minio/minio
Security
A summary of the trust boundaries inside MinIO and the controls available to operators. The canonical disclosure docs are SECURITY.md and VULNERABILITY_REPORT.md.
Trust boundaries
graph LR
EXT[External clients] -->|S3 / Admin / STS / KMS| FE[HTTP listener]
FE -->|SigV4 + IAM check| RT[Runtime]
RT -->|Storage REST + Peer REST| PEER[Peer node]
RT -->|mTLS| KES[KES]
RT -->|TLS| IDP[LDAP / OIDC / TLS-IDP]
RT -->|TLS| TARGET[Replication / Tier targets]The four boundaries are:
- External client → server. Authenticated via SigV4 (or SigV2/POST policy/JWT for legacy paths). Authorisation via IAM policy + bucket policy.
- Server ↔ peer. Authenticated via the cluster shared secret, signed on every request. TLS optional but strongly recommended.
- Server → KMS. mTLS to KES with client certs.
- Server → external systems (notification/audit/replication/tier targets). TLS where available; credentials per target.
Authentication
- SigV4 is the primary auth method; implemented in
cmd/signature-v4.go. - SigV2 kept for legacy clients (
cmd/signature-v2.go). - STS-issued credentials are short-lived and embed a session policy (
cmd/sts-handlers.go). - JWT for the embedded console session (
cmd/jwt.go). - Anonymous access only when bucket policy explicitly grants it.
Streaming SigV4 (chunked) is supported in cmd/streaming-signature-v4.go; mistakes in chunk parsing are a classic source of bugs and the file is heavily tested.
Authorisation
pkg/v3/policy (out of tree) is the IAM-policy AST. cmd/iam.go.IsAllowed walks the AST against the request Args. Deny short-circuits; Allow requires at least one match.
Bucket policies (cmd/bucket-policy.go) layer on top: bucket policy + IAM policy must both allow.
Encryption at rest
- SSE-S3, SSE-KMS, SSE-C are implemented in
internal/crypto/. - DEKs are wrapped by a KEK from
internal/kms/. - KES (or AWS KMS via KES) is the recommended production backend.
- Auto-encryption (
MINIO_KMS_AUTO_ENCRYPTION=on) forces SSE-S3 even for clients that don't ask.
Encryption in transit
- Server TLS is configured via certs in
~/.minio/certs/(or--certs-dir). - Inter-node TLS uses the same certs.
- Replication targets use TLS where the target supports it; credentials are signed per request.
Secrets handling
- The cluster config is encrypted on disk if a KMS is configured (
internal/config/crypto.go). - Root credentials are read once at startup;
cmd/server-main.godoes not re-emit them. - IAM JSON files on the object store are encrypted with the cluster KMS when one is configured.
Network exposure
- Default bind:
:9000(HTTP) and a random console port (set with--console-address). - Health and metrics endpoints are open by default; lock metrics behind SigV4 with
MINIO_PROMETHEUS_AUTH_TYPE. - The pprof endpoints are mounted under
/minio/admin/v3/...and require admin auth.
Audit
- Every request emits an audit record via
internal/logger/audit/. - Audit can fan out to webhooks, Kafka, or both.
- Records carry the auth identity, action, latency, status, and request ID.
Vulnerability process
SECURITY.md and VULNERABILITY_REPORT.md describe how to report security issues. Fixes ship as named releases tagged RELEASE.*; CVE numbers are assigned where applicable.
Hardening checklist
| Control | Setting |
|---|---|
| Enforce TLS | Provide private.key/public.crt in ~/.minio/certs/. |
| Rotate root creds | MINIO_ROOT_USER / MINIO_ROOT_PASSWORD then restart. |
| Use KES for KMS | MINIO_KMS_KES_ENDPOINT + client cert. |
| Enable auto-encryption | MINIO_KMS_AUTO_ENCRYPTION=on. |
| Use STS / external IDP | LDAP or OpenID; disable root once everything works. |
| Audit destination | MINIO_AUDIT_WEBHOOK_* / MINIO_AUDIT_KAFKA_*. |
| Lock metrics | MINIO_PROMETHEUS_AUTH_TYPE=jwt. |
| Enable Object Lock for compliance buckets | Bucket-level Object Lock with COMPLIANCE mode. |
| Enable site replication | mc admin replicate add for cross-region redundancy. |
Known footguns
- Forced unlocks (
mc admin lock force-unlock) bypass the namespace lock and can corruptxl.metaif the original holder is alive. Only use after confirming the holder is gone. MINIO_API_REQUESTS_MAXdefaults are conservative; raising it without monitoring can mask thundering-herd issues.- IAM changes propagate through the peer REST. A network partition delays the propagation; service accounts created during the partition aren't immediately usable on the other side.
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.