Network Encryption (TLS)
Table of Contents
MinIO supports Transport Layer Security (TLS) 1.2+ encryption of incoming and outgoing traffic.
SSL is Deprecated
TLS is the successor to Secure Socket Layer (SSL) encryption. SSL is fully deprecated as of June 30th, 2018.
Enabling TLS
The MinIO server searches the following directory for TLS keys and certificates:
${HOME}/.minio/certs
Where ${HOME}
is the home directory of the user running the MinIO Server process.
For deployments started with a custom TLS directory minio server --certs-dir
, use that directory instead of the defaults.
Place the TLS certificates for the default domain (e.g. minio.example.net
) in the /certs
directory, with the private key as private.key
and public certificate as public.crt
.
For example:
${HOME}/.minio/certs
private.key
public.crt
You can use the MinIO certgen to mint self-signed certificates for enabling TLS for evaluating MinIO with TLS enabled. For example, the following command generates a self-signed certificate with a set of IP and DNS SANs associated to the MinIO Server hosts:
certgen -host "localhost,minio-*.example.net"
You can place the generated public.crt
and private.key
into the /.minio/certs
directory to enable TLS for the MinIO deployment.
Applications can use the public.crt
as a trusted Certificate Authority to allow connections to the MinIO deployment without disabling certificate validation.
Multiple Domain-Based TLS Certificates
The MinIO server supports multiple TLS certificates, where the server uses Server Name Indication (SNI) to identify which certificate to use when responding to a client request. When a client connects using a specific hostname, MinIO uses SNI to select the appropriate TLS certificate for that hostname.
For example, consider a MinIO deployment reachable through the following hostnames:
https://minio.example.net
(default TLS certificates)https://s3.example.net
https://minio.internal-example.net
Create a subfolder in /certs
for each additional domain for which MinIO should present TLS certificates.
While MinIO has no requirements for folder names, consider creating subfolders whose name matches the domain to improve human readability.
Place the TLS private and public key for that domain in the subfolder.
For example:
${HOME}/.minio/certs
private.key
public.crt
s3-example.net/
private.key
public.crt
internal-example.net/
private.key
public.crt
While you can have a single TLS certificate that covers all hostnames with multiple Subject Alternative Names (SAN), this would reveal the internal-example.net
and s3-example.net
hostnames to any client which inspects the server certificate.
Using a TLS certificate per hostname better protects each individual hostname from discovery.
If the client-specified hostname or IP address does not match any of the configured TLS certificates, the connection typically fails with a certificate validation error.
Supported TLS Cipher Suites
MinIO recommends generating ECDSA (e.g. NIST P-256 curve) or EdDSA (e.g. Curve25519) TLS private keys/certificates due to their lower computation requirements compared to RSA.
MinIO supports the following TLS 1.2 and 1.3 cipher suites as supported by Go. The lists mark recommended algorithms with a icon:
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256
TLS_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384