Security Checklist
Use the following checklist when planning the security configuration for a production, distributed MinIO deployment.
Required Steps
Define group policies either on MinIO or the selected 3rd party Identity Provider (LDAP/Active Directory or OpenID) |
|
Define individual access policies on MinIO or the selected 3rd party Identity Provider |
|
(For Kubernetes deployments only) Configure the tenant(s) to use the selected 3rd party Identity Provider |
|
Grant firewall access for TCP traffic to the MinIO Server S3 API Listen Port (Default: |
|
Grant firewall access for TCP traffic to the MinIO Server Console Listen Port (Recommended Default: |
Encryption-at-Rest
MinIO supports the following external KMS providers through Key Encryption Service (KES):
Download and install the MinIO Key Encryption Service (KES) |
|
Enable TLS |
|
Generate private and public keys for KES |
|
Generate private and public keys for MinIO |
|
Create a KES configuration file and start the service |
|
Generate an external key for the key management service (KMS) |
|
Connect MinIO to the KES |
|
Enable server side encryption |
Encryption-in-Transit (“In flight”)
Add separate certificates and keys for each internal and external domain that accesses MinIO |
|
Generate public and private TLS keys using a supported cipher for TLS 1.3 or TLS 1.2 |
|
Configure trusted Certificate Authority (CA) store(s) |
|
Expose your Kubernetes service, such as with NGINX |
|
(Optional) Validate certificates, such as with https://www.sslchecker.com/certdecoder |
