Product
Hybrid Cloud Object Storage Hybrid Cloud Object Storage
Overview Architecture
Baremetal Baremetal
Overview Architecture
Erasure Code Calculator Erasure Code Calculator Reference Hardware Reference Hardware
Features
Active Active Replication Identity & Access Management Encryption Bucket & Object Immutability Bucket & Object Versioning Data Life Cycle Management & Tiering Automated Data Management Interfaces Monitoring Scalability
Native Versions
MinIO for VMware Tanzu MinIO for OpenShift MinIO for Amazon Elastic Kubernetes Service MinIO for Azure Kubernetes Service MinIO for Google Kubernetes Engine
Docs
MinIO Baremetal MinIO Object Storage for Baremetal Infrastructure MinIO Hybrid Cloud MinIO Object Storage for Kubernetes-Managed Private and Public Cloud Infrastructure MinIO for VMware Cloud Foundation MinIO Object Storage for VMware Cloud Foundation 4.2 MinIO Legacy Documentation Legacy Documentation for MinIO Object Storage
Solutions
VMware Discover how MinIO integrates with VMware across the portfolio from the Persistent Data platform to TKGI and how we support their Kubernetes ambitions. Splunk Find out how MinIO is delivering performance at scale for Splunk SmartStores Veeam Learn how MinIO and Veeam have partnered to drive performance and scalability for a variety of backup use cases. Azure to AWS S3 Gateway Learn how MinIO allows Azure Blob to speak Amazon’s S3 API HDFS Migration Modernize and simplify your big data storage infrastructure with high-performance, Kubernetes-native object storage from MinIO. Teradata Discover why MinIO is the Native Object Store (NOS) of choice for at-scale Teradata deployments Integrations Browse our vast portfolio of integrations
Resources Blog Pricing Download

Welcome to the upcoming version of the MinIO Documentation! The content on this page is under active development and may change at any time. If you can't find what you're looking for, check our legacy documentation. Thank you for your patience.

Security

Identity and Access Management

MinIO requires clients authenticate using AWS Signature Version 4 protocol with support for the deprecated Signature Version 2 protocol. Specifically, clients must authenticate by presenting a valid access key and secret key to access any S3 or MinIO administrative API, such as PUT, GET, and DELETE operations. S3-compatible SDKs, including those provided by MinIO, typically include built-in helpers for creating the necessary signatures using an access key and secret key.

MinIO supports both internal and external identity management:

IDentity Provider (IDP)

Description

MinIO Internal IDP

Provides built-in identity management functionality.

OpenID

Supports managing identities through an OpenID Connect (OIDC) compatible service.

Active Directory / LDAP

Supports managing identities through an Active Directory or LDAP service.

Once authenticated, MinIO either allows or rejects the client request depending on whether or not the authenticated identity is authorized to perform the operation on the specified resource.

MinIO uses Policy-Based Access Control (PBAC) to define the authorized actions and resources to which an authenticated user has access. Each policy describes one or more actions and conditions that outline the permissions of a user or group of users. By default, MinIO denies access to actions or resources not explicitly referenced in a user’s assigned or inherited policies. MinIO manages the creation and storage of policies and does not support external authorization management.

MinIO PBAC is built for compatibility with AWS IAM policy syntax, structure, and behavior. The MinIO documentation makes a best-effort to cover IAM-specific behavior and functionality. Consider deferring to the IAM documentation for more complete documentation on IAM, IAM policies, or IAM JSON syntax.

Encryption

MinIO supports end-to-end encryption of objects over-the-wire (network encryption) and on read/write (at-rest).

Network Encryption

MinIO supports Transport Layer Security (TLS) encryption of incoming and outgoing traffic. MinIO recommends all MinIO servers run with TLS enabled to ensure end-to-end security of client-server or server-server transmissions.

TLS is the successor to Secure Socket Layer (SSL) encryption. SSL is fully deprecated as of June 30th, 2018. MinIO uses only supported (non-deprecated) TLS protocols (TLS 1.2 and later).

See Network Encryption (TLS) for more complete documentation.

Server-Side Object Encryption (SSE)

MinIO supports Server-Side Object Encryption (SSE) of objects, where MinIO uses a secret key to encrypt and store objects on disk (encryption at-rest).

MinIO supports enabling automatic SSE-KMS encryption of all objects written to a bucket using a specific External Key (EK) stored on the external KMS. Clients can override the bucket-default EK by specifying an explicit key as part of the write operation.

For buckets without automatic SSE-KMS encryption, clients can specify an EK as part of the write operation instead.

SSE-KMS provides more granular and customizable encryption compared to SSE-S3 and SSE-C and is recommended over the other supported encryption methods.

MinIO supports enabling automatic SSE-S3 encryption of all objects written to a bucket using an EK stored on the external KMS. MinIO SSE-S3 supports one EK for the entire deployment.

For buckets without automatic SSE-S3 encryption, clients can request SSE encryption as part of the write operation instead.

Clients specify an EK as part of the write operation for an object. MinIO uses the specified EK to perform SSE-S3.

SSE-C does not support bucket-default encryption settings and requires clients perform all key management operations.

MinIO SSE requires Network Encryption (TLS).

This work is licensed under a Creative Commons Attribution 4.0 International License.

©2020-Present, MinIO, Inc.

Creative Commons License