Encrypting Files

Table of Contents


You can encrypt the output of the mc support inspect command for enhanced security when transmitting the files to MinIO SUBNET.


You can choose to encrypt the output zip file for enhanced security with the --encrypt flag. MinIO provides a binary to decrypt the file.

When the encryption flag, the output provides a decryption key. The output resembles the following:

$ mc support inspect --encrypt play/test123/test*/*/part.*
mc: Encrypted file data successfully downloaded as inspect.ad2b43d8.enc
mc: Decryption key: ad2b43d847fdb14e54c5836200177f7158b3f745433525f5d23c0e0208e50c9948540b54

mc: The decryption key will ONLY be shown here. It cannot be recovered.
mc: The encrypted file can safely be shared without the decryption key.
mc: Even with the decryption key, data stored with encryption cannot be accessed.

As the output says, MinIO only displays the encryption key this one time, and it cannot be displayed or recovered later.


MinIO provides a decryption tool to use on the files generated by mc support inspect.

To install the decryption tool, install Go, then run

go install github.com/minio/minio/docs/debugging/inspect@latest

After installing the inspect decryption binary, decrypt the file with the following command:

inspect -key=<decryptionKeyFromOutput> <file.enc>

Replace <decryptionKeyFromOutput> with the decryption key provided when generating the diagnosit file. Replace <file.enc> with the downloaded file name, including a relative or absolute path.

-key flag is optional. If not provided, an interactive prompt asks for the key. The file name includes a portion of the decryption key. This helps verify which key to use for the file.

The decryption process outputs an unencrypted .zip file.

This site uses cookies to improve the site experience. By continuing, you are providing consent to the use of these cookies. Please visit our privacy policy for more information.