Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support for AWS S3 SSE-C ("SSE Customer Keys") #973

Open
AlbinoDrought opened this issue Jul 30, 2024 · 2 comments
Open

Support for AWS S3 SSE-C ("SSE Customer Keys") #973

AlbinoDrought opened this issue Jul 30, 2024 · 2 comments

Comments

@AlbinoDrought
Copy link

boto3 supports SSE-C: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/s3.html#uploading-downloading-files-using-sse-customer-keys

I don't believe all of these properties can currently be set in barman. Here's where other SSE properties are set:

barman/barman/cloud_providers/aws_s3.py

Line 175 in aaff060

if self.encryption:

Unfortunately, I'm not familiar with barman or Python. I imagine something like this:

diff --git a/barman/cloud_providers/aws_s3.py b/barman/cloud_providers/aws_s3.py
index 2e09608..d37888a 100644
--- a/barman/cloud_providers/aws_s3.py
+++ b/barman/cloud_providers/aws_s3.py
@@ -108,6 +108,7 @@ class S3CloudInterface(CloudInterface):
         delete_batch_size=None,
         read_timeout=None,
         sse_kms_key_id=None,
+        sse_customer_key=None,
     ):
         """
         Create a new S3 interface given the S3 destination url and the profile
@@ -126,6 +127,8 @@ class S3CloudInterface(CloudInterface):
           raised when waiting to read from a connection
         :param str|None sse_kms_key_id: the AWS KMS key ID that should be used
           for encrypting uploaded data in S3
+        :param str|None sse_customer_key: the AWS SSE Customer Key (SSE-C) that
+          should be used for encrypting uploaded data in S3
         """
         super(S3CloudInterface, self).__init__(
             url=url,
@@ -138,6 +141,7 @@ class S3CloudInterface(CloudInterface):
         self.endpoint_url = endpoint_url
         self.read_timeout = read_timeout
         self.sse_kms_key_id = sse_kms_key_id
+        self.sse_customer_key = sse_customer_key
 
         # Extract information from the destination URL
         parsed_url = urlparse(url)
@@ -176,6 +180,9 @@ class S3CloudInterface(CloudInterface):
             additional_args["ServerSideEncryption"] = self.encryption
         if self.sse_kms_key_id:
             additional_args["SSEKMSKeyId"] = self.sse_kms_key_id
+        if self.sse_customer_key:
+            additional_args["SSECustomerKey"] = self.sse_customer_key
+            additional_args["SSECustomerAlgorithm"] = "AES256"
         return additional_args
 
     def test_connectivity(self):

but my usage of barman also includes retrieving backups (barman-cloud-restore, etc) and I'm not sure where the key would be configured for those.
@tonobo
Copy link

tonobo commented Oct 8, 2024
edited
Loading

👍

I'd like to see something like this in cnpg

@rdegez
Copy link

rdegez commented Oct 23, 2024
edited
Loading

Indeed that would be very nice and that's a requirement if you use any object-storage provider that don't support SSE-S3 and still need encryption at rest for CNPG backups and WALs.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@AlbinoDrought @rdegez @tonobo