synapse-s3-storage-provider icon indicating copy to clipboard operation
synapse-s3-storage-provider copied to clipboard
verified publisher icon matrix-org

Add client side encryption

Open roeltm opened this issue 2 years ago • 3 comments

This PR extends the encryption options to include client side encryption. Using a static master key defined in the configuration aws-encryption-sdk library generates a key per file, encrypts the file with the generated key ~~and encrypts both file~~(edit: wrong description) and encrypts the key using the master key which gets uploaded to S3 together with the encrypted file.

Note: I'm not certain about the inclusion of the encryption module, this is a bit new for me so let me know if I can improve this.

roeltm avatar Sep 19 '23 11:09 roeltm

Can you expand a bit upon what the goal is here? How does it relate to the SSE-C support from #84? (If at all.)

clokep avatar Sep 19 '23 16:09 clokep

SSE is is server side, this is client side. Description here. A couple of difference in that:

  • The master key never leaves the server
  • Each file is encrypted using a seperate object key and the object key is encrypted using the master key. In the case of a master key rotation this would only require a re-encryption of the object key, not the entire file.

You could technically use both SSE and CSE, but that seems a bit excessive 😄

roeltm avatar Sep 20 '23 07:09 roeltm

Throwing this back on the team's pile as I've had a couple things pop up.

clokep avatar Oct 03 '23 13:10 clokep

Hi, really sorry for sitting on this for so long. We (empirically) don't have time to really accept large contributions to this project right now, especially as we don't have a good testing infrastructure for it and in general we've had issues with using boto3 and so are quite cautious.

As such I'm going to close this, rather than leaving it in limbo.

erikjohnston avatar May 22 '24 10:05 erikjohnston