Enable Network Encryption

AIStor implements Transport Layer Security (TLS) 1.2+ encryption with support for Server Name Indication (SNI) for selecting relevant TLS certificates in response to client requests.

You must set up TLS before you can enable data encryption, also called server-side encryption.

AIStor supports the following types of certificate signatures:

  • self-signed

  • internal or private certificate authorities (CAs)

  • third-party CAs

Multiple certificates are implemented with Server Name Indication (SNI) to determine which certificate to return to a client based on the hostname in the request.

Prerequisites

  • The appropriate X.509 certificates for your environment.

  • Read and write permissions on the certificate directories for the user that places the certificates there.

Procedure

  1. Create the certificates and Certificate Authorities (CAs) your environment requires.

  2. Create the appropriate directories for your certificates.

    # example certificates path
    /opt/minio/certs
    
    # example CAs path
    /opt/minio/certs/CAs
    

    See also Certificate path.

  3. Set the ownership of these directories to minio-user:

    # as needed, similar for CAs
    sudo chown -R minio-user:minio-user /opt/minio/certs
    
  4. (required) Add certificates. At least one private.key and public.crt must be placed at the root of the certs directory, to provide the default certificate.

    /certs
      private.key
      public.crt
    
  5. (optional) Add more certificates per domain as your environment requires.

    /certs
      private.key
      public.crt # default certificate
      /object-store.example.net
        private.key
        public.crt # wildcard certificate for *.object-store.example.net
      /s3.example.net
        private.key
        public.crt # wildcard certificate for *.s3.example.net
    
  6. (optional) Add CA certificates to the CAs directory (for example, /opt/minio/certs/CAs).

  7. Modify the environment file at /etc/default/minio as follows.

    MINIO_OPTS="--certs-dir /opt/minio/certs"
    
    # specify https for all nodes
    MINIO_VOLUMES="https://..."
    
  8. Restart AIStor.

    # ALIAS is the mc alias configured for this deployment
    mc admin service restart ALIAS
    

Certificate Path

AIStor searches for certificates at either the default path, documented in the procedure on this page, or at a user-specified path.

If you use a custom path, set it in the environment file as part of MINIO_OPTS, or pass it on the command line:

minio server --certs-dir PATH_TO_CUSTOM_CERTS_LOCATION

Make sure the user running the AIStor service has read and write permissions to this location.

Multiple TLS Certificates

AIStor supports multiple TLS certificates using Server Name Indication (SNI) to determine which certificate to return to a client based on the hostname in the request.

If AIStor cannot find a TLS certificate whose SAN covers the hostname the client requested, AIStor presents the default certificate and attempts to complete the handshake. If no certificate matches the hostname in the client request, AIStor returns a TLS error indicating that the hostname could not be matched against a valid certificate.
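The procedure above and the SNI rule just described, worked end to end in Go as an added example written for this page (it is not AIStor's own code, and how AIStor implements the lookup internally is not documented here, so the callback below is a reading of the rule stated above rather than AIStor's implementation). It generates self-signed ECDSA P-256 key pairs into the certs layout from the procedure (private.key and public.crt at the root, plus one subdirectory per domain), loads that layout back, and installs a GetCertificate callback that picks the certificate whose SAN covers the SNI hostname and otherwise falls back to the default. The hostnames minio.example.net, object-store.example.net and s3.example.net and the temporary directory are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// writePair writes dir/private.key and dir/public.crt (the file names the procedure
// requires) for host and *.host, using an ECDSA P-256 key as the page recommends. Self-signed: lab use only.
func writePair(dir, host string) error {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host, "*." + host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return err
	}
	keyDER, _ := x509.MarshalECPrivateKey(key) // cannot fail for the key generated above
	_ = os.MkdirAll(dir, 0o750)                 // a failure here surfaces in WriteFile below
	// Key mode 0600: only the service user (minio-user in the procedure) may read it.
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	if err := os.WriteFile(filepath.Join(dir, "private.key"), keyPEM, 0o600); err != nil {
		return err
	}
	crtPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return os.WriteFile(filepath.Join(dir, "public.crt"), crtPEM, 0o644)
}

// loadCertsDir reads the layout back: the pair at the root is the default certificate (index 0);
// each domain subdirectory adds one more. The CAs directory holds no public.crt, so the glob skips it.
func loadCertsDir(root string) ([]tls.Certificate, error) {
	crts, _ := filepath.Glob(filepath.Join(root, "*", "public.crt"))
	var certs []tls.Certificate
	for _, crt := range append([]string{filepath.Join(root, "public.crt")}, crts...) {
		c, err := tls.LoadX509KeyPair(crt, filepath.Join(filepath.Dir(crt), "private.key"))
		if err != nil {
			return nil, err
		}
		if c.Leaf, err = x509.ParseCertificate(c.Certificate[0]); err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	return certs, nil
}

// sniConfig applies the rule described above on each handshake: the certificate whose SAN covers the
// SNI hostname is chosen; if none matches, the default (certs[0]) is offered and a verifying client rejects it.
func sniConfig(certs []tls.Certificate) *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		GetCertificate: func(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
			for i := range certs {
				if certs[i].Leaf.VerifyHostname(h.ServerName) == nil {
					return &certs[i], nil
				}
			}
			return &certs[0], nil
		},
	}
}

func main() {
	root, _ := os.MkdirTemp("", "certs")
	defer os.RemoveAll(root)
	// Constructed hostnames: a default pair at the root, one pair per domain subdirectory.
	for sub, host := range map[string]string{"": "minio.example.net",
		"object-store.example.net": "object-store.example.net", "s3.example.net": "s3.example.net"} {
		if err := writePair(filepath.Join(root, sub), host); err != nil {
			panic(err)
		}
	}
	certs, err := loadCertsDir(root)
	if err != nil {
		panic(err)
	}
	cfg := sniConfig(certs)
	for _, name := range []string{"bucket.s3.example.net", "object-store.example.net", "other.example.org"} {
		c, _ := cfg.GetCertificate(&tls.ClientHelloInfo{ServerName: name})
		fmt.Printf("SNI %-25s -> certificate for %s\n", name, c.Leaf.Subject.CommonName)
	}
}
```

Run it with `go run`: bucket.s3.example.net is served by the *.s3.example.net wildcard certificate, object-store.example.net by its exact match, and other.example.org falls through to the default certificate, which a client that verifies hostnames then rejects with a name mismatch, the TLS error case described above. Keys are written with mode 0600 so that only the service user can read them, matching the ownership step in the procedure.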

Certificate Authorities

AIStor validates the TLS certificate presented by each connecting client against the host system’s trusted root certificate store.

AIStor allows up to 10 intermediate certificates in the chain between a presented certificate and the trusted root certificate.

If AIStor cannot match an incoming client’s TLS certificate issuer against any of the available CAs, the server rejects the connection as invalid.

Internode connections

AIStor uses a separate configuration for internal, internode connections. When a node sends a request to another node, it includes a hash of the public key derived from the root credentials to establish trust. This requires that nodes have a direct TLS connection to all other nodes in the cluster.

If you require a reverse proxy or similar service between nodes, this may cause TLS to fail. Create an issue in SUBNET for assistance in configuring the system to work in such a scenario.

Supported TLS cipher suites

AIStor recommends generating ECDSA (for example, NIST P-256 curve) or EdDSA (for example, Curve25519) TLS private keys/certificates due to their lower computation requirements compared to RSA.

AIStor supports the following TLS 1.2 and 1.3 cipher suites as supported by Go. Recommended algorithms are marked with an asterisk (*):

All rights reserved 2024-Present, MinIO, Inc.