hi Jayanth, i don't know that we have a supported way to do this. the s3-compatible method would be to copy the object onto itself without requesting server-side encryption. however, this wouldn't prevent default encryption if rgw_crypt_default_encryption_key was still enabled. furthermore, rgw has not implemented support for copying encrypted objects, so this would fail for other forms of server-side encryption too. this has been tracked in https://tracker.ceph.com/issues/23264
On Sat, Jun 17, 2023 at 12:13 PM Jayanth Reddy <[email protected]> wrote: > > Hello Users, > We've a big cluster (Quincy) with almost 1.7 billion RGW objects, and we've > enabled SSE on as per > https://docs.ceph.com/en/quincy/radosgw/encryption/#automatic-encryption-for-testing-only > (yes, we've chosen this insecure method to store the key) > We're now in the process of implementing RGW multisite, but stuck due to > https://tracker.ceph.com/issues/46062 and list at > https://lists.ceph.io/hyperkitty/list/[email protected]/thread/PQW66JJ5DCRTH5XFGTRESF3XXTOSIWFF/#43RHLUVFYNSDLZPXXPZSSXEDX34KWGJX > > Was wondering if there is a way to decrypt the objects in-place with the > applied symmetric key. I tried to remove > the rgw_crypt_default_encryption_key from the mon configuration database > (on a test cluster), but as expected, RGW daemons throw 500 server errors > as it can not work on encrypted objects. > > There is a PR being worked on about introducing the command option at > https://github.com/ceph/ceph/pull/51842 but it appears it takes some time > to be merged. > > Cheers, > Jayanth Reddy > _______________________________________________ > ceph-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > _______________________________________________ ceph-users mailing list -- [email protected] To unsubscribe send an email to [email protected]
