[Feature] - Support for SSE-C in S3 Proxy Backend
Describe the solution you'd like
Please add support for SSE-C in the S3 backend: https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html
@BEBU88 would you want the customer provided keys to be an option provided for the gateway, or would you like these to come from the client directly?
@benmcclelland I would like this to be an option provided from the gateway. My use case is to send S3 requests to the gateway and forward them to a public S3 provider with SSE-C encryption.
@BEBU88 Is your use case about sending the SSE-C headers to the gateway, which will proxy them to your public S3 provider, which will then handle the encryption? So the gateway will only serve as a proxy layer?
@niksis02 My use case is about sending requests without SSE-C headers to the gateway, which will then add those headers and send them to my public provider.
@BEBU88 As long as we are going to proceed with a stateful approach (from the gateway perspective), we should think of a secure mechanism to store/get the encryption keys. Do you have any ideas to share?
@niksis02 Maybe we could store them in a Docker secret?
I think the options would be either to have them specifically configured through an option/env var, or to have some configuration specified to retrieve these from a key server. The key server is more secure and flexible (can have different keys per bucket, per object, etc.), but also a bit more complicated to deploy. The option/env var approach would be easier to add and deploy, but would be potentially insecure and less flexible, with the keys provided to all backend requests.
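
The gateway-side behaviour discussed in this thread (a request arrives without SSE-C headers and the gateway adds them before forwarding) could look like the following. This is an added example, not code from the issue or from the project; the function names, the `EXAMPLE_SSEC_KEY` variable and the policy of rejecting requests that already carry SSE-C headers are assumptions, while the three header names are the ones the S3 API defines for SSE-C.

```go
package main

import (
	"crypto/md5"
	"encoding/base64"
	"fmt"
	"net/http"
	"os"
)

// SSE-C request headers defined by the S3 API.
const (
	hdrAlgo   = "x-amz-server-side-encryption-customer-algorithm"
	hdrKey    = "x-amz-server-side-encryption-customer-key"
	hdrKeyMD5 = "x-amz-server-side-encryption-customer-key-MD5"
)

// loadKey reads a base64-encoded 256-bit key from the named environment variable.
func loadKey(envVar string) ([]byte, error) {
	key, err := base64.StdEncoding.DecodeString(os.Getenv(envVar))
	if err != nil || len(key) != 32 {
		return nil, fmt.Errorf("%s must be base64 of exactly 32 bytes", envVar)
	}
	return key, nil
}

// injectSSEC adds SSE-C headers; assumed policy: reject requests that already carry them.
func injectSSEC(h http.Header, key []byte) error {
	if len(key) != 32 {
		return fmt.Errorf("AES256 SSE-C needs a 32-byte key, got %d", len(key))
	}
	for _, name := range []string{hdrAlgo, hdrKey, hdrKeyMD5} {
		if h.Get(name) != "" {
			return fmt.Errorf("request already carries %s", name)
		}
	}
	sum := md5.Sum(key) // S3 uses this digest only as a transport integrity check
	h.Set(hdrAlgo, "AES256")
	h.Set(hdrKey, base64.StdEncoding.EncodeToString(key))
	h.Set(hdrKeyMD5, base64.StdEncoding.EncodeToString(sum[:]))
	return nil
}

func main() { // constructed all-zero key and hypothetical variable name, for demonstration only
	os.Setenv("EXAMPLE_SSEC_KEY", base64.StdEncoding.EncodeToString(make([]byte, 32)))
	key, _ := loadKey("EXAMPLE_SSEC_KEY")
	h := http.Header{}
	fmt.Println(injectSSEC(h, key), h.Get(hdrKeyMD5))
}
```

The raw key travels in every backend request header, so the connection to the backend has to be TLS and request logging must not record these headers.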