Keep an up-to-date copy of the KMS master key (#19492)

2026-02-04 18:00:15 -05:00 · 2024-04-15 00:42:50 -07:00
parent e7baf78ee8
commit b8f05b1471
4 changed files with 99 additions and 18 deletions
--- a/cmd/common-main.go
+++ b/cmd/common-main.go
@@ -958,16 +958,19 @@ func handleKMSConfig() {
 			}
 		}

-		KMS, err := kms.NewWithConfig(kmsConf)
+		kmsLogger := Logger{}
+		KMS, err := kms.NewWithConfig(kmsConf, kmsLogger)
 		if err != nil {
 			logger.Fatal(err, "Unable to initialize a connection to KES as specified by the shell environment")
 		}
-		// We check that the default key ID exists or try to create it otherwise.
-		// This implicitly checks that we can communicate to KES. We don't treat
-		// a policy error as failure condition since MinIO may not have the permission
+		// Try to generate a data encryption key. Only try to create key if this fails.
+		// This implicitly checks that we can communicate to KES.
+		// We don't treat a policy error as failure condition since MinIO may not have the permission
 		// to create keys - just to generate/decrypt data encryption keys.
-		if err = KMS.CreateKey(context.Background(), env.Get(kms.EnvKESKeyName, "")); err != nil && !errors.Is(err, kes.ErrKeyExists) && !errors.Is(err, kes.ErrNotAllowed) {
-			logger.Fatal(err, "Unable to initialize a connection to KES as specified by the shell environment")
+		if _, err = KMS.GenerateKey(GlobalContext, env.Get(kms.EnvKESKeyName, ""), kms.Context{}); err != nil && errors.Is(err, kes.ErrKeyNotFound) {
+			if err = KMS.CreateKey(context.Background(), env.Get(kms.EnvKESKeyName, "")); err != nil && !errors.Is(err, kes.ErrKeyExists) && !errors.Is(err, kes.ErrNotAllowed) {
+				logger.Fatal(err, "Unable to initialize a connection to KES as specified by the shell environment")
+			}
 		}
 		GlobalKMS = KMS
 	}