Here’s the TL;DR, below are my workings. (December 2020)
If you’re trying to add a password to your minIO installation, and get the error:
Server startup failed with 'Unable to handle encrypted backend for config, iam and policies: madmin: invalid AEAD algorithm ID'
Then you’ve set the _OLD variables for access key and secret key. Unset them.
Trying to get MinIO going quick and dirty to test self-hosted S3 object storage.
It’s really easy to get going with it, and on startup it states:
Detected default credentials [..] please change the credentials immediately using 'MINIO_ACCESS_KEY' and 'MINIO_SECRET_KEY'
On MinIO admin credentials or root credentials are only allowed to be changed using ENVs
[..]
Additionally if you wish to change the admin credentials, then MinIO will automatically detect this and re-encrypt with new credentials as shown below
export MINIO_ACCESS_KEY=newminio export MINIO_SECRET_KEY=newminio123 export MINIO_ACCESS_KEY_OLD=minio export MINIO_SECRET_KEY_OLD=minio123 minio server /data
OK. Easy.
bash-4.2$ MINIO_SECRET_KEY_OLD=minioadmin MINIO_ACCESS_KEY_OLD=minioadmin \
> MINIO_SECRET_KEY=bar MINIO_ACCESS_KEY=foo \
> /usr/local/bin/minio server /var/local/minio
ERROR Unable to validate credentials inherited from the shell environment: Invalid credentials
> Please provide correct credentials
HINT:
Access key length should be at least 3, and secret key length at least 8 characters
Excellent, so those are the right levers:
bash-4.2$ MINIO_SECRET_KEY_OLD=minioadmin MINIO_ACCESS_KEY_OLD=minioadmin \ > MINIO_SECRET_KEY=bar12345 MINIO_ACCESS_KEY=foo1 \ > /usr/local/bin/minio server /var/local/minio Attempting encryption of all config, IAM users and policies on MinIO backend Server startup failed with 'Unable to handle encrypted backend for config, iam and policies: madmin: invalid AEAD algorithm ID' Server switching to safe mode Please use 'mc admin config' commands fix this issue
I’ve not found any meaningful hits for this.
I’ve definitely not already reset the credentials ; firstly:
bash-4.2$ /usr/local/bin/minio server /var/local/minio [..] Detected default credentials 'minioadmin:minioadmin', please change the credentials immediately using 'MINIO_ACCESS_KEY' and 'MINIO_SECRET_KEY'
Secondly, the error in that case is:
ERROR Unable to initialize server switching into safe-mode: Unable to initialize config system: Invalid credentials
And in attempting to prove it for this post:
bash-4.2$ MINIO_SECRET_KEY=wrong123 MINIO_ACCESS_KEY=wrong /usr/local/bin/minio server /var/local/minio Attempting encryption of all config, IAM users and policies on MinIO backend [..] AccessKey: wrong SecretKey: wrong123
That’s wierd. Did I leave variables set?
bash-4.2$ set | grep MINIO bash-4.2$ /usr/local/bin/minio server /var/local/minio ERROR Unable to initialize server switching into safe-mode: Unable to handle encrypted backend for config, iam and policies: Credentials missing bash-4.2$ MINIO_SECRET_KEY=wrong123 MINIO_ACCESS_KEY=wrong /usr/local/bin/minio server /var/local/minio [..] AccessKey: wrong SecretKey: wrong123
Nope.
Seems like providing the _OLD variables on a fresh install doesn’t work.
Now I’ve got it working, I can see that this is probably what the docs actually say:
Credentials
On MinIO admin credentials or root credentials are only allowed to be changed using ENVs namely
MINIO_ACCESS_KEYandMINIO_SECRET_KEY. Using the combination of these two values MinIO encrypts the config stored at the backend.
But on initialization, it says: I have credentials. Reset them. So, I tried to. Just me?
thewatertower.org 
Thanks, that was just what I needed. I struck the same issue and didn’t find the instructions on the doco site useful.
LikeLiked by 1 person
Where you able to fix this one?
LikeLike
It’s been a while!
I generated this invalid AEAD algorithm ID error trying to set the access key and secret key on a new install.
In that situation, don’t set:
MINIO_ACCESS_KEY_OLD
MINIO_SECRET_KEY_OLD
Just specify the new values with MINIO_SECRET_KEY and MINIO_ACCESS_KEY
LikeLike
Cheers man. What I ended up doing is use someone elses instead.
LikeLike