Andreas Auernhammer

Results 26 comments of Andreas Auernhammer

@allanrogerr @shtripat Consider `kes server --dev` or see https://pkg.go.dev/github.com/minio/kes#Server You can start a KES server like a Go HTTP server. Both are there to simplify writing tests and make them...

Thank you for the detailed description @frogu - I will look into this. Your proposed configuration option for specifying the certificate encoding seems reasonable. I will do some additional analysis...

cc @ravindk89 - This will require a doc update

> Do we persist the random value to file somewhere, or is it kept solely as a config option (thus solving the plaintext problem)

Nothing is persistent here. What happens...

Technically, we could use the same approach for all root credentials, not just when they're not set manually. (If KMS is present, use the HMAC API to generate them automatically)...

>since we only compare checksums within a single part (and not across parts, objects or let alone minio servers), if a bit rot would result in an equivalent checksum to...

>I went back to my Excel sheet and did some extrapolations as to when a certain bit length would get a collision with the following results in terms of number...

@beep-beep-beep-boop I cannot reproduce this.

```
» echo 12345678 | minisign -G -s my-key.key -p my-key.pub
Deriving a key from the password in order to encrypt the secret key... done...
```

This issue is caused by the line:
https://github.com/etcd-io/etcd/blob/c983744ac20103fe1339766cbaa5f5a5c41d5581/server/storage/wal/walpb/record.pb.go#L119

Newer versions of protoc don't generate such calls. This is not related to the `package` directive in the .proto file. It seems...

> I think the certificate generation could and likely should be done by default whenever SSE (Server Side Encryption) is enabled. I know it is currently enabled based on globalIsSSL...