linagora / james-project

Mirror of Apache James Project
Apache License 2.0

[S3 SSEC] S3 multitenancy: SSEC basic implementation #5278

Closed Arsnael closed 1 day ago

Arsnael commented 2 months ago

Allow using https://help.ovhcloud.com/csm/en-public-cloud-storage-s3-encrypt-objects-sse-c?id=kb_article_view&sysparm_article=KB0047314 (client-provided keys)

(Meaning we can either do AES james side OR do SSE-C OR do nothing)

Configuration blob.properties:

encryption.s3.sse.c.enable=true
encryption.s3.sse.c.master.key.algorithm=AES256
encryption.s3.sse.c.master.key.salt=XXXXXXXXXX
encryption.s3.sse.c.master.key.password=XXXXXXXXXX

Within the blob-s3 maven project, reuse the blob-aes dependency and use PBKDF2StreamingAeadFactory to derive the new key.

Integration with the S3 driver is straightforward:

[Image: Screenshot from 2024-08-30 11-19-42]

{
    "Version": "2012-10-17",
    "Id": "PutObjectPolicy",
    "Statement": [
        {
            "Sid": "RestrictSSECObjectUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*",
            "Condition": {
                "Null": {
                    "s3:x-amz-server-side-encryption-customer-algorithm": "false"
                }
            }
        }
    ]
}   

DoD:

Arsnael commented 2 months ago

Question: I think the salt here is simply the domain right? (for having something multitenancy like) Likely we don't need encryption.s3.sse.c.master.key.salt param then?

quantranhong1999 commented 2 months ago

> Question: I think the salt here is simply the domain right? (for having something multitenancy like) Likely we don't need encryption.s3.sse.c.master.key.salt param then?

From what I understand, the salt configuration is related to key derivation, and likely can be added in the other derivation tickets. Let's start simple without salt (use the same encryption key) first?

chibenwa commented 2 months ago

Basic implem generates a key at startup and uses the same one everywhere.

As today AESBlobStoreDAO

Let's do better in a later ticket...

hungphan227 commented 1 month ago

Still don't understand what "encryption.s3.sse.c.master.key.password" is for

chibenwa commented 1 month ago

Derivation algorithm takes a secret and a hash. That secret is currently called password.

vttranlina commented 1 month ago

My code lab, for anyone quickly interested: https://github.com/vttranlina/james-project/tree/sseC_keyDerivation

chibenwa commented 1 month ago

Nice thanks!
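
An added example, not code from the James project or from any participant in this thread: how a password and salt such as those in the blob.properties keys above can be turned into a 256-bit key and the three SSE-C request headers, using only the JDK. The PBKDF2 variant, the iteration count, the class and method names and the sample values are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class SsecKeyDerivationExample {
    // Assumptions, not taken from the issue: PBKDF2 with HMAC-SHA512 and 65536 iterations.
    static final String KDF = "PBKDF2WithHmacSHA512";
    static final int ITERATIONS = 65536;
    static final int KEY_BITS = 256; // SSE-C with AES256 requires a 256-bit key

    // Same password and salt always give the same key, so a restart can still read old objects.
    static byte[] deriveKey(char[] password, String salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt.getBytes(StandardCharsets.UTF_8), ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance(KDF).generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // do not keep the password in memory longer than needed
        }
    }

    // The three headers S3 expects on every PUT, GET and HEAD of an SSE-C object.
    static Map<String, String> ssecHeaders(byte[] key) throws Exception {
        if (key.length != KEY_BITS / 8) {
            throw new IllegalArgumentException("SSE-C AES256 needs a 32-byte key, got " + key.length);
        }
        Base64.Encoder b64 = Base64.getEncoder();
        Map<String, String> headers = new LinkedHashMap<>();
        headers.put("x-amz-server-side-encryption-customer-algorithm", "AES256");
        headers.put("x-amz-server-side-encryption-customer-key", b64.encodeToString(key));
        // MD5 here is only a transport integrity check of the key, not a security control.
        headers.put("x-amz-server-side-encryption-customer-key-MD5",
            b64.encodeToString(MessageDigest.getInstance("MD5").digest(key)));
        return headers;
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample values standing in for the XXXXXXXXXX placeholders in blob.properties.
        byte[] key = deriveKey("constructed-sample-password".toCharArray(), "constructed-sample-salt");
        byte[] again = deriveKey("constructed-sample-password".toCharArray(), "constructed-sample-salt");
        if (!MessageDigest.isEqual(key, again)) {
            throw new IllegalStateException("derivation must be deterministic");
        }
        // Print header names only; the key value itself must never be logged.
        ssecHeaders(key).keySet().forEach(System.out::println);
    }
}
```

With SSE-C the storage service does not keep the key, so changing the password or salt after objects have been written makes those objects unreadable until the original values are restored.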