objstore: add experimental encryption wrapper

Open MichaHoffmann opened this issue 2 years ago • 3 comments

This PR attempts to add an encryption wrapper that defers to github.com/minio/sio for encryption and decryption. This is useful when attempting to use Thanos in environments that need PCI DSS compliance.

  • [x] I added CHANGELOG entry for this change.
  • [ ] Change is not relevant to the end user.

Changes

  • added optional encryption wrapper to buckets

Verification

  • passes the acceptance tests
  • Built Thanos with this fork, set up receiver, querier and store, and pushed metrics into the receiver using Telegraf. The querier pointing at the store eventually showed the correct metrics; I verified that the contents of object storage are encrypted too.

Feb 18 '23 12:02 MichaHoffmann

README.md changes were automatically created by make lint

Feb 18 '23 22:02 MichaHoffmann

Idk what block storage you are using, but Cortex has S3 with SSE... maybe it is worth looking at:

https://github.com/cortexproject/cortex/blob/master/pkg/storage/bucket/sse_bucket_client.go

Feb 21 '23 18:02 alanprot

> Idk what block storage you are using, but Cortex has S3 with SSE... maybe it is worth looking at:
>
> https://github.com/cortexproject/cortex/blob/master/pkg/storage/bucket/sse_bucket_client.go

I wanted to add client-side encryption for situations where server-side encryption is not an option, though.

Feb 22 '23 16:02 MichaHoffmann
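
An added example (not code from this PR or from Thanos) of the client-side encryption wrapper idea discussed in the thread: objects are sealed before upload, so the store only ever holds ciphertext, and the object name is bound as associated data so a renamed or modified object fails to decrypt. It substitutes standard-library AES-256-GCM for github.com/minio/sio and an in-memory map for the bucket; `encBucket`, `newEncBucket` and the object names are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type encBucket struct { // client-side sealing wrapper; the store only holds ciphertext
	inner map[string][]byte // constructed in-memory stand-in for the remote bucket
	aead  cipher.AEAD
}

func newEncBucket(inner map[string][]byte, key []byte) (*encBucket, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &encBucket{inner: inner, aead: aead}, nil
}

// Upload stores nonce || ciphertext || tag, with the object name bound as AAD.
func (b *encBucket) Upload(name string, data []byte) error {
	nonce := make([]byte, b.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	b.inner[name] = b.aead.Seal(nonce, nonce, data, []byte(name))
	return nil
}

// Get authenticates, then decrypts; a modified or renamed object is rejected.
func (b *encBucket) Get(name string) ([]byte, error) {
	raw, n := b.inner[name], b.aead.NonceSize()
	if len(raw) < n {
		return nil, fmt.Errorf("object %q missing or truncated", name)
	}
	return b.aead.Open(nil, raw[:n], raw[n:], []byte(name))
}

func main() {
	b, _ := newEncBucket(map[string][]byte{}, make([]byte, 32)) // all-zero demo key
	b.Upload("blk/index", []byte("sample"))
	fmt.Println(b.Get("blk/index"))
}
```

Single-shot GCM holds the whole object in memory, so it suits small objects only; large objects need a chunked streaming construction, which is the job the PR hands to sio.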