root
/
minio
mirror of https://github.com/minio/minio.git
1
0
Fork 0
Code Issues Actions 1 Packages Projects Releases Wiki Activity
minio/cmd/crypto
History
Andreas Auernhammer 871b450dbd
crypto: add support for decrypting SSE-KMS metadata (#11415) 
This commit refactors the SSE implementation and add
S3-compatible SSE-KMS context handling.

SSE-KMS differs from SSE-S3 in two main aspects:
 1. The client can request a particular key and
    specify a KMS context as part of the request.
 2. The ETag of an SSE-KMS encrypted object is not
    the MD5 sum of the object content.

This commit only focuses on the 1st aspect.

A client can send an optional SSE context when using
SSE-KMS. This context is remembered by the S3 server
such that the client does not have to specify the
context again (during multipart PUT / GET / HEAD ...).
The crypto. context also includes the bucket/object
name to prevent renaming objects at the backend.

Now, AWS S3 behaves as following:
 - If the user does not provide a SSE-KMS context
   it does not store one - resp. does not include
   the SSE-KMS context header in the response (e.g. HEAD).
 - If the user specifies a SSE-KMS context without
   the bucket/object name then AWS stores the exact
   context the client provided but adds the bucket/object
   name internally. The response contains the KMS context
   without the bucket/object name.
 - If the user specifies a SSE-KMS context with
   the bucket/object name then AWS again stores the exact
   context provided by the client. The response contains
   the KMS context with the bucket/object name.

This commit implements this behavior w.r.t. SSE-KMS.
However, as of now, no such object can be created since
the server rejects SSE-KMS encryption requests.

This commit is one stepping stone for SSE-KMS support.

Co-authored-by: Harshavardhana <harsha@minio.io>
 		2021-02-03 15:19:08 -08:00
..
config.go discard empty endpoint in crypto kes 2020-08-31 19:35:43 -07:00
doc.go
error.go Add crypto context errors (#8740) 2020-01-06 16:15:22 -08:00
header.go refactor cmd/crypto code for SSE handling and parsing (#11045) 2020-12-22 09:19:32 -08:00
header_test.go refactor cmd/crypto code for SSE handling and parsing (#11045) 2020-12-22 09:19:32 -08:00
help.go
json.go crypto: Escape JSON text (#10794) 2021-01-19 01:39:04 -08:00
kes.go validate storage class across pools when setting config (#11320) 2021-01-22 12:09:24 -08:00
key.go Optimize decryptObjectInfo (#10726) 2020-10-29 09:34:20 -07:00
key_test.go
kms.go crypto: Escape JSON text (#10794) 2021-01-19 01:39:04 -08:00
kms_test.go crypto: Escape JSON text (#10794) 2021-01-19 01:39:04 -08:00
legacy.go Add crypto context errors (#8740) 2020-01-06 16:15:22 -08:00
metadata.go crypto: add support for decrypting SSE-KMS metadata (#11415) 2021-02-03 15:19:08 -08:00
metadata_test.go crypto: add support for decrypting SSE-KMS metadata (#11415) 2021-02-03 15:19:08 -08:00
parse.go Add crypto context errors (#8740) 2020-01-06 16:15:22 -08:00
parse_test.go admin: new API for creating KMS master keys (#9982) 2020-07-08 18:50:43 -07:00
retry.go crypto: reduce retry delay when retrying KES requests (#10394) 2020-09-02 11:04:10 -07:00
sse-c.go refactor cmd/crypto code for SSE handling and parsing (#11045) 2020-12-22 09:19:32 -08:00
sse-kms.go crypto: add support for decrypting SSE-KMS metadata (#11415) 2021-02-03 15:19:08 -08:00
sse-s3.go crypto: add support for decrypting SSE-KMS metadata (#11415) 2021-02-03 15:19:08 -08:00
sse.go refactor cmd/crypto code for SSE handling and parsing (#11045) 2020-12-22 09:19:32 -08:00
sse_test.go
vault.go Optimize decryptObjectInfo (#10726) 2020-10-29 09:34:20 -07:00
vault_test.go