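Review bot: In the HMAC hunk of content/concepts/server-api.md, the sample request cannot be run as written: the curl command ends at `--data '{"message":"..."}'` with no URL argument, although the fence is marked `{.copy}`. Add the server URL and the `/v1/key/hmac/` path with a key name as the final argument. The new row in the endpoint table, `/v1/key/hmac`, has no description cell, which leaves it one column short of its neighbours; something like "Compute a MAC over a message with a key" would match the section text. The section should also state the expected encoding of `message` and that the response `hmac` is hex, since callers comparing MACs need both to be unambiguous.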
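Review bot: In the new content/tutorials/_index.md table, "Setup KES" is used as a verb in three descriptions and should be "Set up KES". The rows are listed alphabetically, while the `weight` values added to the tutorial pages in this same patch order them as Getting Started (1), KES for MinIO (20), systemd (30), Configuration (40), Filesystem Keystore (50); matching the table to that order would keep the index consistent with the sidebar. The file also ends without a trailing newline.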
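Review bot: In the first hunk of content/tutorials/getting-started.md, the new macOS steps tell the reader to create a security exception for a binary downloaded from the Internet without first confirming that the binary is the intended one. Add a step before "Locate the binary in Finder" to verify the download, for example against a checksum or signature if the project publishes one, so the exception is granted to a verified file. The context line just above, `export PATH=$PATH:@HOME/minio-binaries/`, uses `@HOME` where `$HOME` is meant; as written it appends a literal `@HOME/minio-binaries/` relative path to `PATH`, which is both non-functional and a relative-path entry that should not be in `PATH`.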
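Review bot: The new upgrade admonition in content/tutorials/getting-started.md says it is not possible to revert after upgrading to `2024-02-29T08-12-28Z` or later, but content/cli/kes-update/_index.md in this same patch still documents `kes update --downgrade` with no caveat. Add a matching warning or cross-reference on the kes-update page so the two do not contradict each other. The admonition would also be more actionable if it told operators to back up the keystore before upgrading, given that the stated cause is a change in how ciphertext is processed.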