## Acronyms

- **AEAD**: Authenticated Encryption with Associated Data
- **CSPRNG**: Cryptographically Secure Pseudo Random Number Generator
- **EK**: External Key
- **IV**: Initialization Vector
- **KEK**: Key Encryption Key
- **OEK**: Object Encryption Key
- **PRF**: Pseudo Random Function
- **SSE**: Server-Side Encryption
- **SSE-C**: Server-Side Encryption with client-provided Keys

```
export MINIO_KMS_AUTO_ENCRYPTION=on
```

### Verify auto-encryption

> Note that auto-encryption only affects requests without S3 encryption headers. So, if a S3 client sends
> e.g. SSE-C headers, MinIO will encrypt the object with the key sent by the client and won't reach out to
> the configured KMS.

To verify auto-encryption, use the following `mc` command:

```

your setup can use this feature combination safely.

To enable compression+encryption use:

```bash
~ mc admin config set myminio compression allow_encryption=on
```

Or alternatively through the environment variable `MINIO_COMPRESSION_ALLOW_ENCRYPTION=on`.

### 4. Excluded Types

- Already compressed objects are not fit for compression since they do not have compressible patterns.

import okhttp3.tls.internal.der.ObjectIdentifiers.COMMON_NAME
import okhttp3.tls.internal.der.ObjectIdentifiers.ORGANIZATIONAL_UNIT_NAME
import okhttp3.tls.internal.der.ObjectIdentifiers.RSA_ENCRYPTION
import okhttp3.tls.internal.der.ObjectIdentifiers.SHA256_WITH_RSA_ENCRYPTION
import okhttp3.tls.internal.der.ObjectIdentifiers.SUBJECT_ALTERNATIVE_NAME
import okio.Buffer
import okio.ByteString
import okio.ByteString.Companion.decodeBase64

          "X-Minio-Internal-Server-Side-Encryption-Seal-Algorithm": "REFSRXYyLUhNQUMtU0hBMjU2",
          "X-Minio-Internal-Server-Side-Encryption-Iv": "bW5YRDhRUGczMVhkc2pJT1V1UVlnbWJBcndIQVhpTUN1dnVBS0QwNUVpaz0=",

The unified KMS-based approach has several advantages:

- Key management is now centralized. There is one way to change or rotate encryption keys.
   There used to be two different mechanisms - one for regular S3 objects and one for IAM data.
- Reduced server startup time. For IAM encryption with the root credentials, MinIO had
   to use a memory-hard function (Argon2) that (on purpose) consumes a lot of memory and CPU.

- **Removing a site** is not allowed from a set of replicated sites once configured.
- All sites must be using the **same** external IDP(s) if any.

* Certificates have a **lifetime**.
    * They **expire**.
    * And then they need to be **renewed**, **acquired again** from the third party.
* The encryption of the connection happens at the **TCP level**.
    * That's one layer **below HTTP**.
    * So, the **certificate and encryption** handling is done **before HTTP**.
* **TCP doesn't know about "domains"**. Only about IP addresses.

Copy the existing private key and public certificate to the `certs` directory. The default certs directory is:

* **Linux:** `${HOME}/.minio/certs`

internal object ObjectIdentifiers {
  const val EC_PUBLIC_KEY = "1.2.840.10045.2.1"
  const val SHA256_WITH_ECDSA = "1.2.840.10045.4.3.2"
  const val RSA_ENCRYPTION = "1.2.840.113549.1.1.1"
  const val SHA256_WITH_RSA_ENCRYPTION = "1.2.840.113549.1.1.11"
  const val SUBJECT_ALTERNATIVE_NAME = "2.5.29.17"
  const val BASIC_CONSTRAINTS = "2.5.29.19"
  const val COMMON_NAME = "2.5.4.3"