This procedure provides guidance for enabling Server-Side Encryption (SSE) using MinIO KMS as the Key Management Service (KMS). Enabling SSE on an MinIO AIStor deployment automatically encrypts the backend data for that deployment using the default encryption key selected during the setup process.

MinIO AIStor implements Transport Layer Security (TLS) 1.2+ encryption with support for Server Name Indication (SNI) for selecting relevant TLS certificates in response to client requests. You must set up TLS before you can enable data encryption, also called server-side encryption. MinIO AIStor supports the following types of certificate signatures: self-signed internal or private certificate authorities (CAs) third-party CAs Multiple certificates are implemented with SNI to determine which certificate to return to a client based on the hostname in the request.

Overview MinIO AIStor supports keeping multiple “versions” of an object in a single bucket. When enabled, versioning allows MinIO AIStor to keep multiple iterations of the same object. Write operations which would normally overwrite an existing object instead result in the creation of a new version of the object. MinIO AIStor versioning protects from unintended overwrites and deletions while providing support for “undoing” a write operation. Bucket versioning is a prerequisite for configuring object locking and retention rules.

MinIO AIStor supports deploying resources onto macOS hosts for local development and evaluation. For the purposes of evaluation or local development, MinIO recommends using a machine released in the last 4 years with at least 8 GB of RAM. You can use any supported version of macOS. For testing or local development using a virtualized environment, use a machine with a higher number of cores and 16 or 32GB of RAM.

Install on Red Hat Enterprise Linux Deploy MinIO AIStor onto RHEL 10+

Configure load balancers and Ingress controllers for MinIO AIStor on Kubernetes. Includes examples for NGINX, HAProxy, and Traefik.

This page describes how to enable FIPS 140-3 ready cryptography for MinIO AIStor deployments on Kubernetes. When enabled, FIPS mode restricts cryptographic operations to algorithms that align with the Federal Information Processing Standards (FIPS) 140-3 program. Organizations subject to U.S. federal government compliance requirements, or those with similar regulatory needs, may require FIPS-aligned cryptography. MinIO AIStor FIPS mode uses Go’s native cryptographic module, which restricts operations to FIPS 140-3 approved algorithms. MinIO makes no statements or representations regarding FIPS 140-3 certification status. Evaluate whether this implementation meets your specific compliance requirements. Overview MinIO AIStor uses Go 1.24’s native FIPS 140-3 cryptographic module. Enable FIPS mode at runtime with the GODEBUG environment variable. There is no separate binary required.

MinIO AIStor supports publishing bucket notification events to a NATS service endpoint. Prerequisites The MinIO AIStor mc command line tool This procedure uses the mc command line tool for certain actions. See the mc Quickstart for installation instructions. Add a NATS endpoint to an AIStor Server The following procedure adds a new NATS service endpoint for supporting bucket notifications in an AIStor Server.

This page documents the steps necessary to remove a peer site from existing Site Replication configuration. Remove the peer site using MinIO AIStor Console In a browser, access the Console for one of the existing replicated sites.

For identities managed by an external OpenID Connect (OIDC) compatible provider, MinIO AIStor can use either of two methods to assign policies to the authenticated user. MinIO AIStor by default denies access to all actions or resources not explicitly allowed by a user’s assigned or inherited policies. Authorization options with OIDC OIDC integration in MinIO AIStor supports either of the following authorization methods: