Skip to content
This repository has been archived by the owner on Oct 19, 2021. It is now read-only.

support customer-supplied encryption keys #19

Merged
merged 3 commits into from
Apr 22, 2021
Merged

support customer-supplied encryption keys #19

merged 3 commits into from
Apr 22, 2021

Conversation

xxchan
Copy link
Contributor

@xxchan xxchan commented Apr 21, 2021
edited
Loading

part of beyondstorage/go-storage#523

ref: https://cloud.google.com/storage/docs/encryption

  • Google-managed encryption keys: default behaviour, no setup or configuration required
  • customer-supplied encryption keys: has the following HTTP headers:
    • x-goog-encryption-algorithm
    • x-goog-encryption-key
    • x-goog-encryption-sha256
    • copy operation also has encryption headers, but we havn't supported copy for gcs yet.
  • Customer-managed encryption keys: service agent performs encryption and decryption with customer-managed encryption keys

Xuanwo
Xuanwo reviewed Apr 21, 2021
View reviewed changes
storage.go Outdated Show resolved Hide resolved
service.toml Outdated

[infos.object.meta.sse_customer_key_sha256]
type = "string"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What's the content of sse_customer_key_sha256, a base64 string?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

base64-encoded SHA-256 hash of the customer-supplied encryption key for the object

Xuanwo
Xuanwo reviewed Apr 21, 2021
View reviewed changes
utils.go Outdated
@@ -277,6 +277,9 @@ func (s *Storage) formatFileObject(v *gs.ObjectAttrs) (o *typ.Object, err error)
if value := v.StorageClass; value != "" {
sm[MetadataStorageClass] = value
}
if value := v.CustomerKeySHA256; value != "" {
sm[MetadataSseCustomerKeySha256] = value
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about keeping the naming style with SDK?

  • sse_customer_key => customer_key
  • sse_customer_key_sha256 => customer_key_sha256

Or the naming in GCS's docs:

  • encryption_key
  • encryption_key_sha256

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wrote a RFC about this: beyondstorage/specs#38

@xxchan
Copy link
Contributor Author

xxchan commented Apr 22, 2021

I haven't completely understand how to use gcs' KMS. It seems we don't need to do anything here?

@xxchan xxchan mentioned this pull request Apr 22, 2021
Closed
10 tasks
@Xuanwo
Copy link
Contributor

Xuanwo commented Apr 22, 2021

I haven't completely understand how to use gcs' KMS. It seems we don't need to do anything here?

Yes.

@Xuanwo Xuanwo merged commit d057556 into master Apr 22, 2021
@Xuanwo Xuanwo deleted the sse branch April 22, 2021 09:22
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@Xuanwo Xuanwo Xuanwo approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@xxchan @Xuanwo