MinIO Network Encryption - It's All Good
Encrypting network traffic is low-hanging fruit when securing IT infrastructure. MinIO follows a pragmatic approach when it comes to TLS. It has to be secure, it has to be performant and it has to be simple.
Things that matter
In almost all cases, there are just a couple of things we need to take into consideration:
- The TLS version.
- The TLS cipher suite.
- The TLS certificate.
If there is a network encryption issue, in at least 9 out of 10 cases, it is caused by suboptimal choices for one or multiple of the above items. However, MinIO tries to make TLS a smooth experience and something that just works instead of causing headaches.
TLS Versions
MinIO only supports TLS 1.2 and 1.3. Both are enabled by default. If the S3 client supports TLS 1.3, the connection will use TLS 1.3. Older TLS versions are not supported simply because they are not secure.
In a nutshell, TLS 1.3 is faster and more secure than TLS 1.2. For example, TLS 1.3 handshakes require a single round-trip instead of two before transmitting application data. Further, TLS 1.3 cleaned up some design choices carried through previous TLS versions. It specifies only a small set of transport ciphers, all of which are using well-understood and fast authenticated encryption constructions and provide forward secrecy.
Long story short, TLS 1.2 is fine but you want TLS 1.3.
Cipher Negotiation
During the TLS handshake, MinIO and the S3 client have to agree on a transport cipher. In the case of TLS 1.3, there are no "bad choices". MinIO and the S3 client will pick the cipher that performs best on the particular hardware. Case closed.
In case of TLS 1.2, MinIO, by default, only supports a small set of transport ciphers similar to TLS 1.3. All these ciphers:
- Provide forward secrecy. They use ECHDE, a key exchange over elliptic curves, such that even if MinIO's private key gets compromised, previous network communication remains secret.
- Use optimized CPU-specific assembler implementations to spend as few CPU cycles as possible when encrypting network traffic.
- Don't leak secrets through side channels, since all cryptographic algorithms are implemented using constant time building blocks.
Most S3 clients will support at least one of these preferable ciphers. However, some older clients don't. In such a case, you can enable support for other TLS 1.2 ciphers by setting the environment variable:
MINIO_API_SECURE_CIPHERS=off
This option will simply enable support for ciphers that are still considered secure but do not provide all security and performance properties mentioned above.
X.509 Certificates
Before MinIO and the S3 client can negotiate on a transport cipher and exchange data, the MinIO server has to prove to the client that it is in fact the MinIO server the client has asked for. Therefore, MinIO has to generate either an RSA or ECDSA/EdDSA signature. Further, each MinIO node within a MinIO cluster communicates with other nodes over TLS, and therefore, has to verify such signatures as well.
One of the most common performance issues is caused by a suboptimal public/private key pair choice for the TLS certificate. In the vast majority of cases, pick an ECDSA or EdDSA key pair instead of RSA. In particular, use either a NIST P-256 or Ed25519 key pair. The reason is that MinIO's TLS stack uses optimized assembler implementations for these two curves while the RSA implementation uses big integer arithmetic. An ECDSA or EdDSA certificate usually results in significantly lower CPU usage during the TLS handshake.
FIPS 140-2
For some organizations, the cryptographic algorithms and their implementations must be approved and certified to meet certain compliance requirements. Therefore, we provide a MinIO FIPS release.
However, to put things into perspective, the regular MinIO release is not more or less secure than the FIPS version. The FIPS release simply limits the set of cryptographic algorithms and uses only certified C implementations. While we provide a FIPS version of MinIO, don't go down the FIPS rabbit hole unless you really have to.
Quick Wins with MinIO Network Encryption
To summarize, there are just a few knobs to tweak MinIO's network encryption settings - and you hardly need to use them. For greatest performance, use an ECDSA or EdDSA key pair for your TLS certificate. If your S3 client cannot connect to MinIO because they cannot agree on a common transport cipher, enable the larger cipher suite set. If you haven't enabled TLS, yet, do it - it isn't rocket science and security is beyond important.
If you have questions, we are here to help. Otherwise, enjoy your time not worrying about your TLS configuration.