[ https://issues.apache.org/jira/browse/OAK-10093?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17732971#comment-17732971 ]
Marcel Reutegger edited comment on OAK-10093 at 6/15/23 10:02 AM: ------------------------------------------------------------------ AFAIU [direct binary access|https://jackrabbit.apache.org/oak/docs/features/direct-binary-access.html] feature won't work with customer provided keys. Pre-signed URIs can be created, but when you use such a signed URI you need to know the customer provided key. https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html#ssec-and-presignedurl The primary use for direct binary access is to return a pre-signed URI to the browser and let it download a binary directly from blob storage. This won't work with a customer provided key, because the browser doesn't know and must not have the key. I think this should be mentioned somewhere in the Oak documentation. Probably on https://jackrabbit.apache.org/oak/docs/features/direct-binary-access.html Maybe Oak should even refuse to hand out a pre-signed URI in this case. A client won't be able to do something useful with it anyway. was (Author: mreutegg): AFAIU [direct binary access|https://jackrabbit.apache.org/oak/docs/features/direct-binary-access.html] feature won't work with customer provided keys. Pre-signed URIs can be created, but when you use such a signed URI you need to know the customer provided key. https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html#ssec-and-presignedurl The primary use for direct binary access is to return a pre-signed URI to the browser and let it download a binary directly from blob storage. This won't work with a customer provided key, because the browser doesn't know and must not have the key. I think this should be mentioned somewhere in the Oak documentation. > Oak Blob Store support for SSE-C for AWS > ---------------------------------------- > > Key: OAK-10093 > URL: https://issues.apache.org/jira/browse/OAK-10093 > Project: Jackrabbit Oak > Issue Type: New Feature > Reporter: Rishabh Kumar > Assignee: Rishabh Daim > Priority: Major > > We need to provide the support for Customer Managed keys for Oak Blob Store > for AWS. -- This message was sent by Atlassian Jira (v8.20.10#820010)