Backup encryption in MinIO (SSE-KMS)


To mitigate the risk of exposing unencrypted backup data in case of unauthorized access, the Platform implements server-side encryption (SSE-KMS). This mechanism ensures that all stored objects are encrypted at rest, without requiring any changes in how users or services interact with MinIO.

This document outlines how SSE-KMS encryption works in the Platform’s MinIO environment, which relies on integration with KES Server and Platform Vault.

1. What is SSE-KMS and how does it work?

Server-Side Encryption with KMS (SSE-KMS) enables automatic encryption of files on the server side before they are written to disk. Encryption happens in flight—as each object is uploaded to MinIO. When the object is retrieved, it is automatically decrypted. From the user’s perspective, everything works the same way as before.

  • All data is stored in encrypted form on disk.

  • Encryption keys are securely stored in Vault.

SSE-KMS does not replace full disk encryption (FS-level encryption); it complements it by encrypting objects at the application layer within MinIO. For optimal protection, both layers should be used together.

2. Backup encryption diagram

The diagram below shows a high-level view of how the components interact to encrypt backup data.

Figure 1. Component integration: MinIO, KES Server, and Vault

  • MinIO — Object storage that holds backup data.

  • KES Server — A service or agent that acts as a KMS proxy for MinIO and a client to Vault.

  • Vault — A secret management system that stores encryption keys.

How the components interact

  1. KES Server authenticates to Vault using the AppRole method with a role_id and secret_id.

  2. Vault returns a temporary token (Vault Token).

  3. Using this token, KES Server retrieves the encryption key from Vault, or creates it if it does not exist yet.

  4. MinIO sends encryption/decryption requests to KES Server, which acts as a proxy to Vault-stored keys.

KES Server is not a backend system in itself. It runs as a local service alongside MinIO. It receives encryption-related requests from MinIO and independently communicates with Vault to fulfill them.
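The wiring described above (KES authenticating to Vault via AppRole, MinIO talking only to KES), as an added example rather than the Platform's own configuration: a KES config with the Vault keystore, the MinIO environment that points at KES, and a check that an uploaded object really carries SSE-KMS metadata. Hostnames, paths, the key name and the AppRole ids are placeholders; the HEAD response headers used to verify are the standard S3 ones MinIO returns.

```shell
# Added example (not the Platform's own config): wire MinIO -> KES -> Vault
# as in Figure 1, then verify that a stored object really carries SSE-KMS.
# Hostnames, file paths, the key name and the AppRole ids are placeholders.
set -eu

# 1. KES: authenticate to Vault with AppRole, keep keys under one prefix and
#    allow only MinIO's client identity to create/generate/decrypt keys.
write_kes_config() {            # $1 = output path, $2 = MinIO client identity
  cat >"$1" <<EOF
address: 0.0.0.0:7373
admin:
  identity: disabled            # no admin API reachable over the network
tls:
  key: /etc/kes/server.key
  cert: /etc/kes/server.cert
policy:
  minio:
    allow:
      - /v1/key/create/*
      - /v1/key/generate/*
      - /v1/key/decrypt/*
    identities:
      - $2
keystore:
  vault:
    endpoint: https://vault.example.internal:8200
    prefix: minio-backups
    approle:
      id: REPLACE_WITH_ROLE_ID
      secret: REPLACE_WITH_SECRET_ID
      retry: 15s
    tls:
      ca: /etc/kes/vault-ca.crt
EOF
}

# 2. MinIO: reach KES over mTLS, name the key KES manages in Vault and turn on
#    auto-encryption so every object is encrypted without client involvement.
export MINIO_KMS_KES_ENDPOINT=https://kes.example.internal:7373
export MINIO_KMS_KES_KEY_FILE=/etc/minio/kes-client.key
export MINIO_KMS_KES_CERT_FILE=/etc/minio/kes-client.cert
export MINIO_KMS_KES_CAPATH=/etc/minio/kes-ca.crt
export MINIO_KMS_KES_KEY_NAME=minio-backup-key
export MINIO_KMS_AUTO_ENCRYPTION=on

# 3. Check: feed the raw headers of an S3 HEAD response (e.g. from curl -I on a
#    presigned URL) and fail unless they report SSE-KMS with the expected key.
check_sse_kms() {               # $1 = raw response headers, $2 = expected key
  printf '%s\n' "$1" | grep -qi '^x-amz-server-side-encryption: *aws:kms' || return 1
  printf '%s\n' "$1" | grep -qi "^x-amz-server-side-encryption-aws-kms-key-id: *$2" || return 1
}
```

If a HEAD response lacks both headers, the object was written before KES was wired in (or auto-encryption was off) and still sits on disk in clear text; such objects must be rewritten to become encrypted.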