Security Checklist
Use the following checklist when planning the security configuration for a production, distributed MinIO deployment.
Required Steps
| Step | Done |
|------|------|
| Define group policies either on MinIO or the selected 3rd party Identity Provider (LDAP/Active Directory or OpenID) | |
| Define individual access policies on MinIO or the selected 3rd party Identity Provider | |
| (For Kubernetes deployments only) Configure the tenant(s) to use the selected 3rd party Identity Provider | |
| Grant firewall access for TCP traffic to the MinIO Server S3 API Listen Port (Default: | |
| Grant firewall access for TCP traffic to the MinIO Server Console Listen Port (Recommended Default: | |
Encryption-at-Rest
MinIO supports external KMS providers through the Key Encryption Service (KES). Complete the following steps to configure it:

| Step | Done |
|------|------|
| Download and install the MinIO Key Encryption Service (KES) | |
| Enable TLS | |
| Generate private and public keys for KES | |
| Generate private and public keys for MinIO | |
| Create a KES configuration file and start the service | |
| Generate an external key for the key management service (KMS) | |
| Connect MinIO to the KES | |
| Enable server side encryption | |
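As an added, constructed example (not taken from the MinIO or KES documentation) of the "Create a KES configuration file" and "Connect MinIO to the KES" steps above: a KES server configuration backed by HashiCorp Vault, with the matching MinIO environment in the trailing comments. Hostnames, paths, the AppRole credentials and the identity hash are placeholders, and the policy and keystore key names follow the KES YAML layout as assumed here, so check them against the KES release in use.

```yaml
# kes-config.yaml: one KES server in front of an external Vault KMS (constructed example)
address: 0.0.0.0:7373          # KES API endpoint that MinIO calls over TLS

admin:
  identity: disabled           # no admin identity; only the MinIO policy below may use this KES

tls:
  key:  /opt/kes/certs/kes-server.key    # from "Generate private and public keys for KES"
  cert: /opt/kes/certs/kes-server.cert

policy:
  minio-server:
    allow:                     # least privilege: create/generate/decrypt data keys only
      - /v1/key/create/*
      - /v1/key/generate/*
      - /v1/key/decrypt/*
    identities:
      # SHA-256 of MinIO's client certificate, as printed by `kes identity of minio-kes.cert`
      - PLACEHOLDER_MINIO_IDENTITY_HASH

keystore:
  vault:                       # external KMS provider that holds the master keys
    endpoint: https://vault.internal.example:8200
    engine: kv
    version: v1
    prefix: minio-keys
    approle:
      id: PLACEHOLDER_APPROLE_ID
      secret: PLACEHOLDER_APPROLE_SECRET
      retry: 15s
    tls:
      ca: /opt/kes/certs/vault-ca.crt    # trust only the Vault CA, not the whole system store

# MinIO side ("Connect MinIO to the KES"), set in the MinIO server environment:
#   MINIO_KMS_KES_ENDPOINT=https://kes.internal.example:7373
#   MINIO_KMS_KES_KEY_FILE=/opt/minio/certs/minio-kes.key      # "Generate private and public keys for MinIO"
#   MINIO_KMS_KES_CERT_FILE=/opt/minio/certs/minio-kes.cert
#   MINIO_KMS_KES_CAPATH=/opt/minio/certs/kes-ca.crt           # CA that signed kes-server.cert
#   MINIO_KMS_KES_KEY_NAME=minio-default-key                   # default key used for server side encryption
```

The policy deliberately omits `/v1/key/delete/*`, so a MinIO node holding this client certificate can encrypt and decrypt objects but cannot destroy master keys through KES.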
Encryption-in-Transit (“In flight”)
| Step | Done |
|------|------|
| Add separate certificates and keys for each internal and external domain that accesses MinIO | |
| Generate public and private TLS keys using a supported cipher for TLS 1.3 or TLS 1.2 | |
| Configure trusted Certificate Authority (CA) store(s) | |
| Expose your Kubernetes service, such as with NGINX | |
| (Optional) Validate certificates, such as with https://www.sslchecker.com/certdecoder | |
