Authorization and Authentication

MinIO supports several mechanisms for identity management, both internal and external. In the next example, I use the built-in identity management identity provider (IDP). In this case, you should create a new user, either in the console or with the mc utility.

For example, to add user 8pu2T6NBB6 for the deployment mycluster1 defined earlier with the secret key SPKKwJFtKl , you would use the command:

mc admin user add mycluster1 8pu2T6NBB6 SPKKwJFtKl

To assign the built-in readwrite policy to the new user, enter:

mc admin policy set mycluster1 readwrite user=8pu2T6NBB6

Later, I will show you how to use familiar S3 bucket policies.

Note that, by default, MinIO has a root user with its access and secret keys controlled by the environment variables:

MINIO_ROOT_USER
MINIO_ROOT_PASSWORD

If you decide to use them, make sure to use long random strings and rotate them often. Nevertheless, the MinIO team discourages using the root user credentials and recommends creating users with reasonably limited access rights, as shown earlier.

Encryption

Ensuring data security is critical when deploying any storage solution, and MinIO provides built-in features for encrypting data both at rest and in transit. Encrypting data in transit ensures that your data is secure while being transferred between clients and the MinIO server. The most common method to achieve this is by using Transport Layer Security (TLS) encryption.

To enable TLS for your MinIO deployment, you need to obtain a valid TLS certificate from a trusted certificate authority (CA). Alternatively, you can generate a self-signed certificate for testing purposes with tools such as OpenSSL or Let's Encrypt. Keep in mind that self-signed certificates might not be suitable for production environments because of potential trust issues.

To configure MinIO with your TLS certificate and private key, you need to place both files (i.e., cert.pem and private.key) on the MinIO server. Next, set the following environment variables when starting the MinIO server:

MINIO_SERVER_CERT_FILE: /<path to>/cert.pem
MINIO_SERVER_KEY_FILE: /<path to>/private.key

Make sure to replace <path to> with the correct paths to your certificate and private key files.

Encryption at rest is equally important: It protects your data from unauthorized access while it is stored on disk. MinIO supports three server-side encryption (SSE) methods:

• server-side encryption with per-bucket keys (SSE-KMS),
• server-side encryption with per-deployment keys (SSE-S3), and
• server-side encryption with client-manged keys (SSE-C).

You can find comprehensive documentation about these methods on the MinIO website [2].

Roughly, you have two basic approaches to managing encryption keys: They can be stored externally by a back-end service such as Vault, or they can be managed by the client. The following key management service (KMS) back ends are currently supported:

• AWS Secrets Manager
• Google Cloud Secret Manager
• Azure Key Vault
• HashiCorp Vault

The last option can be installed on-premises or on any public or private cloud and plays nicely with MinIO. If you want to use externally managed keys, you need to install the Key Encryption Service (KES) [3] utility first. Make sure you read the relevant documentation thoroughly because you can inadvertently lose access to your data if you make a mistake at this point.

General Security Considerations

Keeping your MinIO server and client up to date is essential for maintaining security and benefiting from the latest features and improvements. Regularly check for updates and apply them as needed. To update the server, use the command:

mc admin update mycluster1

In addition to securing your MinIO deployment, it's crucial to implement network security measures to protect your infrastructure. As a rule, MinIO should be deployed behind a firewall, and access should be limited to specific IP addresses or networks. You can also implement an intrusion detection and prevention system (IDPS) to monitor network activity and identify potential security threats.