# MinIO AIStor KES RELEASE.2026-03-14T05-28-50Z

Released: 2026-03-14

This release introduces encrypted file system storage for at-rest key encryption, adds JSON log format support for improved observability integration, and includes important fixes for key listing pagination and AWS Secrets Manager configuration flexibility. The release also upgrades to Go v1.26.1 with updated linting rules.

---

## Downloads

### Binary Downloads

| Platform | Architecture | Download                                                                       |
| -------- | ------------ | ------------------------------------------------------------------------------ |
| Linux    | amd64        | [kes](https://dl.min.io/aistor/kes/release/linux-amd64/kes)                   |
| Linux    | arm64        | [kes](https://dl.min.io/aistor/kes/release/linux-arm64/kes)                   |
| macOS    | arm64        | [kes](https://dl.min.io/aistor/kes/release/darwin-arm64/kes)                  |
| macOS    | amd64        | [kes](https://dl.min.io/aistor/kes/release/darwin-amd64/kes)                  |
| Windows  | amd64        | [kes.exe](https://dl.min.io/aistor/kes/release/windows-amd64/kes.exe)         |

### FIPS Binaries

| Platform | Architecture | Download                                                                       |
| -------- | ------------ | ------------------------------------------------------------------------------ |
| Linux    | amd64        | [kes.fips](https://dl.min.io/aistor/kes/release/linux-amd64/kes.fips)         |

### Container Images

```bash
# Standard
docker pull quay.io/minio/aistor/kes:RELEASE.2026-03-14T05-28-50Z
podman pull quay.io/minio/aistor/kes:RELEASE.2026-03-14T05-28-50Z

# FIPS
docker pull quay.io/minio/aistor/kes:RELEASE.2026-03-14T05-28-50Z.fips
podman pull quay.io/minio/aistor/kes:RELEASE.2026-03-14T05-28-50Z.fips
```

---

## New Features

- **Encrypted File System Store**: Added a new `efs` (encrypted filesystem) keystore backend that encrypts keys at rest using a master key with AES-GCM or ChaCha20 encryption. This provides an additional layer of security for filesystem-based deployments where keys need to be protected on disk. Configure via the new `keystore.efs` section in `server-config.yaml` with `path`, `key`, and `cipher` options (#31)

- **JSON Log Format**: MinIO AIStor KES now supports configurable log output format. Set `log.format: JSON` in your server configuration to output structured JSON logs for both error and audit events, enabling seamless integration with log aggregation systems like ELK, Splunk, and Grafana Loki. The default remains plain text format. Log format can be updated dynamically via config reload (#28)

---

## Improvements

- **AWS Secrets Manager Endpoint Now Optional**: The `endpoint` field in the AWS Secrets Manager keystore configuration is no longer required. When omitted, the AWS SDK uses its default regional endpoints, simplifying configuration for standard AWS deployments and reducing boilerplate in config files (#29)

- **Go v1.26.1 Upgrade**: Updated the Go toolchain to v1.26.1, bringing improved performance, security patches, and updated linting rules across the codebase (#36)

---

## Bug Fixes

- **Key Listing Pagination**: Fixed off-by-one errors in the key listing logic that could return incorrect results when listing keys with a prefix and a limit. The `List` operation now correctly returns exactly the first `n` matching names and the proper continuation token for paginated queries (#30)
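
The listing contract described in the fix above, as an added example that is not KES source code: `listPage` is a hypothetical helper, and the continuation token format (the first matching name not yet returned, empty once the listing is complete) is an assumption. It exercises the boundary where the page fills exactly, which is where an off-by-one drops or repeats a key name.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// listPage is a hypothetical helper, not KES code. It returns at most n names
// that start with prefix, in sorted order, beginning at continueAt (inclusive).
// The second value is the continuation token: the first matching name that was
// NOT returned, or "" when nothing is left (assumed token format).
// A negative n means "no limit".
func listPage(names []string, prefix, continueAt string, n int) ([]string, string) {
	sorted := append([]string(nil), names...) // do not reorder the caller's slice
	sort.Strings(sorted)

	// Names sharing a prefix are contiguous once sorted; resume at the token if set.
	start := prefix
	if continueAt > start {
		start = continueAt
	}
	i := sort.SearchStrings(sorted, start)

	page := []string{}
	for ; i < len(sorted) && strings.HasPrefix(sorted[i], prefix); i++ {
		if len(page) == n {
			// Page is full and one more match exists: hand it back as the token.
			return page, sorted[i]
		}
		page = append(page, sorted[i])
	}
	return page, "" // matches exhausted, including the case of exactly n matches
}

func main() {
	// Constructed sample key names.
	names := []string{"tenant-a/key-3", "tenant-b/key-1", "tenant-a/key-1", "tenant-a/key-2"}
	token := ""
	for {
		var page []string
		page, token = listPage(names, "tenant-a/", token, 2)
		fmt.Println(page, "next:", token)
		if token == "" {
			break
		}
	}
}
```
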

---

## Security & Compliance

### Software Bill of Materials (SBOM)

This release includes comprehensive SBOM documentation in multiple formats:

- [SPDX JSON](sbom-RELEASE.2026-03-14T05-28-50Z.spdx.json) - Standard SBOM format
- [CycloneDX JSON](sbom-RELEASE.2026-03-14T05-28-50Z.cyclonedx.json) - Security scanner compatible
- [Go Modules](go-modules-RELEASE.2026-03-14T05-28-50Z.txt) - Human-readable dependency list

SBOM files document all direct and transitive dependencies for security auditing and compliance requirements.

---

## Upgrade Instructions

For detailed upgrade instructions, please read: https://docs.min.io/enterprise/aistor-key-encryption-service/upgrade-aistor-kes/

Platform-specific upgrade guides:

- **Linux/Bare Metal**: https://docs.min.io/enterprise/aistor-key-encryption-service/upgrade-aistor-kes/upgrade-aistor-linux/
- **Kubernetes with Helm**: https://docs.min.io/enterprise/aistor-key-encryption-service/upgrade-aistor-kes/upgrade-aistor-kubernetes-helm/

### New Configuration Options

- `keystore.efs.path` - Directory path for encrypted filesystem keystore
- `keystore.efs.key` - Path to the master encryption key file
- `keystore.efs.cipher` - Encryption algorithm (`AES256` or `ChaCha20`)
- `log.format` - Log output format (`Text` or `JSON`, default: `Text`)

### Support

For enterprise support:

- SUBNET Support: https://subnet.min.io
- Documentation: https://docs.min.io
