ceph/doc/radosgw/encryption.rst
Rahul Dev Parashar 95acefb2f5 rgw: Introduce BucketEncryption APIs to support SSE-S3 feature
This patch introduces support for 3 new BucketEncryption APIs which are listed
below and are helpful in supporting AWS SSE-S3 encryption mode.
PutBucketEncryption: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html
GetBucketEncryption: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketEncryption.html
DeleteBucketEncryption: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html

The user provided parameters are parsed and stored in the bucket's extended
attributes RGW_ATTR_BUCKET_ENCRYPTION and
RGW_ATTR_BUCKET_ENCRYPTION_SSE_S3_KEY_ID.

Signed-off-by: Rahul Dev Parashar <rahul.dev@flipkart.com>
2021-07-19 12:48:14 +05:30

81 lines
3.4 KiB
ReStructuredText

==========
Encryption
==========
.. versionadded:: Luminous
The Ceph Object Gateway supports server-side encryption of uploaded objects,
with 3 options for the management of encryption keys. Server-side encryption
means that the data is sent over HTTP in its unencrypted form, and the Ceph
Object Gateway stores that data in the Ceph Storage Cluster in encrypted form.
.. note:: Requests for server-side encryption must be sent over a secure HTTPS
connection to avoid sending secrets in plaintext. If a proxy is used
for SSL termination, ``rgw trust forwarded https`` must be enabled
before forwarded requests will be trusted as secure.
.. note:: Server-side encryption keys must be 256-bit long and base64 encoded.
Customer-Provided Keys
======================
In this mode, the client passes an encryption key along with each request to
read or write encrypted data. It is the client's responsibility to manage those
keys and remember which key was used to encrypt each object.
This is implemented in S3 according to the `Amazon SSE-C`_ specification.
As all key management is handled by the client, no special configuration is
needed to support this encryption mode.
Key Management Service
======================
This mode allows keys to be stored in a secure key management service and
retrieved on demand by the Ceph Object Gateway to serve requests to encrypt
or decrypt data.
This is implemented in S3 according to the `Amazon SSE-KMS`_ specification.
In principle, any key management service could be used here. Currently
integration with `Barbican`_, `Vault`_, and `KMIP`_ are implemented.
See `OpenStack Barbican Integration`_, `HashiCorp Vault Integration`_,
and `KMIP Integration`_.
Bucket Encryption APIs
======================
Bucket Encryption APIs to support server-side encryption with Amazon
S3-managed keys (SSE-S3) or AWS KMS customer master keys (SSE-KMS).
SSE-KMS implementation via BucketEncryption APIs is not supported yet.
See `PutBucketEncryption`_, `GetBucketEncryption`_, `DeleteBucketEncryption`_
Automatic Encryption (for testing only)
=======================================
A ``rgw crypt default encryption key`` can be set in ceph.conf to force the
encryption of all objects that do not otherwise specify an encryption mode.
The configuration expects a base64-encoded 256 bit key. For example::
rgw crypt default encryption key = 4YSmvJtBv0aZ7geVgAsdpRnLBEwWSWlMIGnRS8a9TSA=
.. important:: This mode is for diagnostic purposes only! The ceph configuration
file is not a secure method for storing encryption keys. Keys that are
accidentally exposed in this way should be considered compromised.
.. _Amazon SSE-C: https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerSideEncryptionCustomerKeys.html
.. _Amazon SSE-KMS: http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html
.. _Barbican: https://wiki.openstack.org/wiki/Barbican
.. _Vault: https://www.vaultproject.io/docs/
.. _KMIP: http://www.oasis-open.org/committees/kmip/
.. _PutBucketEncryption: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html
.. _GetBucketEncryption: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketEncryption.html
.. _DeleteBucketEncryption: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html
.. _OpenStack Barbican Integration: ../barbican
.. _HashiCorp Vault Integration: ../vault
.. _KMIP Integration: ../kmip