hi David,
that method of encryption based on rgw_crypt_default_encryption_key
will never be officially supported. however, support for SSE-S3
encryption [1] is nearly complete in [2] (cc Marcus), and we hope to
include that in the quincy release - and if not, we'll backport it to
quincy in an earl

On Tue, Feb 8, 2022 at 11:11 AM Casey Bodley wrote:
>
> hi David,
>
> that method of encryption based on rgw_crypt_default_encryption_key
> will never be officially supported.

to expand on why: rgw_crypt_default_encryption_key requires the key
material to be stored insecurely in ceph's config, an

Totally understand, I'm not really a fan of service-managed encryption keys
as a general rule vs. client-managed. I just thought I'd probe about
capabilities considered stable before embarking on our own work. SSE-S3
would be a reasonable middle-ground. I appreciate the PR link, that's very
helpful

On Tue, Feb 8, 2022 at 11:55 AM Stefan Schueffler wrote:
>
> Hi Casey,
>
> great news to hear about "SSE-S3 almost implemented" :-)
>
> One question about that - will the implementation have one key per bucket, or
> one key per individual object?
>
> Amazon (as per the publicly available docs) is u