
Dokploy s3 backup with KMS encrypted bucket results in md5 hash difference

Open LeonKalt opened this issue 4 months ago • 4 comments

To Reproduce

  1. Create a bucket with KMS key encryption
  2. Add it to dokploy
  3. Try to create dokploy backup

Current vs. Expected behavior

Encryption with KMS should not cause a failed backup

Provide environment information

Dokploy version: 0.24.8

Which area(s) are affected? (Select all that apply)

Local Development

Are you deploying the applications where Dokploy is installed or on a remote server?

Same server where Dokploy is installed

Additional context

No response

Will you send a PR to fix it?

No

LeonKalt avatar Aug 08 '25 11:08 LeonKalt

Where did you create a backup with KMS encryption? Could you point me, step by step, to how to create a bucket with those settings?

Siumauricio avatar Aug 09 '25 06:08 Siumauricio

I have created an S3 bucket on AWS with a KMS key. You can create one yourself by creating an AWS KMS key, then creating an S3 bucket with encryption type KMS and using the key. After that, configure your AWS IAM user to also allow kms:GenerateDataKey on that key.

With Terraform that looks something like this:

KMS Key

```hcl
data "aws_caller_identity" "current" {}

resource "aws_kms_key" "s3" {
  description         = "Key for S3 state bucket"
  enable_key_rotation = true
  policy = jsonencode({
    Version = "2012-10-17"
    Id      = "key-default-1"
    Statement = [
      {
        Sid    = "Enable IAM User Permissions"
        Effect = "Allow"
        Principal = {
          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
        },
        Action   = "kms:*"
        Resource = "*"
      }
    ]
  })
}
```

S3 Bucket encryption

```hcl
resource "aws_s3_bucket_server_side_encryption_configuration" "s3" {
  bucket = aws_s3_bucket.s3.bucket
  rule {
    bucket_key_enabled = true
    apply_server_side_encryption_by_default {
      kms_master_key_id = aws_kms_key.s3.id
      sse_algorithm     = "aws:kms"
    }
  }
}
```

IAM Permissions:

```hcl
resource "aws_iam_user_policy" "s3_user_kms_policy" {
  name = "s3-bucket-kms-access-policy-${var.bucket_name}"
  user = aws_iam_user.s3_user.name
  policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        Sid    = "AllowKMSGenerateDataKey",
        Effect = "Allow",
        Action = [
          "kms:GenerateDataKey"
        ],
        Resource = aws_kms_key.s3.arn
      }
    ]
  })
}
```

LeonKalt avatar Aug 11 '25 15:08 LeonKalt
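
Added example, not part of the thread and not Dokploy's code: S3 documents that the ETag of an object encrypted with SSE-KMS (the `sse_algorithm = "aws:kms"` setting above) is not an MD5 digest of the object data, which is consistent with the hash difference in the issue title. The sketch below decides when an MD5-versus-ETag comparison is meaningful and otherwise relies on the SHA-256 checksum; `etag_is_md5` and `verify_backup` are hypothetical helper names, and the `head` dicts are constructed samples shaped like HeadObject responses.

```python
import base64
import hashlib


def etag_is_md5(head: dict) -> bool:
    """True only when S3 defines the ETag as the MD5 of the object data."""
    etag = head["ETag"].strip('"')
    unencrypted_or_sse_s3 = (
        head.get("ServerSideEncryption") in (None, "AES256")
        and "SSECustomerAlgorithm" not in head
    )
    # A "-N" suffix marks a multipart upload, whose ETag is not a plain MD5.
    return unencrypted_or_sse_s3 and "-" not in etag


def verify_backup(data: bytes, head: dict) -> str:
    """Return the method that confirmed integrity; raise ValueError on mismatch."""
    expected = head.get("ChecksumSHA256")  # base64, independent of SSE mode
    if expected is not None:
        actual = base64.b64encode(hashlib.sha256(data).digest()).decode()
        if actual != expected:
            raise ValueError("SHA-256 checksum mismatch")
        return "sha256"
    if etag_is_md5(head):
        if hashlib.md5(data).hexdigest() != head["ETag"].strip('"'):
            raise ValueError("MD5/ETag mismatch")
        return "md5-etag"
    # SSE-KMS, SSE-C or multipart: the ETag is opaque, so a difference from
    # the local MD5 says nothing about corruption.
    return "unverifiable"


# Constructed sample data and HeadObject-shaped responses (not real output).
DATA = b"constructed backup payload\n"
SHA256_B64 = base64.b64encode(hashlib.sha256(DATA).digest()).decode()
PLAIN = {"ETag": '"%s"' % hashlib.md5(DATA).hexdigest()}
KMS = {"ETag": '"0123456789abcdef0123456789abcdef"',
       "ServerSideEncryption": "aws:kms"}
KMS_WITH_SHA = dict(KMS, ChecksumSHA256=SHA256_B64)

if __name__ == "__main__":
    for name, head in [("plain", PLAIN), ("kms", KMS), ("kms+sha256", KMS_WITH_SHA)]:
        print(name, verify_backup(DATA, head))
```

The SHA-256 value is only present in a HeadObject response when the object was uploaded with that checksum algorithm and the request asks for checksum mode.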

Any updates on this?

LeonKalt avatar Oct 27 '25 13:10 LeonKalt

Hey, I don't have time to use Terraform to create a bucket in that way. If you could tell me how to create it using the UI of AWS, that would be great.

Siumauricio avatar Nov 17 '25 07:11 Siumauricio