cryostatio / cryostat

Secure JDK Flight Recorder management for containerized JVMs
https://cryostat.io

[Request] Optional S3 encryption #683

Open andrewazores opened 1 month ago

andrewazores commented 1 month ago

Describe the feature

See also https://github.com/cryostatio/cryostat-storage/pull/29

See also https://github.com/cryostatio/cryostat-operator/issues/959

When potentially sensitive data is pushed out to object storage (S3), Cryostat should rewrite that data stream using a strong cryptographic encryption algorithm and a user-provided encryption key. Symmetrically, when reading data streams out from storage, the same algorithm should be used to decrypt the stream, using a user-provided encryption key. Cryostat should of course use the same configuration property for both of these keys. It is up to the user to ensure that they use a stable key over time, or else old data will no longer be decryptable using the new key. This way, even if the user is using an object storage which does not offer at-rest data encryption, their data can be encrypted.

Important implementation detail note: enabling this feature will break the ability for file uploads/downloads to be done directly between the client and the object storage via presigned URLs, since that would be a data transfer directly from the client to storage - this would bypass Cryostat as an intermediary, so the encryption stage would be skipped.

Any other information?

No response
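
The round trip the request describes, as an added example that is not part of the issue and not Cryostat's code: data is encrypted on the way out to storage, decrypted on the way back with the same key, and a changed key makes old objects unreadable. AES-256-GCM is an assumption (the issue names no algorithm), the class and method names are hypothetical, and an in-memory buffer stands in for the S3 bucket.

```java
import java.io.*;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;

// Assumption: AES-256-GCM with a per-object random IV stored as a prefix.
public class S3StreamCrypto {
    static final int IV_LEN = 12, TAG_BITS = 128;

    // Wrap the outbound stream: fresh random IV per object, written in the clear first.
    static OutputStream encrypting(OutputStream out, SecretKey key) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        out.write(iv);
        return new CipherOutputStream(out, c);
    }

    // Wrap the inbound stream: read the IV prefix, then decrypt and verify the tag.
    static InputStream decrypting(InputStream in, SecretKey key) throws Exception {
        byte[] iv = in.readNBytes(IV_LEN);
        if (iv.length != IV_LEN) throw new IOException("truncated object: missing IV");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        return new CipherInputStream(in, c);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey configured = kg.generateKey(); // stands in for the user-provided key
        SecretKey rotated = kg.generateKey();    // a different key after rotation

        byte[] recording = "constructed sample JFR bytes".getBytes("UTF-8");
        ByteArrayOutputStream bucket = new ByteArrayOutputStream(); // stands in for S3
        try (OutputStream os = encrypting(bucket, configured)) { os.write(recording); }
        byte[] stored = bucket.toByteArray();

        try (InputStream is = decrypting(new ByteArrayInputStream(stored), configured)) {
            System.out.println("same key ok: " + Arrays.equals(recording, is.readAllBytes()));
        }
        try (InputStream is = decrypting(new ByteArrayInputStream(stored), rotated)) {
            is.readAllBytes();
            System.out.println("unexpected: decrypted with wrong key");
        } catch (IOException e) { // tag check fails: old data is not readable with a new key
            System.out.println("rotated key rejected: " + e.getCause());
        }
    }
}
```

The JDK's GCM cipher releases plaintext only after the authentication tag verifies, so decrypting a large object this way buffers it in memory.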