[Request] Optional S3 encryption #683
Labels
feat
New feature or request
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the feature
See also cryostatio/cryostat-storage#29
See also cryostatio/cryostat-operator#959
When potentially sensitive data is pushed out to object storage (S3), Cryostat should rewrite that data stream using a strong cryptographic encryption algorithm and a user-provided encryption key. Symmetrically, when reading data streams out from storage, the same algorithm should be used to decrypt the stream, using a user-provided encryption key. Cryostat should of course use the same configuration property for both of these keys. It is up to the user to ensure that they use a stable key over time, or else old data will no longer be decryptable using the new key. This way, even if the user is using an object storage which does not offer at-rest data encryption, their data can be encrypted.
Important implementation detail note: enabling this feature will break the ability for file uploads/downloads to be done directly between the client and the object storage via presigned URLs, since that would be a data transfer directly from the client to storage - this would bypass Cryostat as an intermediary, so the encryption stage would be skipped.
Anything other information?
No response
The text was updated successfully, but these errors were encountered: