Enable Network Encryption
AIStor implements Transport Layer Security (TLS) 1.2+ encryption with support for Server Name Indication (SNI) for selecting relevant TLS certificates in response to client requests.
You must set up TLS before you can enable data encryption, also called server-side encryption.
AIStor supports the following types of certificate signatures:
- self-signed
- internal or private certificate authorities (CAs)
- third-party CAs
When multiple certificates are installed, AIStor uses SNI to select which certificate to return to a client based on the hostname in the request.
This procedure uses the MinIO certgen tool to generate self-signed certificates for local testing and development purposes.
Prerequisites
- The certgen tool for generating self-signed certificates.
- Alternatively, TLS certificates from your organization’s certificate authority.
Procedure
This procedure assumes that you have:
- completed the Install AIStor procedure.
- the necessary directories with full write access.
- a valid AIStor License, such as the AIStor Free license.
1. Generate TLS certificates
Use certgen to generate self-signed TLS certificates for testing and development.
For production environments, use certificates issued by a trusted certificate authority.
Install certgen
Download the certgen binary for your platform from the releases page.
Generate certificates
Generate a certificate that includes the hostnames and IP addresses clients use to connect to AIStor.
mkdir -p $HOME/minio/certs
cd $HOME/minio/certs
certgen -host "127.0.0.1,localhost"
This creates public.crt and private.key files in the $HOME/minio/certs directory.
For additional hostnames or IP addresses, include them as a comma-separated list:
certgen -host "127.0.0.1,localhost,minio.example.com,192.168.1.100"
2. Run AIStor with TLS
Mount the certificate directory to the container to enable TLS. The following examples use the same directory structure as the installation procedure.
The --certs-dir flag tells AIStor where to find the TLS certificates.
AIStor automatically enables TLS when it detects public.crt and private.key files in the specified directory.
3. Trust additional certificate authorities
If you need AIStor to trust certificates from additional certificate authorities, such as when connecting to MinIO KMS with self-signed certificates, place the CA certificates in the $HOME/minio/certs/CAs directory.
mkdir -p $HOME/minio/certs/CAs
cp /path/to/ca-certificate.crt $HOME/minio/certs/CAs/
When you start the container, the CA certificates are mounted to /etc/minio/certs/CAs and automatically trusted by AIStor.
4. Connect using HTTPS
When TLS is enabled, use https:// instead of http:// when connecting to AIStor.
Configure mc to trust the certificate
The mc client must trust the AIStor server’s certificate.
The self-signed certificate generated by certgen acts as both the certificate and Certificate Authority (CA).
Copy the certificate to the mc configuration directory:
mkdir -p ~/.mc/certs/CAs
cp $HOME/minio/certs/public.crt ~/.mc/certs/CAs/
Then create an alias using HTTPS:
mc alias set myaistor https://localhost:9000 minioadmin minioadmin
Alternatively, use the --insecure flag to skip certificate verification (not recommended for production):
mc alias set myaistor https://localhost:9000 minioadmin minioadmin --insecure
Access the Console
Open your browser to https://localhost:9001 to access the Console.
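The checks below are an added example, not part of this page or of AIStor's or certgen's code: they reproduce what steps 1, 2 and 4 rely on, namely that private.key belongs to public.crt, that the certificate's SAN list covers the hostname clients connect to, and that a client trusting only the PEM files in a CAs directory (as mc does with ~/.mc/certs/CAs) accepts that certificate. The writeSelfSigned helper is a constructed offline stand-in for certgen -host, and the checkTLS function and its parameter names are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// writeSelfSigned writes public.crt/private.key into dir for the given DNS names: a constructed stand-in for "certgen -host ...", not certgen's code.
func writeSelfSigned(dir string, hosts ...string) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: hosts[0]}, DNSNames: hosts,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, IsCA: true, BasicConstraintsValid: true, // self-signed: the leaf doubles as its own CA
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	keyDER, _ := x509.MarshalPKCS8PrivateKey(priv)
	os.WriteFile(filepath.Join(dir, "public.crt"), pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o644)
	os.WriteFile(filepath.Join(dir, "private.key"), pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER}), 0o600)
}

// checkTLS mirrors steps 2 and 4: the server must load the pair (a missing file or a private.key that does
// not match public.crt fails here), and a client trusting only the PEMs in caDir must accept it for host.
func checkTLS(certsDir, caDir, host string) error {
	pair, err := tls.LoadX509KeyPair(filepath.Join(certsDir, "public.crt"), filepath.Join(certsDir, "private.key"))
	if err != nil {
		return err
	}
	leaf, _ := x509.ParseCertificate(pair.Certificate[0]) // LoadX509KeyPair already parsed it once
	roots := x509.NewCertPool()                           // loaded from caDir/*, as ~/.mc/certs/CAs or $HOME/minio/certs/CAs are
	files, _ := filepath.Glob(filepath.Join(caDir, "*"))
	for _, f := range files {
		b, _ := os.ReadFile(f)
		roots.AppendCertsFromPEM(b) // a file that is not PEM adds nothing, so Verify below fails closed
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err // fails for a host outside the SAN list, or when caDir lacks the server's public.crt
}
```

Run it with go test alongside a test that calls writeSelfSigned into a temporary directory, copies public.crt into a CAs subdirectory as step 4 does, and then calls checkTLS for a listed and an unlisted hostname.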