# KMS IAM/Config Encryption

MinIO supports encrypting config, IAM assets with KMS provided keys. If the KMS is not enabled, MinIO will store the config, IAM data as plain text erasure coded in its backend.

## MinIO KMS Quick Start

MinIO supports two ways of encrypting IAM and configuration data.
You can either use KES - together with an external KMS - or, much simpler,

			encMetadata[k] = v
		}
	}

	if (sseKMS || sseS3) && r.Encryption.Type == ssekms {
		if err = r.Encryption.Validate(); err != nil {
			return err
		}
		newKeyID = strings.TrimPrefix(r.Encryption.Key, crypto.ARNPrefix)
		newKeyContext = r.Encryption.kmsContext
	}
	if err = rotateKey(ctx, []byte{}, newKeyID, []byte{}, r.Bucket, oi.Name, encMetadata, newKeyContext); err != nil {

ret=$?
if [ $ret -ne 0 ]; then
	echo "expected versioning enabled after expansion"
	exit 1
fi

./mc encrypt info myminio/versioned | grep -q "Auto encryption 'sse-s3' is enabled"
ret=$?
if [ $ret -ne 0 ]; then
	echo "expected encryption enabled after expansion"
	exit 1
fi

./mc mirror cmd myminio/versioned/ --quiet >/dev/null

./mc ls -r myminio/versioned/ >expanded_ns.txt

ret=$?
if [ $ret -ne 0 ]; then
	echo "expected versioning enabled after expansion"
	exit 1
fi

./mc encrypt info myminio/versioned | grep -q "Auto encryption 'sse-s3' is enabled"
ret=$?
if [ $ret -ne 0 ]; then
	echo "expected encryption enabled after expansion"
	exit 1
fi

./mc version info myminio/versioned-1 | grep -q "versioning is enabled"
ret=$?
if [ $ret -ne 0 ]; then

    /**
     * Kerberos encryption type for ARCFOUR-HMAC (RC4-HMAC).
     */
    public static final int ETYPE_ARCFOUR_HMAC = 23;
    /**
     * Kerberos encryption type for AES-128 CTS mode with HMAC-SHA1-96.
     */
    public static final int ETYPE_AES128_CTS_HMAC_SHA1_96 = 17;
    /**
     * Kerberos encryption type for AES-256 CTS mode with HMAC-SHA1-96.
     */

    }

    /**
     * Test that encryption is properly configured
     */
    @Test
    public void testEncryptionConfiguration() throws CIFSException {
        BaseConfiguration config = new BaseConfiguration(true);

        // Verify encryption configuration is available (default is false for compatibility)
        // But can be enabled when needed

```
export MINIO_KMS_AUTO_ENCRYPTION=on
```

### Verify auto-encryption

> Note that auto-encryption only affects requests without S3 encryption headers. So, if a S3 client sends
> e.g. SSE-C headers, MinIO will encrypt the object with the key sent by the client and won't reach out to
> the configured KMS.

To verify auto-encryption, use the following `mc` command:

```
mc cp test.file myminio/bucket/

    @CsvSource({ "true, true, SMB311, 2", // DFS + Encryption
            "false, true, SMB311, 1", // Encryption only
            "true, false, SMB311, 1", // DFS only
            "false, false, SMB311, 0", // Neither
            "true, true, SMB210, 1", // DFS only (no encryption for SMB2)
            "false, true, SMB210, 0" // Neither (no encryption for SMB2)
    })

import javax.security.auth.Destroyable;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Secure credential storage with encryption at rest.
 *
 * Provides secure storage of passwords and other sensitive credentials
 * using AES-GCM encryption with PBKDF2 key derivation.
 *
 * Features:
 * - Encrypts credentials at rest using AES-256-GCM
 * - Uses PBKDF2 for key derivation from master password

          "X-Minio-Internal-Server-Side-Encryption-Seal-Algorithm": "REFSRXYyLUhNQUMtU0hBMjU2",
          "X-Minio-Internal-Server-Side-Encryption-Iv": "bW5YRDhRUGczMVhkc2pJT1V1UVlnbWJBcndIQVhpTUN1dnVBS0QwNUVpaz0=",