Closed jason-riddle closed 3 years ago
Everything stored in S3 is already encrypted, though. Why would you want to enable SSE?
I've bumped into this as well. We have an "artifacts"-type bucket with secrets as a path, and our company policy enforces server-side encryption on the bucket. We've found workarounds using pack/unpack and copying encrypted tar files around, but being able to use upload and download would be great.
@jason-riddle & @ameir We came across this at ZEFR as well since we preferred to let SSE-KMS manage encryption/decryption/rotation for storing secrets in S3. I hacked together a modified Sneaker to use SSE-KMS. We've only tested it out for upload/download.
https://github.com/ZEFR-INC/sneaker
@codahale I'm trying to decide how to move forward with this feature and whether or not to turn it into a pull request. A major concern is that I don't want to confuse users with two different options to store secrets.
Looking in upload.go, it doesn't look like there is a way to specify that server side encryption is required for uploading to an S3 bucket. https://github.com/jietang/sneaker/blob/3fcd6e491b55199d799712c6aafe1d4de007d539/upload.go#L26-L32
The param required would look something like this.
http://docs.aws.amazon.com/sdk-for-go/api/service/s3/#example_S3_PutObject
I'll eventually open up a pull request and reference back to this issue. I just want this here to provide some context.
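An added example, not part of the issue thread or of Sneaker's code: the SDK's `PutObjectInput` fields `ServerSideEncryption` and `SSEKMSKeyId` are sent as the two request headers below, and a bucket policy that requires SSE rejects any upload that lacks them. The helper names, bucket, object key, KMS alias and the simplified policy check are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// S3 REST header names that carry the SDK's ServerSideEncryption and
// SSEKMSKeyId parameters on a PutObject call.
const (
	hdrSSE   = "x-amz-server-side-encryption"
	hdrKeyID = "x-amz-server-side-encryption-aws-kms-key-id"
)

// newPutRequest (hypothetical helper) builds an unsigned PutObject request.
// sse is "", "AES256" or "aws:kms"; the key id is only sent with aws:kms.
func newPutRequest(bucket, key, body, sse, kmsKeyID string) (*http.Request, error) {
	url := fmt.Sprintf("https://%s.s3.amazonaws.com/%s", bucket, key)
	req, err := http.NewRequest(http.MethodPut, url, strings.NewReader(body))
	if err != nil {
		return nil, err
	}
	if sse != "" {
		req.Header.Set(hdrSSE, sse)
	}
	if sse == "aws:kms" && kmsKeyID != "" {
		req.Header.Set(hdrKeyID, kmsKeyID)
	}
	return req, nil
}

// policyAllows is a simplified model (assumption) of a bucket policy that
// denies s3:PutObject unless s3:x-amz-server-side-encryption == requiredSSE.
// A missing header is denied as well, as with a StringNotEquals deny.
func policyAllows(req *http.Request, requiredSSE string) bool {
	return req.Header.Get(hdrSSE) == requiredSSE
}

func main() {
	// Constructed sample values: bucket, object key and KMS alias are made up.
	for _, sse := range []string{"", "AES256", "aws:kms"} {
		req, err := newPutRequest("example-artifacts", "secrets/db.yml",
			"ciphertext", sse, "alias/example-key")
		if err != nil {
			panic(err)
		}
		fmt.Printf("sse=%q allowed=%v\n", sse, policyAllows(req, "aws:kms"))
	}
}
```

An upload path that never sets the SSE parameter corresponds to the first case, which is why it fails against a bucket with an enforcing policy.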