mirror of
https://github.com/minio/docs.git
synced 2025-07-28 19:42:10 +03:00
This adds content to the three stub files. Corrects the Makefile for incorrect importing of Javascript docs into the Haskell folder. Corrects community Slack URLs to point to slack.min.io.
Security Checklist
Use the following checklist when planning the security configuration for a production, distributed MinIO deployment.
Required Steps
[ ] Define group policies either on MinIO or on the selected third-party Identity Provider (LDAP/Active Directory or OpenID)
[ ] Define individual access policies on MinIO or on the selected third-party Identity Provider
[ ] (For Kubernetes deployments only) Configure the tenant(s) to use the selected third-party Identity Provider
Encryption-at-Rest
MinIO supports the following external KMS providers through Key Encryption Service (KES):
- Hashicorp Vault Root KMS
- AWS Root KMS
- Google Cloud Platform Secret Manager Root KMS
- Azure Key Vault Root KMS
[ ] Download and install the MinIO Key Encryption Service (KES)
[ ] Enable TLS
[ ] Generate private and public keys for KES
[ ] Generate private and public keys for MinIO
[ ] Create a KES configuration file and start the service
[ ] Generate an external key for the key management service (KMS)
[ ] Connect MinIO to KES
[ ] Enable server-side encryption
Encryption-in-Transit ("In flight")
[ ] Enable TLS
[ ] Add separate certificates and keys for each internal and external domain that accesses MinIO
[ ] Generate public and private TLS keys using a supported cipher for TLS 1.3 or TLS 1.2
[ ] Configure trusted Certificate Authority (CA) store(s)
[ ] Expose your Kubernetes service, such as with NGINX
[ ] (Optional) Validate certificates, such as with https://www.sslchecker.com/certdecoder
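The certificate items above (one certificate per internal and external domain, a supported key type, a trusted CA store, and validating the result) can be checked offline before TLS is enabled. The script below is an added example and not part of the MinIO documentation or project; it assumes `openssl` 1.1.1 or newer on PATH, a 30-day renewal margin, and that RSA and EC are the key types in use, and the file paths and hostnames in the usage line are placeholders.

```shell
#!/bin/sh
# check_minio_cert: pre-deployment sanity check for a MinIO TLS certificate.
# Added example, not MinIO project code. Assumes openssl 1.1.1+ on PATH.
# Usage: check_minio_cert CERT.pem CA_BUNDLE.pem HOST [HOST...]
# Exit status is 0 only when every check passes; each failing check is printed.
check_minio_cert() {
    cert="$1"; ca="$2"; shift 2
    rc=0
    # 1. The chain must verify against the CA store MinIO and its clients trust.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against CA bundle $ca"; rc=1
    fi
    # 2. Must not expire within 30 days (2592000 s); the margin is an assumption.
    if ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1; then
        echo "FAIL: $cert expires within 30 days"; rc=1
    fi
    # 3. Key type: accept RSA and EC keys (assumed to be the key types in use).
    alg=$(openssl x509 -in "$cert" -noout -text | awk '/Public Key Algorithm/ {print $NF; exit}')
    case "$alg" in
        rsaEncryption|id-ecPublicKey) ;;
        *) echo "FAIL: unsupported public key algorithm '$alg'"; rc=1 ;;
    esac
    # 4. Every internal and external hostname that reaches MinIO must be a SAN DNS entry.
    #    The SAN values sit on the line after the "Subject Alternative Name" header.
    sans=$(openssl x509 -in "$cert" -noout -text \
        | awk '/Subject Alternative Name/ {getline; print}' \
        | tr ',' '\n' | sed -n 's/^ *DNS://p')
    for host in "$@"; do
        if ! printf '%s\n' "$sans" | grep -qx "$host"; then
            echo "FAIL: $host is not in subjectAltName"; rc=1
        fi
    done
    return $rc
}
# Example invocation (placeholder paths and hostnames):
# check_minio_cert /etc/minio/certs/public.crt /etc/minio/certs/CAs/ca.crt minio.example.net minio.internal
```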