[ceph-users] Disabling RGW Encryption support in Luminous
cbodley at redhat.com
Tue Oct 16 06:10:55 PDT 2018
That's not currently possible, no. And I don't think it's a good idea to
add such a feature; if the client requests that something be encrypted,
the server should either encrypt it or reject the request.
There is a config called rgw_crypt_s3_kms_encryption_keys that we use
for testing, though, which allows you to specify a mapping of kms keyids
to actual keys. If your client is using a limited number of kms keyids,
you can provide keys for them and get limited sse-kms support without
setting up an actual kms.
For example, this is our test configuration for use with s3tests:
rgw crypt s3 kms encryption keys =
Where s3tests is sending requests with header
x-amz-server-side-encryption-aws-kms-key-id: testkey1 or testkey2.
I hope that helps!
On 10/16/18 8:43 AM, Arvydas Opulskis wrote:
> got no success on IRC, maybe someone will help me here.
> After RGW upgrade from Jewel to Luminous, one S3 user started to
> receive errors from his postgre wal-e solution. Error is like this:
> "Server Side Encryption with KMS managed key requires HTTP header
> x-amz-server-side-encryption : aws:kms".
> After some reading, seems, like this client is forcing Server side
> encryption (SSE) on RGW and it is not configured. Because user can't
> disable encryption in his solution for now (it will be possible in
> future release), can I somehow disable Encryption support on Luminous
> Thank you for your insights.
> ceph-users mailing list
> ceph-users at lists.ceph.com
More information about the ceph-users