S3: ability to force server-side encryption

That one should be quite easy to implement: Support setting for AWS-KMS. Boto supports it and all that is needed is to add KMS key ID support to the S3 settings in seafile.conf.
Right now it is not possible to use S3 bucket encryption (besides Seafile encryption), so that would be nice to implement :)


@daniel.pan we are interested as well in server-side object storage encryption.

Our platform provider (not AWS) supports SSE-C over the native AWS S3 API.
Is there any possibility to add the required settings to the Seafile config?

Different S3 Encryption Types: Amazon S3 Server-Side Encryption Types - CMKs Stored in AWS KMS (SSE-KMS), Amazon S3-managed encryption keys (SSE-S3), customer-provided encryption keys (SSE-C)

Reference SSE-C: Using server-side encryption with customer-provided keys (SSE-C) - Amazon Simple Storage Service
Reference SSE-KMS: Using server-side encryption with AWS KMS keys (SSE-KMS) - Amazon Simple Storage Service

Thank you very much for checking this feature.

@daniel.pan any feedback regarding SSE-C and SSE-KMS support?

Seafile supports KMS encryption out of the box. You just need to configure per AWS documentation: Using server-side encryption with AWS KMS keys (SSE-KMS) - Amazon Simple Storage Service. However, the current version of Seafile uses the deprecated boto library, which has a bug (https://github.com/boto/boto/issues/3750) supporting KMS. In version 11 we’ll upgrade to boto3, which supports KMS out of the box. If you want to use KMS now, you can apply a patch to boto: check for kms, skip etag check by williamkinney · Pull Request #12 · DataDog/boto · GitHub

I had a look at SSE-C. You have to provide the encryption keys for each object. Is using the same key for all objects sufficient for your case? Using different keys for different objects requires a more advanced key management system, which is out of the scope of Seafile itself.
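What SSE-C with a single key and SSE-KMS look like at the request level, as an added example that is not part of the thread or of Seafile's code. The header names are the standard S3 ones; the function names, the sample key, the key ID and the endpoint hosts are assumptions made for illustration.

```python
import base64
import hashlib
from urllib.parse import urlsplit

# Constructed sample key for illustration only; a real key comes from a CSPRNG
# (e.g. os.urandom(32)) and is stored outside the bucket it protects.
SAMPLE_KEY = bytes(range(32))


def sse_c_headers(key: bytes) -> dict:
    """Headers S3 expects on every PUT, GET and HEAD of an SSE-C object."""
    if len(key) != 32:
        raise ValueError("SSE-C requires a 256-bit (32-byte) AES key")
    return {
        "x-amz-server-side-encryption-customer-algorithm": "AES256",
        "x-amz-server-side-encryption-customer-key":
            base64.b64encode(key).decode(),
        # MD5 here is a transport integrity check on the key, not a security control.
        "x-amz-server-side-encryption-customer-key-MD5":
            base64.b64encode(hashlib.md5(key).digest()).decode(),
    }


def sse_kms_headers(kms_key_id: str) -> dict:
    """Headers for SSE-KMS; only the key ID is sent, never key material."""
    return {
        "x-amz-server-side-encryption": "aws:kms",
        "x-amz-server-side-encryption-aws-kms-key-id": kms_key_id,
    }


def encryption_headers(operation, endpoint, sse_c_key=None, kms_key_id=None):
    """Extra headers for one request (hypothetical helper, not a Seafile API)."""
    if sse_c_key is not None:
        # The raw key travels in a header, so refuse plaintext HTTP endpoints.
        if urlsplit(endpoint).scheme != "https":
            raise ValueError("SSE-C must only be used over HTTPS")
        return sse_c_headers(sse_c_key)  # same headers for reads and writes
    if kms_key_id is not None and operation == "PUT":
        return sse_kms_headers(kms_key_id)  # reads need no encryption headers
    return {}


if __name__ == "__main__":
    for op in ("PUT", "GET"):
        print(op, "SSE-C  ", sorted(encryption_headers(op, "https://sos.example", sse_c_key=SAMPLE_KEY)))
        print(op, "SSE-KMS", sorted(encryption_headers(op, "https://s3.example", kms_key_id="placeholder-key-id")))
```

With one SSE-C key for all objects, the storage provider keeps no copy of it, so losing the key makes every object unreadable and anyone who obtains it can decrypt everything the bucket credentials can reach.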

@Jonathan thank you very much for your reply and the clarification about SSE-KMS.

As our cloud provider (Exoscale) only supports SSE-C, the same key for all objects is sufficient.
Link: Simple Object Storage encryption (exoscale.com)

Looking forward to seeing the implementation of SSE-C in Seafile.

@Jonathan any news regarding SSE-C implementation?