Enable Network Encryption
AIStor implements Transport Layer Security (TLS) 1.2+ encryption with support for Server Name Indication (SNI) for selecting relevant TLS certificates in response to client requests.
TLS must be configured before you can enable server-side encryption of stored objects (data encryption at rest).
AIStor supports the following types of certificate signatures:
- self-signed
- internal or private certificate authorities (CAs)
- third-party CAs
Multiple certificates are implemented with Server Name Indication (SNI) to determine which certificate to return to a client based on the hostname in the request.
Prerequisites
- The appropriate X.509 certificates for your environment.
- Read and write permissions on the certificate directories for the user that adds the certificates.
Procedure
- Create the certificates and Certificate Authorities (CAs) your environment requires.
- Create the directories for your certificates.

    # example certificates path
    /opt/minio/certs
    # example CAs path
    /opt/minio/certs/CAs

  See also Certificate Path.
- Set the ownership of these directories to minio-user:

    # -R also covers the CAs subdirectory
    sudo chown -R minio-user:minio-user /opt/minio/certs

- (required) Add certificates. At least one private.key and public.crt pair must be placed at the root of the certs directory; this pair is the default certificate.

    /certs
      private.key
      public.crt

- (optional) Add more certificates per domain as your environment requires. Each additional certificate lives in its own subdirectory as a private.key and public.crt pair.

    /certs
      private.key
      public.crt                   # default certificate
      /object-store.example.net
        private.key
        public.crt                 # wildcard certificate for *.object-store.example.net
      /s3.example.net
        private.key
        public.crt                 # wildcard certificate for *.s3.example.net

- (optional) Add the certificates of any internal or private CAs to the CAs directory so that AIStor trusts the certificates they issued (see Certificate Authorities below).
- Modify the environment file at /etc/default/minio as follows. Every node must be addressed with https://, otherwise the nodes do not use TLS between each other.

    MINIO_OPTS="--certs-dir /opt/minio/certs"
    # specify https for all nodes
    MINIO_VOLUMES="https://..."

- Restart AIStor, where ALIAS is the mc alias for the deployment:

    mc admin service restart ALIAS
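The following shell functions are an added example, not code from the AIStor documentation or the MinIO project: they carry out the directory, ownership, key generation and validation steps of the procedure above and check the environment file before the restart. The service account name minio-user and the path /opt/minio/certs are assumptions taken over from the procedure; they are parameters here. Key generation uses openssl 1.1.1 or later and produces an ECDSA P-256 key, the key type the page recommends over RSA.

```shell
#!/usr/bin/env bash
# Added example (not AIStor code): build and sanity-check the --certs-dir tree.
# Assumptions: service account "minio-user", tree under /opt/minio/certs;
# both are arguments so the script can be dry-run elsewhere.

set -u

# Create the certs root plus CAs/ and hand them to the service account when
# running as root (chown is skipped otherwise so an unprivileged dry run works).
setup_certs_dir() {
  local dir="$1" user="${2:-minio-user}"
  mkdir -p "$dir/CAs"
  chmod 0750 "$dir" "$dir/CAs"
  if [ "$(id -u)" -eq 0 ] && id "$user" >/dev/null 2>&1; then
    chown -R "$user:" "$dir"          # user and its login group
  fi
}

# Generate an ECDSA P-256 key and a self-signed certificate whose SANs cover
# HOSTS (comma separated, wildcards allowed), written as the private.key /
# public.crt pair AIStor looks for. Requires openssl 1.1.1+ for -addext.
# Usage: gen_self_signed DIR CN 'host1,host2,*.wild.example'
gen_self_signed() {
  local dir="$1" cn="$2" hosts="$3" alt
  alt=$(printf '%s' "$hosts" | tr ',' '\n' | sed 's/^/DNS:/' | paste -sd, -)
  mkdir -p "$dir"
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -days 365 -subj "/CN=$cn" -addext "subjectAltName=$alt" \
    -keyout "$dir/private.key" -out "$dir/public.crt" 2>/dev/null
  chmod 0600 "$dir/private.key"
  chmod 0644 "$dir/public.crt"
}

# A private key must not be group- or world-readable.
key_perms_ok() {
  local key="$1" mode
  mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
  case "$mode" in
    600|400) return 0 ;;
    *) echo "$key is mode $mode, expected 600" >&2; return 1 ;;
  esac
}

# Verify the layout before restarting: a default pair at the root and a
# complete pair in every per-hostname subdirectory (CAs/ is exempt, it holds
# only CA certificates). Reports the first problem and returns 1.
check_certs_layout() {
  local dir="$1" sub
  [ -d "$dir" ] || { echo "missing certs dir $dir" >&2; return 1; }
  [ -f "$dir/private.key" ] && [ -f "$dir/public.crt" ] \
    || { echo "default private.key/public.crt missing in $dir" >&2; return 1; }
  key_perms_ok "$dir/private.key" || return 1
  for sub in "$dir"/*/; do
    sub="${sub%/}"
    [ -d "$sub" ] || continue
    [ "${sub##*/}" = "CAs" ] && continue
    [ -f "$sub/private.key" ] && [ -f "$sub/public.crt" ] \
      || { echo "incomplete certificate pair in $sub" >&2; return 1; }
    key_perms_ok "$sub/private.key" || return 1
  done
  return 0
}

# The environment file must point MINIO_OPTS at the certs dir and every
# MINIO_VOLUMES endpoint must be https://, or the nodes will not use TLS.
check_env_file() {
  local file="$1"
  grep -Eq '^MINIO_OPTS=.*--certs-dir[ =]' "$file" \
    || { echo "MINIO_OPTS in $file lacks --certs-dir" >&2; return 1; }
  grep -Eq '^MINIO_VOLUMES=.*https://' "$file" \
    || { echo "MINIO_VOLUMES in $file is not https" >&2; return 1; }
  ! grep -Eq '^MINIO_VOLUMES=.*http://' "$file" \
    || { echo "MINIO_VOLUMES in $file still has an http:// endpoint" >&2; return 1; }
}
```

Run check_certs_layout and check_env_file on the real tree and /etc/default/minio before issuing the restart; a missing default pair or a world-readable key is caught here rather than by a failed startup.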
Certificate Path
AIStor searches for certificates either at the path shown in the procedure on this page or at a path you specify.
To use your own path, pass it as part of MINIO_OPTS in the environment file:

    MINIO_OPTS="--certs-dir PATH_TO_CUSTOM_CERTS_LOCATION"

Or pass it directly on the command line:

    minio server --certs-dir PATH_TO_CUSTOM_CERTS_LOCATION
Make sure the user running the AIStor service has read and write permissions to this location.
Multiple TLS Certificates
AIStor supports multiple TLS certificates using Server Name Indication (SNI) to determine which certificate to return to a client based on the hostname in the request.
If AIStor cannot find a TLS certificate whose Subject Alternative Name (SAN) covers the hostname the client requested, it falls back to the default certificate from the root of the certs directory and attempts the handshake with it. If the default certificate does not cover the requested hostname either, the handshake fails with a TLS error indicating that the hostname could not be matched against a valid certificate.
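As an added example, not code from AIStor, the functions below approximate the lookup just described against a certs directory on disk, and probe a running endpoint to see which certificate it actually serves for a given server name. The selection walk is an approximation: it matches by certificate content (SANs, via openssl x509 -checkhost), not by directory name, and falls back to the default pair at the root. The directory layout (private.key and public.crt at the root, one subdirectory per additional certificate) is the one from the procedure; the hostnames are constructed.

```shell
#!/usr/bin/env bash
# Added example (not AIStor code): approximate SNI certificate selection over
# a --certs-dir tree and probe a live endpoint. Requires openssl 1.1.1+.

set -u

# True if DIR/public.crt lists HOST (exact or wildcard) in its SANs.
# openssl prints "does match"/"does NOT match" and exits 0 either way,
# so the verdict has to be read from the output.
cert_covers_host() {
  openssl x509 -in "$1/public.crt" -noout -checkhost "$2" 2>/dev/null \
    | grep -q ' does match'
}

# Print the directory whose certificate would be offered for HOST: the first
# non-default certificate whose SAN covers HOST, otherwise the default pair at
# the root of CERTS_DIR. Returns 1 when even the default does not cover HOST,
# which is the case where a client ends up with a hostname-mismatch TLS error.
select_cert_dir() {
  local certs_dir="$1" host="$2" sub
  for sub in "$certs_dir"/*/; do
    sub="${sub%/}"
    [ -f "$sub/public.crt" ] || continue     # skips CAs/ and anything else
    if cert_covers_host "$sub" "$host"; then
      printf '%s\n' "$sub"
      return 0
    fi
  done
  printf '%s\n' "$certs_dir"                 # fall back to the default certificate
  cert_covers_host "$certs_dir" "$host"
}

# Ask a running endpoint which certificate it serves for server name SNI and
# print that certificate's subject and SAN list. Needs network access.
# Usage: probe_sni HOST:PORT SNI
probe_sni() {
  openssl s_client -connect "$1" -servername "$2" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -ext subjectAltName
}
```

Running probe_sni against the same host:port with each hostname your clients use (for example one name per wildcard domain plus a name covered only by the default certificate) confirms that the deployment selects the certificate you expect; a mismatch usually means a SAN typo or a pair placed in the wrong directory.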
Certificate Authorities
AIStor validates the TLS certificate presented by each connecting client against the host system's trusted root certificate store and against the CA certificates placed in the CAs subdirectory of the certs directory.
AIStor allows up to 10 intermediate certificates in the chain from the presented certificate to a trusted root certificate.
If AIStor cannot match the issuer of an incoming client's TLS certificate against any of the available CAs, the server rejects the connection as invalid.
Internode connections
AIStor uses a separate configuration for internal, internode connections. When a node sends a request to another node, it includes a hash of the public key derived from the root credentials to establish trust. This requires that every node can open a direct TLS connection to every other node in the cluster.
If you require a reverse proxy or similar service between nodes, this may cause internode TLS to fail. Create an issue in SUBNET for assistance in configuring the system to work in such a scenario.
Supported TLS cipher suites
AIStor recommends generating ECDSA (for example, on the NIST P-256 curve) or EdDSA (for example, Ed25519 on Curve25519) TLS private keys and certificates, because they require less computation than RSA keys of comparable strength.
AIStor supports the following TLS 1.2 and 1.3 cipher suites as supported by Go. Recommended algorithms are marked with an asterisk (*):