Re: [ceph-users] is rgw crypt default encryption key long term supported ?

2019-06-14 Thread Scheurer François
Dear Casey Thank you for the update and bug report. Best Regards Francois Scheurer From: Casey Bodley Sent: Tuesday, June 11, 2019 4:53 PM To: Scheurer François; ceph-users@lists.ceph.com Subject: Re: is rgw crypt default encryption key long term

Re: [ceph-users] is rgw crypt default encryption key long term supported ?

2019-06-11 Thread Casey Bodley
The server side encryption features all require special x-amz headers on write, so they only apply to our S3 apis. But objects encrypted with SSE-KMS (or a default encryption key) can be read without any x-amz headers, so swift should be able to decrypt them too. I agree that this is a bug and

Re: [ceph-users] is rgw crypt default encryption key long term supported ?

2019-06-07 Thread Scheurer François
Hello Casey We found something weird during our testing of the rgw_crypt_default_encryption_key="xxx" parameter. s3cmd behaves as expected: s3cmd is then always writing encrypted objects; s3cmd can read encrypted and unencrypted objects; but swift does not support encryption: swift can read

Re: [ceph-users] is rgw crypt default encryption key long term supported ?

2019-06-06 Thread Florian Engelmann
On 5/28/19 at 5:37 PM, Casey Bodley wrote: On 5/28/19 11:17 AM, Scheurer François wrote: Hi Casey I greatly appreciate your quick and helpful answer :-) It's unlikely that we'll do that, but if we do it would be announced with a long deprecation period and migration strategy. Fine, just

Re: [ceph-users] is rgw crypt default encryption key long term supported ?

2019-05-29 Thread Scheurer François
Hello Casey Thank you for your reply. To close this subject, one last question. Do you know if it is possible to rotate the key defined by "rgw_crypt_default_encryption_key=" ? Best Regards Francois Scheurer From: Casey Bodley Sent: Tuesday, May

Re: [ceph-users] is rgw crypt default encryption key long term supported ?

2019-05-28 Thread Casey Bodley
On 5/28/19 11:17 AM, Scheurer François wrote: Hi Casey I greatly appreciate your quick and helpful answer :-) It's unlikely that we'll do that, but if we do it would be announced with a long deprecation period and migration strategy. Fine, just the answer we wanted to hear ;-)

Re: [ceph-users] is rgw crypt default encryption key long term supported ?

2019-05-28 Thread Scheurer François
Hi Casey I greatly appreciate your quick and helpful answer :-) >It's unlikely that we'll do that, but if we do it would be announced with a >long deprecation period and migration strategy. Fine, just the answer we wanted to hear ;-) >However, I would still caution against using either as

Re: [ceph-users] is rgw crypt default encryption key long term supported ?

2019-05-28 Thread Casey Bodley
Hi François, Removing support for either of rgw_crypt_default_encryption_key or rgw_crypt_s3_kms_encryption_keys would mean that objects encrypted with those keys would no longer be accessible. It's unlikely that we'll do that, but if we do it would be announced with a long deprecation

[ceph-users] is rgw crypt default encryption key long term supported ?

2019-05-28 Thread Scheurer François
Dear Casey, Dear Ceph Users The following is written in the radosgw documentation (http://docs.ceph.com/docs/luminous/radosgw/encryption/): rgw crypt default encryption key = 4YSmvJtBv0aZ7geVgAsdpRnLBEwWSWlMIGnRS8a9TSA= Important: This mode is for diagnostic purposes only! The ceph