{"id":13509570,"url":"https://github.com/minio/kes","last_synced_at":"2025-06-20T11:43:28.996Z","repository":{"id":37405572,"uuid":"226350394","full_name":"minio/kes","owner":"minio","description":"[Deprecated] Key Encryption Server","archived":false,"fork":false,"pushed_at":"2025-05-27T05:05:02.000Z","size":1845,"stargazers_count":491,"open_issues_count":22,"forks_count":101,"subscribers_count":17,"default_branch":"master","last_synced_at":"2025-05-27T06:21:50.662Z","etag":null,"topics":["cryptography","encryption","kms","modern","scale","secure-by-default","security"],"latest_commit_sha":null,"homepage":"https://min.io/docs/kes/concepts/","language":"Go","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/minio.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"code_of_conduct.md","threat_model":null,"audit":"audit.go","citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2019-12-06T14:48:00.000Z","updated_at":"2025-05-27T05:10:46.000Z","dependencies_parsed_at":"2023-07-15T08:13:59.627Z","dependency_job_id":"c97e14ef-49b2-4279-8053-d84b0ac4087a","html_url":"https://github.com/minio/kes","commit_stats":{"total_commits":452,"total_committers":24,"mean_commits":"18.833333333333332","dds":0.584070796460177,"last_synced_commit":"fe54489812091915144bed6c3a793312fce31e09"},"previous_names":["minio/keys"],"tags_count":86,"template":false,"template_full_name":null,"purl":"pkg:github/minio/kes","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/minio%2Fkes","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/minio%2Fkes/tags","releases_url":"https://
repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/minio%2Fkes/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/minio%2Fkes/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/minio","download_url":"https://codeload.github.com/minio/kes/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/minio%2Fkes/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":260940306,"owners_count":23086294,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cryptography","encryption","kms","modern","scale","secure-by-default","security"],"created_at":"2024-08-01T02:01:09.757Z","updated_at":"2025-06-20T11:43:23.955Z","avatar_url":"https://github.com/minio.png","language":"Go","funding_links":[],"categories":["Go","security"],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003cimg src='.github/logo.svg?sanitize=true' width='55%'\u003e\n\u003c/p\u003e\n\n***\n\n**KES is a cloud-native distributed key management and encryption server designed to secure modern applications at scale.**\n\n - [What is KES?](#what-is-kes)\n - [Installation](#install)\n - [Quick Start](#quick-start)\n - [Documentation](#docs)\n \n## What is KES?\n\nKES is a distributed key management server that scales horizontally. It can either be run as edge server close to the applications\nreducing latency to and load on a central key management system (KMS) or as central key management service. 
KES nodes are self-contained\nstateless instances that can be scaled up and down automatically.\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src='.github/arch.png?sanitize=true' width='70%'\u003e\n\u003c/p\u003e\n\n## Install\n\nThe KES server and CLI are available as a single binary or container image, or can be built from source.\n\n\u003cdetails open=\"true\"\u003e\u003csummary\u003e\u003cb\u003e\u003ca name=\"homebrew\"\u003eHomebrew\u003c/a\u003e\u003c/b\u003e\u003c/summary\u003e\n\n```sh\nbrew install minio/stable/kes\n```\n\u003c/details\u003e\n\n\u003cdetails\u003e\u003csummary\u003e\u003cb\u003e\u003ca name=\"docker\"\u003eDocker\u003c/a\u003e\u003c/b\u003e\u003c/summary\u003e\n\nPull the latest release via:\n```\ndocker pull minio/kes\n```\n\u003c/details\u003e\n\n\u003cdetails\u003e\u003csummary\u003e\u003cb\u003e\u003ca name=\"binary-releases\"\u003eBinary Releases\u003c/a\u003e\u003c/b\u003e\u003c/summary\u003e\n\n| OS      | ARCH    | Binary                                                                                       |\n|:-------:|:-------:|:--------------------------------------------------------------------------------------------:|\n| linux   | amd64   | [linux-amd64](https://github.com/minio/kes/releases/latest/download/kes-linux-amd64)         |\n| linux   | arm64   | [linux-arm64](https://github.com/minio/kes/releases/latest/download/kes-linux-arm64)         |\n| darwin  | arm64   | [darwin-arm64](https://github.com/minio/kes/releases/latest/download/kes-darwin-arm64)       |\n| windows | amd64   | [windows-amd64](https://github.com/minio/kes/releases/latest/download/kes-windows-amd64.exe) |\n\nDownload the binary via `curl`, replacing `\u003cOS\u003e` and `\u003cARCH\u003e` with your operating system and CPU architecture.\n```\ncurl -sSL --tlsv1.2 'https://github.com/minio/kes/releases/latest/download/kes-\u003cOS\u003e-\u003cARCH\u003e' -o ./kes\n```\n```\nchmod +x ./kes\n```\n\nYou can also verify the binary with 
[minisign](https://jedisct1.github.io/minisign/) by downloading the corresponding [`.minisig`](https://github.com/minio/kes/releases/latest) signature file. \nRun:\n```\ncurl -sSL --tlsv1.2 'https://github.com/minio/kes/releases/latest/download/kes-\u003cOS\u003e-\u003cARCH\u003e.minisig' -o ./kes.minisig\n```\n```\nminisign -Vm ./kes -P RWTx5Zr1tiHQLwG9keckT0c45M3AGeHD6IvimQHpyRywVWGbP1aVSGav\n```\n\u003c/details\u003e   \n   \n\u003cdetails\u003e\u003csummary\u003e\u003cb\u003e\u003ca name=\"build-from-source\"\u003eBuild from source\u003c/a\u003e\u003c/b\u003e\u003c/summary\u003e\n\nDownload and install the binary via your Go toolchain:\n\n```sh\ngo install github.com/minio/kes/cmd/kes@latest\n```\n\n\u003c/details\u003e\n   \n## Quick Start\n   \nWe run a public KES instance at `https://play.min.io:7373` as a playground.\nYou can interact with our play instance either via the KES CLI or cURL.\nAlternatively, you can get started by setting up your own KES server in\nless than five minutes.\n   \n\u003cdetails\u003e\u003csummary\u003e\u003cb\u003eFirst steps\u003c/b\u003e\u003c/summary\u003e\n\n#### 1. Configure CLI\nPoint the KES CLI to the KES server at `https://play.min.io:7373` and use the following API key:\n```sh\nexport KES_SERVER=https://play.min.io:7373\nexport KES_API_KEY=kes:v1:AD9E7FSYWrMD+VjhI6q545cYT9YOyFxZb7UnjEepYDRc\n```\n\n#### 3. Create a Key\nCreate a new root encryption key - e.g. `my-key`.\n```\nkes key create my-key\n```\n\u003e Note that creating a new key will fail with `key already exist` if it already exists.\n\n#### 4. 
Generate a DEK\nDerive a new data encryption key (DEK).\n```sh\nkes key dek my-key\n```\nThe plaintext part of the DEK would be used by an application to encrypt some data.\nThe ciphertext part of the DEK would be stored alongside the encrypted data for future\ndecryption.\n\n\u003c/details\u003e   \n\n## Docs\n\nIf you want to learn more about KES, check out our [documentation](https://min.io/docs/kes/).\n - [Integration Guides](https://github.com/minio/kes/wiki#supported-kms-targets)\n - [Command Line](https://min.io/docs/kes/cli/#available-commands)\n - [Server API](https://min.io/docs/kes/concepts/server-api/)\n - [Go SDK](https://pkg.go.dev/github.com/minio/kes-go)\n\n### Monitoring\n\nKES servers provide an API endpoint `/v1/metrics` that observability tools, like [Prometheus](https://prometheus.io/), can scrape.  \nRefer to the [monitoring documentation](https://min.io/docs/kes/concepts/monitoring/) for how to set up and capture KES metrics.\n\nFor a graphical Grafana dashboard refer to the following [example](examples/grafana/dashboard.json).\n\n![](.github/grafana-dashboard.png)  \n\n## FAQs\n\n\u003cdetails\u003e\u003csummary\u003e\u003cb\u003eI have received an \u003ccode\u003einsufficient permissions\u003c/code\u003e error\u003c/b\u003e\u003c/summary\u003e\n   \nThis means that you are using a KES identity that is not allowed to perform a specific operation, like creating or listing keys.\n\nThe KES [admin identity](https://github.com/minio/kes/blob/6452cdc079dfae54e4a46102cb4622c80b99776f/server-config.yaml#L8)\ncan perform any general purpose API operation. 
You should never experience a `not authorized: insufficient permissions`\nerror when performing general purpose API operations using the admin identity.\n\nIn addition to the admin identity, KES supports a [policy-based](https://github.com/minio/kes/blob/6452cdc079dfae54e4a46102cb4622c80b99776f/server-config.yaml#L77) access control model.\nYou will receive a `not authorized: insufficient permissions` error in the following two cases:\n1. **You are using a KES identity that is not assigned to any policy. KES rejects requests issued by unknown identities.**\n   \n   This can be fixed by assigning a policy to the identity. Check out the [examples](https://github.com/minio/kes/blob/6452cdc079dfae54e4a46102cb4622c80b99776f/server-config.yaml#L79-L88).\n2. **You are using a KES identity that is assigned to a policy but the policy either does not allow or even denies the API call.**\n   \n   In this case, you have to grant the API permission in the policy assigned to the identity. Check out the [list of APIs](https://github.com/minio/kes/wiki/Server-API#api-overview).\n   For example, when you want to create a key you should allow the `/v1/key/create/\u003ckey-name\u003e` API. The `\u003ckey-name\u003e` can either be a\n   specific key name, like `my-key-1`, or a pattern allowing arbitrary key names, like `my-key*`.\n   \n   Also note that deny rules take precedence over allow rules. Hence, you have to make sure that any deny pattern does not\n   accidentally match your API request.\n\n\u003c/details\u003e   \n   \n***\n\n## License\nUse of `KES` is governed by the AGPLv3 license that can be found in the [LICENSE](./LICENSE) file.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fminio%2Fkes","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fminio%2Fkes","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fminio%2Fkes/lists"}