stash
Strong Repository encryption required for AWS S3 with KMS
Pods that talk to AWS S3 via s3api or the AWS CLI (restic) have to support KMS ServiceSideEncryption for storing backup data.
Example in the CLI for an S3 bucket encrypted by SSE aws-kms:
- :red_circle: : `aws s3 cp ./my_file s3://my_bucket/aabb` FAILED
- :white_check_mark: : `aws s3 cp ./my_file s3://my_bucket/aabb --sse aws:kms --sse-kms-key-id my_key_id` SUCCEEDED

Please implement a way to tell Stash/Restic about the ServiceSideEncryption configuration. Proposed example via ENV variables, like:
- STASH_AWS_S3_SSE_OPTION = "aws:kms" | "aws:cmk"
- STASH_AWS_S3_SSE_KEY = "my_key_id"
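
An added sketch, not part of the original post and not Stash or restic code, of how the two proposed variables could map onto the flags of the working `aws s3 cp` command above. The function names and `DRY_RUN` are assumptions; only `aws:kms`, the value that command uses, is accepted, and any other setting is rejected so the upload fails closed.

```shell
# Variable names are from the issue; function names and DRY_RUN are assumptions.

# Print the AWS CLI SSE flags, one per line, for the configured mode.
# Returns 2 on an invalid setting so a backup job fails closed instead of
# uploading without the encryption the operator asked for.
sse_args() {
  _opt="${STASH_AWS_S3_SSE_OPTION:-}"
  _key="${STASH_AWS_S3_SSE_KEY:-}"
  case "$_key" in
    *[!A-Za-z0-9:/_-]*)   # key ids, ARNs and aliases need only these characters
      echo "STASH_AWS_S3_SSE_KEY contains unexpected characters" >&2
      return 2 ;;
  esac
  case "$_opt" in
    "")
      # A key id without a mode is a misconfiguration, not "no encryption".
      if [ -n "$_key" ]; then
        echo "STASH_AWS_S3_SSE_KEY set without STASH_AWS_S3_SSE_OPTION" >&2
        return 2
      fi ;;
    aws:kms)
      printf '%s\n' --sse aws:kms
      # With no key id, S3 uses the AWS managed KMS key for S3.
      if [ -n "$_key" ]; then printf '%s\n' --sse-kms-key-id "$_key"; fi ;;
    *)
      echo "unsupported STASH_AWS_S3_SSE_OPTION: $_opt" >&2
      return 2 ;;
  esac
}

# Upload $1 to $2 with those flags. DRY_RUN=1 prints the command instead.
# The body runs in a subshell so the IFS and globbing changes stay local.
s3_put() (
  flags="$(sse_args)" || exit $?
  set -- aws s3 cp "$1" "$2"
  IFS='
'
  set -f                      # no globbing while splitting the flag list
  for f in $flags; do set -- "$@" "$f"; done
  IFS=' '
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
)
```
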
Stash already keeps the backed up data encrypted using AES-256. Why do you think you need another encryption?
@hossainemruz because Enterprise organizations use KMS or CMK encryption instead of a string (password from a k8s secret)
This feature requires support from restic/restic. Stash uses that tool under the hood.
restic uses the minio-go library for S3, so it might depend on library support of KMS server side encryption.