linagora / james-project

Mirror of Apache James Project
Apache License 2.0

[S3 SSEC] S3 multitenancy: SSEC basic implementation #5278

Open Arsnael opened 5 days ago

Arsnael commented 5 days ago

Allow use of https://help.ovhcloud.com/csm/en-public-cloud-storage-s3-encrypt-objects-sse-c?id=kb_article_view&sysparm_article=KB0047314 (client-provided keys)

(Meaning we can either do AES james side OR do SSE-C OR do nothing)

Configuration blob.properties:

encryption.s3.sse.c.enable=true
encryption.s3.sse.c.master.key.algorithm=AES256
encryption.s3.sse.c.master.key.salt=XXXXXXXXXX
encryption.s3.sse.c.master.key.password=XXXXXXXXXX

Within the blob-s3 Maven project, reuse the blob-aes dependency and use PBKDF2StreamingAeadFactory to derive the new key.

Integration with the S3 driver is straightforward:

Screenshot from 2024-08-30 11-19-42

{
    "Version": "2012-10-17",
    "Id": "PutObjectPolicy",
    "Statement": [
        {
            "Sid": "RestrictSSECObjectUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*",
            "Condition": {
                "Null": {
                    "s3:x-amz-server-side-encryption-customer-algorithm": "false"
                }
            }
        }
    ]
}   

DoD:

Arsnael commented 5 days ago

Question: I think the salt here is simply the domain, right? (for having something multitenancy-like) Likely we don't need the encryption.s3.sse.c.master.key.salt param then?

quantranhong1999 commented 4 days ago

> Question: I think the salt here is simply the domain, right? (for having something multitenancy-like) Likely we don't need the encryption.s3.sse.c.master.key.salt param then?

From what I understand, the salt configuration is related to key derivation, and likely can be added in the other derivation tickets. Let's start simple without salt (use the same encryption key) first?

chibenwa commented 5 hours ago

Basic implem generates a key at startup and uses the same one everywhere.

As today AESBlobStoreDAO

Let's do better in a later ticket...