[ceph-users] Disabling RGW Encryption support in Luminous

Casey Bodley cbodley at redhat.com
Tue Oct 16 06:10:55 PDT 2018


That's not currently possible, no. And I don't think it's a good idea to 
add such a feature; if the client requests that something be encrypted, 
the server should either encrypt it or reject the request.

There is a config called rgw_crypt_s3_kms_encryption_keys that we use 
for testing, though, which allows you to specify a mapping of kms keyids 
to actual keys. If your client is using a limited number of kms keyids, 
you can provide keys for them and get limited sse-kms support without 
setting up an actual kms.

For example, this is our test configuration for use with s3tests:

rgw crypt s3 kms encryption keys = testkey-1=YmluCmJvb3N0CmJvb3N0LWJ1aWxkCmNlcGguY29uZgo= testkey-2=aWIKTWFrZWZpbGUKbWFuCm91dApzcmMKVGVzdGluZwo=

Where s3tests is sending requests with header 
x-amz-server-side-encryption-aws-kms-key-id: testkey1 or testkey2.

I hope that helps!
Casey

On 10/16/18 8:43 AM, Arvydas Opulskis wrote:
> Hi,
>
> got no success on IRC, maybe someone will help me here.
>
> After RGW upgrade from Jewel to Luminous, one S3 user started to 
> receive errors from his postgre wal-e solution. Error is like this: 
> "Server Side Encryption with KMS managed key requires HTTP header 
> x-amz-server-side-encryption : aws:kms".
> After some reading, it seems like this client is forcing server-side
> encryption (SSE) on RGW and it is not configured. Because the user can't
> disable encryption in his solution for now (it will be possible in a
> future release), can I somehow disable encryption support on Luminous
> RGW?
>
> Thank you for your insights.

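An added example, not part of the original message and not Ceph code: a check for a value of rgw_crypt_s3_kms_encryption_keys before it goes into ceph.conf. It assumes RGW expects 256-bit AES keys; the function names and the key id "wal-e-backup" are made up for illustration. The two s3tests keys quoted above decode to 32 bytes of readable text, so they are flagged, and a replacement entry is generated from the OS CSPRNG.

```python
import base64
import secrets

AES_256_KEY_LEN = 32  # assumption: RGW SSE expects 256-bit AES keys


def parse_kms_keys(value):
    """Parse 'keyid=base64 keyid=base64 ...' into {keyid: raw key bytes}."""
    keys = {}
    for entry in value.split():
        key_id, sep, b64 = entry.partition("=")  # base64 padding stays in b64
        if not sep or not key_id:
            raise ValueError(f"malformed entry: {entry!r}")
        keys[key_id] = base64.b64decode(b64, validate=True)
    return keys


def audit_key(raw):
    """Return the problems found in one decoded key (empty list means OK)."""
    problems = []
    if len(raw) != AES_256_KEY_LEN:
        problems.append(f"length {len(raw)} bytes, expected {AES_256_KEY_LEN}")
    # A random 32-byte key is practically never all printable ASCII/whitespace;
    # one that is was most likely typed or derived from text.
    if raw and all(b in b"\t\n\r" or 32 <= b < 127 for b in raw):
        problems.append("decodes to plain text, not random bytes")
    return problems


def new_entry(key_id):
    """Build a mapping entry backed by 32 bytes from the OS CSPRNG."""
    raw = secrets.token_bytes(AES_256_KEY_LEN)
    return f"{key_id}={base64.b64encode(raw).decode()}"


def unmapped(requested_ids, keys):
    """Key ids that clients send but the mapping has no key for."""
    return sorted(set(requested_ids) - set(keys))


# The s3tests mapping quoted in the message above.
TEST_CONF = ("testkey-1=YmluCmJvb3N0CmJvb3N0LWJ1aWxkCmNlcGguY29uZgo= "
             "testkey-2=aWIKTWFrZWZpbGUKbWFuCm91dApzcmMKVGVzdGluZwo=")

if __name__ == "__main__":
    keys = parse_kms_keys(TEST_CONF)
    for key_id, raw in keys.items():
        print(key_id, audit_key(raw) or "ok")
    # "wal-e-backup" is a constructed key id, not one from the thread.
    print("no key for:", unmapped(["testkey-1", "wal-e-backup"], keys))
    print("replacement:", new_entry("wal-e-backup"))
```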
