Platform support for SSE (Server-Side Encryption) #1
Comments
|
Also related to: deis/workflow#481 If encryption is supported on Minio too, then we should use it... probably optionally with a If not, we don't currently have a persistence story in Minio, so no big deal. There's really no need to store stuff encrypted in-memory. It would also be good to check on So if the user passes |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I found that the s3cmd driver for AWS at least looks like it needs a parameter "
encrypt" to encrypt bucket contents, parameter should be set totrue. This is not a critical fix because the S3 bucket that is managed bywal-eis the only one that should need to be encrypted, but for my department policy will probably require that all three buckets should be encrypted.(In case somebody slips up and uploads an image or a builder artifact with a key embedded in it. The buckets will all be private, and the release artifacts also private, so we would not usually need to emergency-rotate these keys, but there is always the possibility that someone will slip up and by mistake upload a production key into a git repo or through some Dockerfile ADD, and then they will need to be scheduled to be rotated.)
So, to alleviate this, I wanted to enable encryption on all three buckets via s3-uploader, that way my InfoSec department can enforce full encryption via policy on all of our s3 buckets, and we will never accidentally store unencrypted keys.
Does anyone know about the encryption support across other platforms such as Azure, GCE, Swift? We are on AWS/S3 and I know that Encryption is an optional flag to pass with the PUT. (If we can implement that in a way that supports all existing cloud storage options, I'd expect this to be a welcome change in the trunk.)
The text was updated successfully, but these errors were encountered: