Open-Source Wikis

/

MinIO

/

Security

minio/minio

Security

A summary of the trust boundaries inside MinIO and the controls available to operators. The canonical disclosure docs are SECURITY.md and VULNERABILITY_REPORT.md.

Trust boundaries

graph LR
    EXT[External clients] -->|S3 / Admin / STS / KMS| FE[HTTP listener]
    FE -->|SigV4 + IAM check| RT[Runtime]
    RT -->|Storage REST + Peer REST| PEER[Peer node]
    RT -->|mTLS| KES[KES]
    RT -->|TLS| IDP[LDAP / OIDC / TLS-IDP]
    RT -->|TLS| TARGET[Replication / Tier targets]

The four boundaries are:

  1. External client → server. Authenticated via SigV4 (or SigV2/POST policy/JWT for legacy paths). Authorisation via IAM policy + bucket policy.
  2. Server ↔ peer. Authenticated via the cluster shared secret, signed on every request. TLS optional but strongly recommended.
  3. Server → KMS. mTLS to KES with client certs.
  4. Server → external systems (notification/audit/replication/tier targets). TLS where available; credentials per target.

Authentication

  • SigV4 is the primary auth method; implemented in cmd/signature-v4.go.
  • SigV2 kept for legacy clients (cmd/signature-v2.go).
  • STS-issued credentials are short-lived and embed a session policy (cmd/sts-handlers.go).
  • JWT for the embedded console session (cmd/jwt.go).
  • Anonymous access only when bucket policy explicitly grants it.

Streaming SigV4 (chunked) is supported in cmd/streaming-signature-v4.go; mistakes in chunk parsing are a classic source of bugs and the file is heavily tested.

Authorisation

pkg/v3/policy (out of tree) is the IAM-policy AST. cmd/iam.go.IsAllowed walks the AST against the request Args. Deny short-circuits; Allow requires at least one match.

Bucket policies (cmd/bucket-policy.go) layer on top: bucket policy + IAM policy must both allow.

Encryption at rest

  • SSE-S3, SSE-KMS, SSE-C are implemented in internal/crypto/.
  • DEKs are wrapped by a KEK from internal/kms/.
  • KES (or AWS KMS via KES) is the recommended production backend.
  • Auto-encryption (MINIO_KMS_AUTO_ENCRYPTION=on) forces SSE-S3 even for clients that don't ask.

Encryption in transit

  • Server TLS is configured via certs in ~/.minio/certs/ (or --certs-dir).
  • Inter-node TLS uses the same certs.
  • Replication targets use TLS where the target supports it; credentials are signed per request.

Secrets handling

  • The cluster config is encrypted on disk if a KMS is configured (internal/config/crypto.go).
  • Root credentials are read once at startup; cmd/server-main.go does not re-emit them.
  • IAM JSON files on the object store are encrypted with the cluster KMS when one is configured.

Network exposure

  • Default bind: :9000 (HTTP) and a random console port (set with --console-address).
  • Health and metrics endpoints are open by default; lock metrics behind SigV4 with MINIO_PROMETHEUS_AUTH_TYPE.
  • The pprof endpoints are mounted under /minio/admin/v3/... and require admin auth.

Audit

  • Every request emits an audit record via internal/logger/audit/.
  • Audit can fan out to webhooks, Kafka, or both.
  • Records carry the auth identity, action, latency, status, and request ID.

Vulnerability process

SECURITY.md and VULNERABILITY_REPORT.md describe how to report security issues. Fixes ship as named releases tagged RELEASE.*; CVE numbers are assigned where applicable.

Hardening checklist

Control Setting
Enforce TLS Provide private.key/public.crt in ~/.minio/certs/.
Rotate root creds MINIO_ROOT_USER / MINIO_ROOT_PASSWORD then restart.
Use KES for KMS MINIO_KMS_KES_ENDPOINT + client cert.
Enable auto-encryption MINIO_KMS_AUTO_ENCRYPTION=on.
Use STS / external IDP LDAP or OpenID; disable root once everything works.
Audit destination MINIO_AUDIT_WEBHOOK_* / MINIO_AUDIT_KAFKA_*.
Lock metrics MINIO_PROMETHEUS_AUTH_TYPE=jwt.
Enable Object Lock for compliance buckets Bucket-level Object Lock with COMPLIANCE mode.
Enable site replication mc admin replicate add for cross-region redundancy.

Known footguns

  • Forced unlocks (mc admin lock force-unlock) bypass the namespace lock and can corrupt xl.meta if the original holder is alive. Only use after confirming the holder is gone.
  • MINIO_API_REQUESTS_MAX defaults are conservative; raising it without monitoring can mask thundering-herd issues.
  • IAM changes propagate through the peer REST. A network partition delays the propagation; service accounts created during the partition aren't immediately usable on the other side.

Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.

Security – MinIO wiki | Factory