mirror of
https://github.com/minio/docs.git
synced 2025-05-28 00:41:14 +03:00
0a68ca4ff9
- Imports the limits doc from legacy into the Checklists section - Adds 500K limit to buckets in several places Closes #548
2.5 KiB
2.5 KiB
Security Checklist
minio
Table of Contents
Use the following checklist when planning the security configuration for a production, distributed MinIO deployment.
Required Steps
circle |
Define group policies either on MinIO or the selected 3rd party Identity Provider (LDAP/Active Directory or OpenID) |
circle |
Define individual access policies on MinIO or the selected 3rd party Identity Provider |
circle |
(For Kubernetes deployments only) Configure the tenant(s) to use the selected 3rd party Identity Provider |
Encryption-at-Rest <minio-sse>
MinIO supports the following external KMS providers through Key Encryption Service (KES):
Hashicorp Vault Root KMS <minio-sse-vault>AWS Root KMS <minio-sse-aws>Google Cloud Platform Secret Manager Root KMS <minio-sse-gcp>Azure Key Vault Root KMS <minio-sse-azure>
circle |
Download and install the MinIO Key Encryption Service (KES) |
circle |
Enable TLS |
circle |
Generate private and public keys for KES |
circle |
Generate private and public keys for MinIO |
circle |
Create a KES configuration file and start the service |
circle |
Generate an external key for the key management service (KMS) |
circle |
Connect MinIO to the KES |
circle |
Enable server side encryption |
Encryption-in-Transit ("In flight") <minio-tls>
circle |
Enable TLS <minio-tls> |
circle |
Add separate certificates and keys for each internal and external domain that accesses MinIO |
circle |
Generate public and private TLS keys using a supported cipher for TLS 1.3 or TLS 1.2 |
circle |
Configure trusted Certificate Authority (CA) store(s) |
circle |
Expose your Kubernetes service, such as with NGINX |
circle |
(Optional) Validate certificates, such as with https://www.sslchecker.com/certdecoder |