[Request] Optional S3 encryption #683

Open
andrewazores opened this issue Oct 7, 2024 · 0 comments
Labels
feat New feature or request

Comments

@andrewazores
Member

andrewazores commented Oct 7, 2024

Describe the feature

See also cryostatio/cryostat-storage#29
See also cryostatio/cryostat-operator#959

When potentially sensitive data is pushed out to object storage (S3), Cryostat should rewrite that data stream using a strong cryptographic encryption algorithm and a user-provided encryption key. Symmetrically, when reading data streams out from storage, the same algorithm should be used to decrypt the stream, using a user-provided encryption key. Cryostat should of course use the same configuration property for both of these keys. It is up to the user to ensure that they use a stable key over time, or else old data will no longer be decryptable using the new key. This way, even if the user is using an object storage which does not offer at-rest data encryption, their data can be encrypted.

Important implementation detail note: enabling this feature will break the ability for file uploads/downloads to be done directly between the client and the object storage via presigned URLs, since that would be a data transfer directly from the client to storage - this would bypass Cryostat as an intermediary, so the encryption stage would be skipped.

Any other information?

No response
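The request above describes a rewrite stage that sits between Cryostat and S3: one user-provided key, the same algorithm on the way in and the way out, and no dependency on the storage backend's own at-rest encryption. The Go program below is an added illustration of that design and is not Cryostat code (Cryostat itself is written in Java); the framed chunk format, the 64 KiB chunk size, the 8-byte nonce prefix and the use of AES-GCM are my assumptions, not anything the issue specifies. It treats the object as a stream of independently authenticated chunks so that a multi-gigabyte recording never has to be buffered in memory, and so that a stored object that has been truncated, reordered, modified or extended is rejected rather than decrypted into a silently shortened or altered file.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"io"
)

// Assumed object layout (my construction, not Cryostat's): an 8-byte random nonce
// prefix, then frames of [1-byte final flag][4-byte BE length][AES-GCM ciphertext||tag].
// The nonce of chunk i is prefix||i and the flag byte is authenticated as associated
// data, so a truncated, reordered, modified or extended object fails to decrypt.
const (
	chunkSize = 64 * 1024 // plaintext bytes per AEAD chunk
	prefixLen = 8         // 96-bit nonce = prefix || 32-bit chunk counter
)

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

func chunkNonce(prefix []byte, counter uint32) []byte {
	nonce := make([]byte, 12)
	copy(nonce, prefix)
	binary.BigEndian.PutUint32(nonce[prefixLen:], counter)
	return nonce
}

// EncryptStream rewrites the plaintext from r into framed ciphertext on w.
func EncryptStream(key []byte, r io.Reader, w io.Writer) error {
	aead, err := newAEAD(key)
	if err != nil { return err }
	prefix := make([]byte, prefixLen)
	if _, err := rand.Read(prefix); err != nil { return err }
	if _, err := w.Write(prefix); err != nil { return err }
	buf := make([]byte, chunkSize)
	for counter := uint32(0); ; counter++ { // 2^32 chunks caps one object at 256 TiB
		n, readErr := io.ReadFull(r, buf)
		last := readErr == io.EOF || readErr == io.ErrUnexpectedEOF // short read: input exhausted
		if readErr != nil && !last {
			return readErr
		}
		var hdr [5]byte // [final flag][ciphertext length]
		if last {
			hdr[0] = 1
		}
		ct := aead.Seal(nil, chunkNonce(prefix, counter), buf[:n], hdr[:1])
		binary.BigEndian.PutUint32(hdr[1:], uint32(len(ct)))
		if _, err := w.Write(append(hdr[:], ct...)); err != nil { return err }
		if last { return nil }
	}
}

// DecryptStream reverses EncryptStream. Any error means the key differs from the one
// used at write time, or the stored object was modified, truncated or extended.
func DecryptStream(key []byte, r io.Reader, w io.Writer) error {
	aead, err := newAEAD(key)
	if err != nil { return err }
	prefix := make([]byte, prefixLen)
	if _, err := io.ReadFull(r, prefix); err != nil {
		return errors.New("missing nonce prefix")
	}
	maxFrame := uint32(chunkSize + aead.Overhead()) // reject absurd lengths before allocating
	for counter := uint32(0); ; counter++ {
		var hdr [5]byte
		if _, err := io.ReadFull(r, hdr[:]); err != nil {
			return errors.New("truncated: final chunk never seen")
		}
		n := binary.BigEndian.Uint32(hdr[1:])
		if n > maxFrame {
			return errors.New("frame length exceeds maximum")
		}
		ct := make([]byte, n)
		if _, err := io.ReadFull(r, ct); err != nil {
			return errors.New("truncated inside a chunk")
		}
		// The flag byte is the associated data, so a flipped flag fails here too.
		pt, err := aead.Open(nil, chunkNonce(prefix, counter), ct, hdr[:1])
		if err != nil {
			return errors.New("authentication failed: wrong key or modified data")
		}
		if _, err := w.Write(pt); err != nil { return err }
		if hdr[0] == 1 {
			if _, err := io.ReadFull(r, []byte{0}); err != io.EOF {
				return errors.New("unexpected data after final chunk")
			}
			return nil
		}
	}
}
```

Wired into an upload path, `EncryptStream` would wrap the body handed to the S3 client and `DecryptStream` the body returned from it, with the key read once from the configuration property the issue mentions. Because the key never leaves the server, a client that fetched the object directly through a presigned URL would receive only the framed ciphertext, which is exactly the trade-off the implementation note above describes.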
