Enable Network Encryption
AIStor implements Transport Layer Security (TLS) 1.2+ encryption with support for Server Name Indication (SNI) for selecting relevant TLS certificates in response to client requests.
You must set up TLS before you can enable data encryption, also called server-side encryption.
AIStor supports the following types of certificate signatures:
- self-signed
- internal or private certificate authorities (CAs)
- third-party CAs
When multiple certificates are configured, SNI determines which certificate to return to a client based on the hostname in the request.
This procedure uses the MinIO certgen tool to generate self-signed certificates for local testing and development purposes.
Certificate path
AIStor searches by default for certificates at ~/.minio/certs.
When AIStor detects public.crt and private.key files in this directory, it automatically enables TLS.
If you work with a user-specified path, use the --certs-dir flag:
minio server --certs-dir /path/to/custom/certs /data
Prerequisites
- The certgen tool for generating self-signed certificates.
- Alternatively, TLS certificates from your organization’s certificate authority.
Procedure
This procedure assumes you have:
- completed the Install AIStor procedure.
- the necessary directories with full write access.
- a valid AIStor License, such as the AIStor Free license.
1. Generate TLS certificates
Use certgen to generate self-signed TLS certificates for testing and development.
For production environments, use certificates issued by a trusted certificate authority.
Install certgen
Download the certgen binary for your Mac.
Generate certificates
Generate a certificate that includes the hostnames and IP addresses clients use to connect to AIStor.
mkdir -p ~/.minio/certs
cd ~/.minio/certs
certgen -host "127.0.0.1,localhost"
This creates public.crt and private.key files in the ~/.minio/certs directory.
For additional hostnames or IP addresses, include them as a comma-separated list:
certgen -host "127.0.0.1,localhost,minio.example.com,192.168.1.100"
2. Run AIStor with TLS
AIStor automatically enables TLS when it detects public.crt and private.key files in the ~/.minio/certs directory.
minio server /tmp/minio --license ~/minio/minio.license
The output indicates TLS is enabled when the URLs use https://:
MinIO Enterprise Object Store
API: https://192.168.86.35:9000 https://127.0.0.1:9000
RootUser: minioadmin
RootPass: minioadmin
WebUI: https://192.168.86.35:9001 https://127.0.0.1:9001
RootUser: minioadmin
RootPass: minioadmin
3. Trust additional certificate authorities
If you need AIStor to trust certificates from additional certificate authorities, such as when connecting to MinIO KMS with self-signed certificates, place the CA certificates in the ~/.minio/certs/CAs directory.
mkdir -p ~/.minio/certs/CAs
cp /path/to/ca-certificate.crt ~/.minio/certs/CAs/
4. Connect using HTTPS
When TLS is enabled, use https:// instead of http:// when connecting to AIStor.
Configure mc to trust the certificate
The mc client must trust the AIStor server’s certificate.
The self-signed certificate generated by certgen acts as both the certificate and Certificate Authority (CA).
Copy the certificate to the mc configuration directory:
mkdir -p ~/.mc/certs/CAs
cp ~/.minio/certs/public.crt ~/.mc/certs/CAs/
Then create an alias using HTTPS:
mc alias set myaistor https://localhost:9000 minioadmin minioadmin
Alternatively, use the --insecure flag to skip certificate verification (not recommended for production):
mc alias set myaistor https://localhost:9000 minioadmin minioadmin --insecure
Access the Console
Open your browser to https://localhost:9001 to access the Console.
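As an added example (not code from the AIStor documentation or from the certgen tool), this Go program reproduces the two checks that steps 1 and 4 rely on: it builds a certgen-style self-signed certificate whose SANs must list every hostname and IP clients connect with, then verifies the pair the way the server and mc do once public.crt is copied to ~/.mc/certs/CAs. The function names, the 365-day validity and the P-256 key type are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"math/big"
	"net"
	"time"
)

// selfSignedPEM builds what "certgen -host ..." writes to ~/.minio/certs: IPs go into
// the IP SANs, names into the DNS SANs, and the certificate is its own CA.
func selfSignedPEM(ips []net.IP, names []string) (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour), // assumed validity period
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IsCA:         true, BasicConstraintsValid: true,
		IPAddresses:  ips, DNSNames: names,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, _ := x509.MarshalECPrivateKey(key) // cannot fail for the key generated above
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), // public.crt
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), nil // private.key
}

// verifyPair loads public.crt and private.key as the server does (the key must match the
// certificate), then checks the certificate as mc does with public.crt in ~/.mc/certs/CAs.
func verifyPair(certPEM, keyPEM []byte, host string) error {
	pair, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return err
	}
	cert, _ := x509.ParseCertificate(pair.Certificate[0]) // already parsed by X509KeyPair
	roots := x509.NewCertPool()
	roots.AppendCertsFromPEM(certPEM) // the self-signed certificate is its own CA
	_, err = cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err // a host missing from the SAN list fails here with a hostname error
}
```

Running verifyPair against a hostname that was not passed to certgen reproduces the verification failure mc reports when the alias URL and the certificate's SANs disagree.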