Bug #23264

open

Server side encryption support for s3 COPY operation

Added by Casey Bodley about 6 years ago. Updated about 12 hours ago.

Status: In Progress
Priority: Normal
Assignee:
Target version: -
% Done: 0%
Source:
Tags: sse
Backport:
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

If the source object of a copy operation is encrypted with SSE-C, we should be requiring the x-amz-copy-source-server-side-encryption-customer-* headers necessary to decrypt it, and then apply the x-amz-server-side-encryption-customer-* headers (if given) to re-encrypt the target object.

For SSE-KMS, we should also respect the x-amz-server-side-encryption* headers when writing the target object.
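
The header rule in the description, sketched as an added example (this is not Ceph RGW code and not part of the original report): a Python check that a CopyObject request carries a complete, self-consistent SSE-C header set for the source, and for the target when one is given. The function names and the `source_is_sse_c` flag are assumptions made for illustration; the header names are the S3 API ones, compared in lowercase.

```python
import base64
import hashlib

# S3 SSE-C header families: one to decrypt the copy source, one to encrypt the target.
SRC_PREFIX = "x-amz-copy-source-server-side-encryption-customer-"
DST_PREFIX = "x-amz-server-side-encryption-customer-"
FIELDS = ("algorithm", "key", "key-md5")

def sse_c_headers(prefix, key):
    """Build the three SSE-C headers for a raw 256-bit key."""
    return {
        prefix + "algorithm": "AES256",
        prefix + "key": base64.b64encode(key).decode(),
        prefix + "key-md5": base64.b64encode(hashlib.md5(key).digest()).decode(),
    }

def _check_set(prefix, headers):
    """Return problems with one SSE-C header set (all three present, key matches MD5)."""
    missing = [prefix + f for f in FIELDS if prefix + f not in headers]
    if missing:
        return ["missing " + m for m in missing]
    problems = []
    if headers[prefix + "algorithm"] != "AES256":
        problems.append(prefix + "algorithm must be AES256")
    try:
        key = base64.b64decode(headers[prefix + "key"], validate=True)
    except ValueError:
        return problems + [prefix + "key is not valid base64"]
    if len(key) != 32:
        problems.append(prefix + "key must decode to 32 bytes")
    expected = base64.b64encode(hashlib.md5(key).digest()).decode()
    if headers[prefix + "key-md5"] != expected:
        problems.append(prefix + "key-md5 does not match key")
    return problems

def check_copy_request(source_is_sse_c, headers):
    """Apply the rule from the description to a CopyObject request's headers."""
    h = {k.lower(): v for k, v in headers.items()}
    problems = []
    if source_is_sse_c:  # source headers are mandatory to decrypt the source
        problems += _check_set(SRC_PREFIX, h)
    if any(k.startswith(DST_PREFIX) for k in h):  # target headers are optional
        problems += _check_set(DST_PREFIX, h)
    return problems

if __name__ == "__main__":
    key = bytes(range(32))  # constructed sample key, not a real secret
    print(check_copy_request(True, sse_c_headers(DST_PREFIX, key)))
```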


Related issues 2 (0 open, 2 closed)

Related to rgw - Bug #23232: RGWCopyObj silently corrupts the object that was mulitpart-uploaded in SSE-C (Resolved, Casey Bodley, 03/06/2018)
Has duplicate rgw - Bug #45942: [rgw] copy object on bucket with SSE-C returns NotImplemented (Duplicate)

Actions #1

Updated by Casey Bodley about 6 years ago

  • Related to Bug #23232: RGWCopyObj silently corrupts the object that was mulitpart-uploaded in SSE-C added
Actions #2

Updated by Orit Wasserman almost 6 years ago

  • Assignee set to Casey Bodley
Actions #3

Updated by Casey Bodley almost 5 years ago

  • Priority changed from Normal to High
Actions #4

Updated by Casey Bodley almost 5 years ago

  • Priority changed from High to Normal
Actions #5

Updated by Casey Bodley almost 4 years ago

  • Has duplicate Bug #45942: [rgw] copy object on bucket with SSE-C returns NotImplemented added
Actions #6

Updated by David Piper about 3 years ago

Is there any plan to fix this in upcoming releases?

Actions #7

Updated by Matt Benjamin almost 2 years ago

  • Assignee changed from Casey Bodley to Marcus Watts

Does this still happen, Marcus?

Matt

Actions #8

Updated by Richard Bateman over 1 year ago

It does not silently corrupt objects as far as I can tell, but it does still return a 501 NotImplemented when you try to do a CopyObject with an SSE-C encrypted object -- which is quite frustrating. I'm in the process of adding support for SSE-C to the docker registry project and because of this bug it won't work on my ceph cluster :-(

Actions #9

Updated by adam madsen about 1 year ago

Does this apply to other SSE modes as well, if it is still a problem? I've run into the same error with SSE-S3 and was curious if there was progress on this or whether to pursue FDE instead.

Actions #10

Updated by Casey Bodley 10 months ago

adam madsen wrote:

Does this apply to other SSE modes as well, if it is still a problem? I've run into the same error with SSE-S3 and was curious if there was progress on this or whether to pursue FDE instead.

This does apply to all flavors of server-side encryption. The low-level copy operation returns this not-implemented error if the source object uses any form of encryption.

I believe Marcus does plan to implement this in the near- to medium-term.

Actions #11

Updated by Casey Bodley about 12 hours ago

  • Status changed from New to In Progress
  • Tags set to sse
  • Pull request ID set to 54543