minio/ kes
About the developer
220 Stars 
36 Forks 
GNU Affero General Public License v3.0 
210 Commits 
1 Opened issues 
Description
KES is a simple, stateless and distributed key-management system
Services available
Contributors list
KES
KES is a stateless and distributed key-management system for high-performance applications. We built KES as the bridge between modern applications - running as containers on Kubernetes - and centralized KMS solutions. Therefore, KES has been designed to be simple, scalable and secure by default. It has just a few knobs to tweak instead of a complex configuration and does not require a deep understanding of secure key-management or cryptography.
Architecture
Install
Binary Releases
| OS | ARCH | Binary | |:--------:|:-------:|:--------------------------------------------------------------------------------------------:| | Linux | amd64 | linux-amd64 | | Linux | arm64 | linux-arm64 | | Linux | ppc64le | linux-ppc64le | | Linux | s390x | linux-s390x | | Apple M1 | arm64 | darwin-arm64 | | Apple | amd64 | darwin-amd64 | | Windows | amd64 | windows-amd64 |
You can also verify the binary with minisign by downloading the corresponding
.minisigsignature file. Then run:
minisign -Vm kes-- -P RWTx5Zr1tiHQLwG9keckT0c45M3AGeHD6IvimQHpyRywVWGbP1aVSGav
Docker
Pull the latest release via:
docker pull minio/kes
Build from source
GO111MODULE=on go get github.com/minio/kes/cmd/kes
You will need a working Go environment. Therefore, please follow How to install Go. Minimum version required is go1.14
Getting Started
We run a public KES server instance at
https://play.min.io:7373for you to experiment with. Just follow the steps below to get a first impression of how easy it is to use KES as a client. All you need is
cURL.
If you instead want to run a KES server locally as your first steps then checkout our Getting Started Guide.
1. Fetch the root identity
As an initial step, you will need to download the "private" key and certificate to authenticate to the KES server as the root identity.
sh curl -sSL --tlsv1.2 \ -O 'https://raw.githubusercontent.com/minio/kes/master/root.key' \ -O 'https://raw.githubusercontent.com/minio/kes/master/root.cert'
2. Create a new master key
Then, you can create a new master key named e.g.
my-key.
sh
curl -sSL --tlsv1.3 --http2 \
--key root.key \
--cert root.cert \
-X POST 'https://play.min.io:7373/v1/key/create/my-key'
Note that creating a new key will fail with
key does already existif it already exist.
3. Generate a new data encryption key (DEK)
Now, you can use that master key to derive a new data encryption key.
sh
curl -sSL --tlsv1.3 --http2 \
--key root.key \
--cert root.cert \
--data '{}' \
-X POST 'https://play.min.io:7373/v1/key/generate/my-key'
You will get a plaintext and a ciphertext data key. The ciphertext data
key is the encrypted version of the plaintext key. Your application would
use the plaintext key to e.g. encrypt some application data but only remember
the ciphertext key version.
4. Use the KES CLI client
For more sophisticated tasks, like managing policies or audit log tracing, you may want to use the KES CLI. Therefore, point your CLI to our KES instance:
sh export KES_SERVER=https://play.min.io:7373 export KES_CLIENT_KEY=root.key export KES_CLIENT_CERT=root.cert
Then run a KES CLI command. For example:
kes key list
If you want to learn more about KES checkout our documentation.
License
Use of
KESis governed by the AGPLv3 license that can be found in the LICENSE file.