Fixed
Details
Source Issue Key: NXP-32760
Reporter: Exalate
Component: S3
Fix Versions: 2023.17, 2025.0
Release Notes Summary: AWS S3 Client-side encryption with KMS is now possible
Priority: Low
Created February 3, 2025 at 8:30 PM
Updated March 28, 2025 at 2:19 PM
Resolved February 3, 2025 at 8:30 PM
Today, we only support S3 client-side encryption using a local key store (See https://doc.nuxeo.com/nxdoc/amazon-s3-online-storage/#client-side-crypto-options)
We'd like to support the client-side encryption as described in https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/examples-crypto-kms.html
Note that there is already a nuxeo.s3storage.crypt.kms.key nuxeo.conf property to define the KMS key ID to be used by AWS to encrypt data server-side. We'll introduce a new nuxeo.conf property nuxeo.s3storage.crypt.kms.clientside.key that should be defined to enable this client-side encryption type.
Considerations
We assume nuxeo.s3storage.crypt.kms.key and nuxeo.s3storage.crypt.kms.clientside.key are different keys.
The region of the KMS key used for client-side encryption may differ from the region of the deployment environment or of the bucket.
The nuxeo.s3storage.crypt.keystore.file property enables client-side encryption using a private keystore. It takes precedence over nuxeo.s3storage.crypt.kms.clientside.key.
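The setup described in the issue text and the three considerations above, as an added example that is not Nuxeo's code: it selects the encryption materials (keystore first, then the KMS client-side key), refuses a client-side key equal to the server-side one, and routes KMS calls to the key's own region when its ARN says it lives somewhere other than the bucket, using the AWS SDK for Java v1 encryption client that the linked guide documents. The property names nuxeo.s3storage.crypt.keystore.password, nuxeo.s3storage.crypt.key.alias and nuxeo.s3storage.crypt.key.password, the sample ARNs, the bucket name and the choice of StrictAuthenticatedEncryption are assumptions; running main needs AWS credentials and a reachable bucket.

```java
import com.amazonaws.regions.Region;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.s3.AmazonS3EncryptionClientV2;
import com.amazonaws.services.s3.AmazonS3EncryptionV2;
import com.amazonaws.services.s3.model.CryptoConfigurationV2;
import com.amazonaws.services.s3.model.CryptoMode;
import com.amazonaws.services.s3.model.EncryptionMaterials;
import com.amazonaws.services.s3.model.EncryptionMaterialsProvider;
import com.amazonaws.services.s3.model.KMSEncryptionMaterialsProvider;
import com.amazonaws.services.s3.model.StaticEncryptionMaterialsProvider;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.util.Properties;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.SecretKey;

/** Added example (not Nuxeo's code): pick client-side encryption materials from nuxeo.conf properties. */
public class S3ClientSideCrypto {

    // Properties named on this page.
    static final String KMS_SERVERSIDE_KEY = "nuxeo.s3storage.crypt.kms.key";
    static final String KMS_CLIENTSIDE_KEY = "nuxeo.s3storage.crypt.kms.clientside.key";
    static final String KEYSTORE_FILE = "nuxeo.s3storage.crypt.keystore.file";
    // Assumed companion properties for the keystore variant (not named on this page).
    static final String KEYSTORE_PASSWORD = "nuxeo.s3storage.crypt.keystore.password";
    static final String KEY_ALIAS = "nuxeo.s3storage.crypt.key.alias";
    static final String KEY_PASSWORD = "nuxeo.s3storage.crypt.key.password";

    // A KMS key ARN carries its region: arn:aws:kms:<region>:<account>:key/<id> (or alias/<name>).
    private static final Pattern KMS_ARN =
            Pattern.compile("^arn:aws[^:]*:kms:([a-z0-9-]+):\\d{12}:(?:key|alias)/.+$");

    /** Region embedded in a KMS key ARN, or null for a bare key id or alias name. */
    static String kmsRegionFromArn(String kmsKeyId) {
        Matcher m = KMS_ARN.matcher(kmsKeyId);
        return m.matches() ? m.group(1) : null;
    }

    static boolean isSet(String v) {
        return v != null && !v.trim().isEmpty();
    }

    /** Keystore takes precedence over the KMS client-side key; null means no client-side encryption. */
    static EncryptionMaterialsProvider selectMaterials(Properties conf) throws Exception {
        if (isSet(conf.getProperty(KEYSTORE_FILE))) {
            return keystoreMaterials(conf);
        }
        String clientKey = conf.getProperty(KMS_CLIENTSIDE_KEY);
        if (!isSet(clientKey)) {
            return null;
        }
        // The issue assumes the server-side and client-side KMS keys are different keys; enforce it.
        if (clientKey.equals(conf.getProperty(KMS_SERVERSIDE_KEY))) {
            throw new IllegalStateException(KMS_CLIENTSIDE_KEY + " must differ from " + KMS_SERVERSIDE_KEY);
        }
        return new KMSEncryptionMaterialsProvider(clientKey);
    }

    /** Local keystore variant: a symmetric master key stored under the configured alias. */
    static EncryptionMaterialsProvider keystoreMaterials(Properties conf) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(conf.getProperty(KEYSTORE_FILE))) {
            ks.load(in, conf.getProperty(KEYSTORE_PASSWORD, "").toCharArray());
        }
        String alias = conf.getProperty(KEY_ALIAS);
        Key key = ks.getKey(alias, conf.getProperty(KEY_PASSWORD, "").toCharArray());
        if (!(key instanceof SecretKey)) {
            throw new IllegalStateException("no symmetric key under alias " + alias);
        }
        return new StaticEncryptionMaterialsProvider(new EncryptionMaterials((SecretKey) key));
    }

    /** Strict authenticated encryption; KMS calls go to the key's region when it differs from the bucket's. */
    static AmazonS3EncryptionV2 buildClient(Properties conf, String bucketRegion) throws Exception {
        EncryptionMaterialsProvider materials = selectMaterials(conf);
        if (materials == null) {
            throw new IllegalStateException("neither " + KEYSTORE_FILE + " nor " + KMS_CLIENTSIDE_KEY + " is set");
        }
        CryptoConfigurationV2 crypto = new CryptoConfigurationV2()
                .withCryptoMode(CryptoMode.StrictAuthenticatedEncryption); // reject unauthenticated objects on read
        if (materials instanceof KMSEncryptionMaterialsProvider) {
            String kmsRegion = kmsRegionFromArn(conf.getProperty(KMS_CLIENTSIDE_KEY));
            if (kmsRegion != null && !kmsRegion.equals(bucketRegion)) {
                crypto.withAwsKmsRegion(Region.getRegion(Regions.fromName(kmsRegion)));
            }
        }
        return AmazonS3EncryptionClientV2.encryptionBuilder()
                .withRegion(bucketRegion)
                .withCryptoConfiguration(crypto)
                .withEncryptionMaterialsProvider(materials)
                .build();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample configuration: client-side KMS key in eu-west-1, bucket in us-east-1.
        Properties conf = new Properties();
        conf.setProperty(KMS_SERVERSIDE_KEY, "arn:aws:kms:us-east-1:123456789012:key/11111111-1111-1111-1111-111111111111");
        conf.setProperty(KMS_CLIENTSIDE_KEY, "arn:aws:kms:eu-west-1:123456789012:key/22222222-2222-2222-2222-222222222222");
        AmazonS3EncryptionV2 s3 = buildClient(conf, "us-east-1");
        s3.putObject("my-bucket", "doc.txt", "hello"); // body is encrypted locally; the data key is wrapped by KMS
    }
}
```

The client-side KMS key is only ever used to wrap the per-object data key, so the server-side key named by nuxeo.s3storage.crypt.kms.key can stay scoped to S3's own encryption while the client-side key can live in another region or account; a bare key id without an ARN gives no region hint, so the client then falls back to the bucket region.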