Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adding support for SSE in the S3 storage backend. #5996

Merged
merged 8 commits into from
Jan 26, 2019
Merged

Adding support for SSE in the S3 storage backend. #5996

merged 8 commits into from
Jan 26, 2019

Conversation

mrburrito
Copy link
Contributor

@mrburrito mrburrito commented Jan 3, 2019
edited
Loading

This adds the ability to enable SSE for the S3 storage backend, including the option to use a customer managed KMS key.

Fixes #2673

jefferai
jefferai reviewed Jan 4, 2019
View reviewed changes
website/source/docs/configuration/storage/s3.html.md Outdated
access_key = "abcd1234"
secret_key = "defg5678"
bucket = "my-bucket"
sse = "aws:kms"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems like there is no use case for using AES256 as the value for SSE (given that you can't also specify a key, and if you did, it'd be sitting in plaintext). Why not juse only have kms_key_id and test whether it's empty (use default) or whether it's something custom?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could definitely do that. It would simplify things and I'm pretty sure anyone trying to add encryption on top of what vault already does is going to use KMS, unless I add the option to specify your own key material for AES encryption. Either way, I think you're right. It makes more sense to specify a key ID and set the SSE option appropriately. AES support could be added with an alternate parameter if anyone wants it.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated. Definitely cleans the code up a good bit.

@briankassouf briankassouf added this to the 1.1 milestone Jan 7, 2019
@hashicorp-cla
Copy link

hashicorp-cla commented Jan 15, 2019
edited
Loading

CLA assistant check
All committers have signed the CLA.

@chrishoffman chrishoffman modified the milestones: 1.1, 1.0.3 Jan 24, 2019
@jefferai
Copy link
Member

Looks good, thanks!

@jefferai jefferai merged commit 91a37b2 into hashicorp:master Jan 26, 2019
@lorengordon
Copy link

Nice, I see this made it into 1.0.3!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jefferai jefferai jefferai left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
1.0.3
Development

Successfully merging this pull request may close these issues.
6 participants
@mrburrito @hashicorp-cla @jefferai @lorengordon @chrishoffman @briankassouf