AIStor Volume Manager This set of pages describes Volume Manager, a Container Storage Interface (CSI) for direct atta...

This tutorial shows how to setup a KES server that uses Fortanix SDKMS as a persistent and secure key store: K E S C l i e n t K E S S e r v e r F o r t a n i x S D K M S Fortanix SDKMS Create Application

MinIO Sidekick Documentation MinIO Sidekick is a high-performance sidecar load balancer licensed under the MinIO Comm...

Server-Side Encryption (SSE) protects objects as part of write operations, allowing clients to take advantage of server processing power to secure objects at the storage layer (encryption-at-rest). SSE also provides key functionality for regulatory and compliance requirements around secure locking and erasure. AIStor includes support for deploying MinIO KMS as a dedicated root Key Management Service (KMS) with direct integration. MinIO KMS provides equivalent functionality to other third-party KMS solutions for managing root/external encryption keys in support of encryption operations.

Use the following checklist when planning the security configuration for a production, distributed AIStor Server. Required steps Step ☐ Define group policies either on AIStor or the selected 3rd party Identity Provider (LDAP/Active Directory or OpenID Connect). ☐ Define individual access policies on AIStor or the selected 3rd party Identity Provider. ☐ Configure AIStor to use the selected 3rd party Identity Provider. ☐ Grant firewall access for TCP traffic to the Object Store S3 API Listen Port (Default: 9000). ☐ Grant firewall access for TCP traffic to the AIStor Server console port (Recommended Default: 9443). Encryption-at-rest AIStor Object Store supports Server-Side Encryption using MinIO KMS:

The procedure on this page creates a new object lifecycle management rule that transition objects from an AIStor bucket to a remote storage tier on the Google Cloud Storage (GCS) backend. This procedure supports use cases like moving aged data to low-cost public cloud storage solutions after a certain time period or calendar date. Requirements Install and configure mc This procedure uses mc for performing operations on the AIStor cluster. Install mc on a machine with network access to both source and destination clusters. See the mc Installation Quickstart for instructions on downloading and installing mc.

You may create objects whose sole purpose is organizing a bucket. These objects end with the / character. Versioning is often not of value for these types of objects that have no data. For example, an object at ALIAS/team-bucket/reports may serve as an organization path only and not be a data object. Instead, it contains objects under it, such as ALIAS/team-bucket/reports/2025/june.csv. You may exclude folder objects to prevent ALIAS/team-bucket/reports from being versioned while allowing all objects under it to be versioned.

AIStor implements Transport Layer Security (TLS) 1.2+ encryption with support for Server Name Indication (SNI) for selecting relevant TLS certificates in response to client requests. You must set up TLS before you can enable data encryption, also called server-side encryption. AIStor supports the following types of certificate signatures: self-signed internal or private certificate authorities (CAs) third-party CAs Multiple certificates are implemented with SNI to determine which certificate to return to a client based on the hostname in the request.

The AIStor Identity Management Plugin provides a REST interface for offloading authentication to an external identity manager with a webhook service. Client applications can use the AssumeRoleWithCustomToken STS API extension to generate access tokens for AIStor. AIStor verifies this token by making a POST request to the configured plugin endpoint and uses the returned response to determine the authentication status of the client. Configuration settings You can configure the AIStor Identity Management Plugin with the following environment variables or configuration settings:

AIStor supports deploying resources onto Kubernetes infrastructure through our first-party operator model. AIStor also provides a Red Hat OpenShift certified operator. Setting up AIStor on Kubernetes involves these steps: Install AIStor Configure load balancing Set up network encryption Set up server-side encryption Enable FIPS mode (optional, for regulatory compliance) Kubernetes API support Production Kubernetes infrastructure should run currently supported releases of the Kubernetes API.