Product
MinIO Enterprise Object Store
Overview Architecture
Features
MinIO for Public Cloud
AWS GCS Azure
MinIO for Private Cloud
OpenShift SUSE Rancher Tanzu
MinIO for Baremetal
Linux and Windows
Determine your raw and usable capacity Erasure Code Calculator MinIO's Recommended Hardware Configuration Reference Hardware
Solutions
AI Storage Object storage is powering the AI revolution. Learn how MinIO is leading the AI storage market through performance at scale. Modern Datalakes Modern, multi-engine datalakes depend on object stores that deliver performance at scale. Learn more about this core MinIO use case. Hybrid Cloud Effective multi-cloud storage strategies rely on utilizing architecture and tools that can function seamlessly across diverse environments. Equinix Repatriate your data onto the cloud you control with MinIO on Equinix to lower costs while maintaining public cloud adjacency. Splunk Find out how MinIO is delivering performance at scale for Splunk SmartStores. Snowflake Query and analyze multiple data sources, including streaming data, residing on MinIO with the Snowflake Data Cloud. No need to move the data, just query using SnowSQL. SQL Server Discover how to pair SQL Server 2022 with MinIO to run queries on your data on any cloud - without having to move it. HDFS Migration Modernize and simplify your big data storage infrastructure with high-performance, Kubernetes-native object storage from MinIO. VMware Discover how MinIO integrates with VMware across the portfolio from the Persistent Data platform to TKG and how we support their Kubernetes ambitions. Veeam Learn how MinIO and Veeam have partnered to drive performance and scalability for a variety of backup use cases. Commvault Learn how Commvault and MinIO are partnered to deliver performance at scale for mission critical backup and restore workloads. Integrations Browse our vast portfolio of integrations.
Community
GitHub Join our GitHub open source community: explore, experiment, ask questions, and contribute. Slack Channel The MinIO Community Slack provides an open forum for discussing topics related to MinIO. All support is provided on a best-effort basis.
Docs Blog Resources Training Partner Pricing Download

MinIO Network Encryption - It's All Good

Andreas Auernhammer Andreas Auernhammer on Security
MinIO Network Encryption - It's All Good

Encrypting network traffic is low-hanging fruit when securing IT infrastructure. MinIO follows a pragmatic approach when it comes to TLS. It has to be secure, it has to be performant and it has to be simple.

Things that matter

In almost all cases, there are just a couple of things we need to take into consideration:

  • The TLS version.
  • The TLS cipher suite.
  • The TLS certificate.

If there is a network encryption issue, in at least 9 out of 10 cases, it is caused by suboptimal choices for one or multiple of the above items. However, MinIO tries to make TLS a smooth experience and something that just works instead of causing headaches.

TLS Versions

MinIO only supports TLS 1.2 and 1.3. Both are enabled by default. If the S3 client supports TLS 1.3, the connection will use TLS 1.3. Older TLS versions are not supported simply because they are not secure.

In a nutshell, TLS 1.3 is faster and more secure than TLS 1.2. For example, TLS 1.3 handshakes require a single round-trip instead of two before transmitting application data. Further, TLS 1.3 cleaned up some design choices carried through previous TLS versions. It specifies only a small set of transport ciphers, all of which are using well-understood and fast authenticated encryption constructions and provide forward secrecy.

Long story short, TLS 1.2 is fine but you want TLS 1.3.

Cipher Negotiation

During the TLS handshake, MinIO and the S3 client have to agree on a transport cipher. In the case of TLS 1.3, there are no "bad choices". MinIO and the S3 client will pick the cipher that performs best on the particular hardware. Case closed.

In case of TLS 1.2, MinIO, by default, only supports a small set of transport ciphers similar to TLS 1.3. All these ciphers:

  • Provide forward secrecy. They use ECHDE, a key exchange over elliptic curves, such that even if MinIO's private key gets compromised, previous network communication remains secret.
  • Use optimized CPU-specific assembler implementations to spend as few CPU cycles as possible when encrypting network traffic.
  • Don't leak secrets through side channels, since all cryptographic algorithms are implemented using constant time building blocks.

Most S3 clients will support at least one of these preferable ciphers. However, some older clients don't. In such a case, you can enable support for other TLS 1.2 ciphers by setting the environment variable:

MINIO_API_SECURE_CIPHERS=off

This option will simply enable support for ciphers that are still considered secure but do not provide all security and performance properties mentioned above.

X.509 Certificates

Before MinIO and the S3 client can negotiate on a transport cipher and exchange data, the MinIO server has to prove to the client that it is in fact the MinIO server the client has asked for. Therefore, MinIO has to generate either an RSA or ECDSA/EdDSA signature. Further, each MinIO node within a MinIO cluster communicates with other nodes over TLS, and therefore, has to verify such signatures as well.

One of the most common performance issues is caused by a suboptimal public/private key pair choice for the TLS certificate. In the vast majority of cases, pick an ECDSA or EdDSA key pair instead of RSA. In particular, use either a NIST P-256 or Ed25519 key pair. The reason is that MinIO's TLS stack uses optimized assembler implementations for these two curves while the RSA implementation uses big integer arithmetic. An ECDSA or EdDSA certificate usually results in significantly lower CPU usage during the TLS handshake.

FIPS 140-2

For some organizations, the cryptographic algorithms and their implementations must be approved and certified to meet certain compliance requirements. Therefore, we provide a MinIO FIPS release.

However, to put things into perspective, the regular MinIO release is not more or less secure than the FIPS version. The FIPS release simply limits the set of cryptographic algorithms and uses only certified C implementations. While we provide a FIPS version of MinIO, don't go down the FIPS rabbit hole unless you really have to.

Quick Wins with MinIO Network Encryption

To summarize, there are just a few knobs to tweak MinIO's network encryption settings - and you hardly need to use them. For greatest performance, use an ECDSA or EdDSA key pair for your TLS certificate. If your S3 client cannot connect to MinIO because they cannot agree on a common transport cipher, enable the larger cipher suite set. If you haven't enabled TLS, yet, do it - it isn't rocket science and security is beyond important.

If you have questions, we are here to help. Otherwise, enjoy your time not worrying about your TLS configuration.

Previous Post Next Post
S3 Select Security Modern Data Lakes Apache Presto SQL Performance S3 Brand/Design Golang Programming Cloud Computing Microservices Docker AWS Kubernetes Apache Spark Open Source Benchmarks Integrations SUBNET Edge Computing Sidekick Secure-by-Design Splunk Veeam Intel Apache Nifi Immutability Software Defined Storage VMware Apache Arrow Hybrid Cloud Red Hat OpenShift Multicloud Scalability Cloud Field Day Cloud Native Apache Kafka Architect's Guide Awards Operator's Guide Security Advisory AI/ML AGPLv3 Apache Hadoop SFD Azure GCP Observability Analytics R H20 DirectPV DevOps Apache Iceberg Apache Hudi YouTube Summaries EKS Elastic Load Balancers CI/CD Object Storage Compliance opentelemetry BC/DR Storage Newsletter Predictions Best Practices Dremio New MinIO Features partners Small Files Databases DuckDB PostgreSQL Delta Lake Cloud Repatriation Python Object Lambdas Data Pipelines Cloud Operating Model Webhook ClickHouse Vector Database Events Value Engineering Change Data Capture Enterprise Object Store GitOps Case Study Equinix