Does a minio server for restic require SSL?

If restic is backing up to a minio server over the internet, is TLS required for security? I know restic will encrypt all the data and so no one can extract my files.

But I guess someone watching the connection can extract the accesskey and secretkey. If so, they can delete files in my backup.

Sound right?

I assume TLS is going to be faster than the overhead of SFTP.

That’s correct, attackers on the line can read the authentication credentials and maybe (with a bit of brute force) find the raw authentication keys. As far as I know the authentication for s3 is some kind of signature scheme, so it’s not just “send the raw authentication key via HTTP”. But it’s probably not secure, if you consider a man-in-the-middle attacker realistic. I’d advise using a certificate, either a self-signed one (pass --cacert cert.pem to restic to make it verify the cert) or some officially signed one like letsencrypt.

Also, TLS+HTTP does not have more overhead than sftp, but due to the way the sftp protocol is defined I expect that TLS+HTTP performs much better. We had to jump through several hoops to make sftp perform decently (basically, sftp transfers data in chunks of 32KiB max, and each chunk must be acknowledged etc.).
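
Added example (not part of the original posts, and not restic's or minio's code): a minimal sketch of the kind of signature scheme the answer mentions, assuming the S3 client signs with AWS Signature Version 4. The host, bucket path, keys and timestamp are constructed sample values, and the request is simplified to one with no query string.

```python
import hashlib
import hmac

# Constructed sample values, not real credentials or hosts.
ACCESS_KEY = "EXAMPLEACCESSKEY"
SECRET_KEY = "example-secret-key-not-real"
HOST = "minio.example.com:9000"
AMZ_DATE = "20240101T120000Z"

def hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def signing_key(secret: str, date: str, region: str) -> bytes:
    """Derive the per-day, per-region key; the secret key itself is never transmitted."""
    key = hmac_sha256(("AWS4" + secret).encode(), date)
    for part in (region, "s3", "aws4_request"):
        key = hmac_sha256(key, part)
    return key

def authorization_header(method, path, payload, secret=SECRET_KEY, region="us-east-1"):
    """Build the Authorization header for a request with no query string.
    Simplification: path is assumed to be already URI-encoded."""
    payload_hash = hashlib.sha256(payload).hexdigest()
    headers = {"host": HOST, "x-amz-content-sha256": payload_hash, "x-amz-date": AMZ_DATE}
    signed = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    canonical = "\n".join([method, path, "", canonical_headers, signed, payload_hash])
    scope = f"{AMZ_DATE[:8]}/{region}/s3/aws4_request"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", AMZ_DATE, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    sig = hmac_sha256(signing_key(secret, AMZ_DATE[:8], region), to_sign).hex()
    return f"AWS4-HMAC-SHA256 Credential={ACCESS_KEY}/{scope}, SignedHeaders={signed}, Signature={sig}"

def server_accepts(header, method, path, payload):
    """Server side: recompute the signature from the stored secret and compare."""
    return hmac.compare_digest(header, authorization_header(method, path, payload))

if __name__ == "__main__":
    body = b"encrypted blob"
    hdr = authorization_header("PUT", "/restic-repo/config", body)
    print(hdr)
    print("secret in header:", SECRET_KEY in hdr)
    print("same request accepted:", server_accepts(hdr, "PUT", "/restic-repo/config", body))
    print("altered method accepted:", server_accepts(hdr, "DELETE", "/restic-repo/config", body))
```

The header carries the access key ID and a signature bound to the method, path, headers and payload hash, all readable on a plain HTTP connection. The signature gives no confidentiality and does not authenticate the server to the client, which is what TLS with --cacert adds.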