Product
Hybrid Cloud Object Storage Hybrid Cloud Object Storage
Overview Architecture
Baremetal Baremetal
Overview Architecture
Erasure Code Calculator Erasure Code Calculator Reference Hardware Reference Hardware
Features
Active Active Replication Identity & Access Management Encryption Bucket & Object Immutability Bucket & Object Versioning Data Life Cycle Management & Tiering Automated Data Management Interfaces Monitoring Scalability
Native Versions
MinIO for VMware Tanzu MinIO for OpenShift MinIO for Amazon Elastic Kubernetes Service MinIO for Azure Kubernetes Service MinIO for Google Kubernetes Engine
Docs
MinIO Baremetal MinIO Object Storage for Baremetal Infrastructure MinIO Hybrid Cloud MinIO Object Storage for Kubernetes-Managed Private and Public Cloud Infrastructure MinIO for VMware Cloud Foundation MinIO Object Storage for VMware Cloud Foundation 4.2 MinIO Legacy Documentation Legacy Documentation for MinIO Object Storage
Solutions
VMware Discover how MinIO integrates with VMware across the portfolio from the Persistent Data platform to TKGI and how we support their Kubernetes ambitions. Splunk Find out how MinIO is delivering performance at scale for Splunk SmartStores Veeam Learn how MinIO and Veeam have partnered to drive performance and scalability for a variety of backup use cases. Azure to AWS S3 Gateway Learn how MinIO allows Azure Blob to speak Amazon’s S3 API HDFS Migration Modernize and simplify your big data storage infrastructure with high-performance, Kubernetes-native object storage from MinIO. Teradata Discover why MinIO is the Native Object Store (NOS) of choice for at-scale Teradata deployments Integrations Browse our vast portfolio of integrations
Resources Blog Pricing Download

Welcome to the upcoming version of the MinIO Documentation! The content on this page is under active development and may change at any time. If you can't find what you're looking for, check our legacy documentation. Thank you for your patience.

Network Encryption (TLS)

The MinIO server supports Transport Layer Security (TLS) encryption of incoming and outgoing traffic. MinIO recommends all MinIO servers run with TLS enabled to ensure end-to-end security of client-server or server-server transmissions.

TLS is the successor to Secure Socket Layer (SSL) encryption. SSL is fully deprecated as of June 30th, 2018. MinIO uses only supported (non-deprecated) TLS protocols (TLS 1.2 and later).

MinIO supports multiple TLS certificates, where the server uses Server Name Indication (SNI) to identify which certificate to use when responding to a client request.

For example, consider a MinIO deployment reachable through the following hostnames:

  • https://minio.example.net

  • https://s3.example.net

  • https://minio.internal-example.net

MinIO can have a single TLS certificate that covers all hostnames with multiple Subject Alternative Names (SAN). However, this would reveal the internal-example.net hostname to all clients. Instead, you can specify multiple TLS certificates to MinIO for the public and private portions of your infrastructure to mitigate the risk of leaking internal topologies via TLS SAN. When a client connects using a specific hostname, MinIO uses SNI to select the appropriate TLS certificate for that hostname.

MinIO by default searches an OS-specific directory for TLS keys and certificates. For deployments started with a custom TLS directory minio server --certs-dir, use that directory instead of the defaults.

MinIO looks for TLS keys in the following directory:

${HOME}/.minio/certs

Place the TLS certificates for the default domain (e.g. minio.example.net) in the /certs directory, with the private key as private.key and public certificate as public.crt.

Create a subfolder in /certs for each additional domain for which MinIO should present TLS certificates. While MinIO has no requirements for folder names, consider creating subfolders whose name matches the domain to improve human readability. Place the TLS private and public key for that domain in the subfolder.

For example:

${HOME}/.minio/certs
  private.key
  public.cert
  s3-example.net/
    private.key
    public.cert
  internal-example.net/
    private.key
    public.cert

MinIO looks for TLS keys in the following directory:

${HOME}/.minio/certs

Place the TLS certificates for the default domain (e.g. minio.example.net) in the /certs directory, with the private key as private.key and public certificate as public.crt.

Create a subfolder in /certs for each additional domain for which MinIO should present TLS certificates. While MinIO has no requirements for folder names, consider creating subfolders whose name matches the domain to improve human readability. Place the TLS private and public key for that domain in the subfolder.

For example:

${HOME}/.minio/certs
  private.key
  public.cert
  s3-example.net/
    private.key
    public.cert
  internal-example.net/
    private.key
    public.cert

MinIO looks for TLS keys in the following directory:

%%USERPROFILE%%\.minio\certs

Place the TLS certificates for the default domain (e.g. minio.example.net) in the \certs directory, with the private key as private.key and public certificate as public.crt.

Create a subfolder in \certs for each additional domain for which MinIO should present TLS certificates. While MinIO has no requirements for folder names, consider creating subfolders whose name matches the domain to improve human readability. Place the TLS private and public key for that domain in the subfolder.

For example:

%%USERPROFILE%%\.minio\certs
  private.key
  public.cert
  s3-example.net\
    private.key
    public.cert
  internal-example.net\
    private.key
    public.cert

MinIO Console TLS Connectivity

The MinIO Console automatically connects via TLS if the MinIO server supports it. However, the Console by default attempts to connect using the IP address of the MinIO Server.

The MinIO Console may fail to connect and throw login errors if this IP address is not included as a Subject Alternative Name in any configured TLS certificate.

Set the MINIO_SERVER_URL environment variable to a resolvable DNS hostname covered by one of the configured TLS SANs. This allows the Console to properly validate the certificate and connect to MinIO.

Supported TLS Cipher Suites

MinIO supports the following TLS 1.2 and 1.3 cipher suites as supported by Go

Cipher

TLS 1.2

TLS 1.3

TLS_CHACHA20_POLY1305_SHA256

TLS_AES_128_GCM_SHA256

TLS_AES_256_GCM_SHA384

TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305

TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

Use ECDSA/EdDSA over RSA when when generating certificates

TLS certificates created using Elliptic Curve Cryptography (ECC) have lower computation requirements compared to RSA. Specifically, MinIO recommends generating ECDSA (e.g. NIST P-256 curve) or EdDSA (e.g. Curve25519) TLS private keys/certificates wherever possible.

Third-Party Certificate Authorities

MinIO by default uses the Operating System’s trusted certificate store for validating TLS certificates presented by a connecting client.

For clients connecting with certificates signed by an untrusted Certificate Authority (CA) (e.g. self-signed, private/internal, etc.), you can provide the necessary CA key for MinIO to explicitly trust:

MinIO by default searches an OS-specific directory for Certificate Authority certificates. For deployments started with a custom TLS directory minio server --certs-dir, use that directory instead of the defaults.

MinIO looks for Certificate Authority keys in the following directory:

${HOME}/.minio/certs/CAs

MinIO looks for Certificate Authority keys in the following directory:

${HOME}/.minio/certs/CAs

MinIO looks for Certificate Authority keys in the following directory:

%%USERPROFILE%%\.minio\certs\CAs

This work is licensed under a Creative Commons Attribution 4.0 International License.

©2020-Present, MinIO, Inc.

Creative Commons License