nats-io / nats-server

High-Performance server for NATS.io, the cloud and edge native messaging system.
https://nats.io
Apache License 2.0

Provide equivalent to S3 SSE-C for JetStream Object Store #4622

Open udf2457 opened 1 year ago

udf2457 commented 1 year ago

What motivated this proposal?

At present, JS only supports encryption at rest on a global level, e.g.

jetstream : {
  cipher: chachapoly
  key : "6dYfBV0zzEkR3vxZCNjxmnVh/aIqgid1"
}

It would be useful if NATS provided an equivalent to S3 SSE-C whereby you can have object-level encryption based on a provided key (https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html)

What is the proposed change?

Add object-level encryption support for JS Object Store

Who benefits from this change?

No response

What alternatives have you evaluated?

DIY encryption prior to NATS calls. Which is clearly fine, but messy to implement and maintain.

Also, when attempting to submit a PR to third-party projects, I have been rejected by maintainers because they consider a thin wrapper prior to NATS to be "DIY crypto", even if it is nothing but a wrapper around stdlib. So if NATS had built-in first-class support for SSE-C, this would clearly silence third-party maintainer objections.

hwinkel commented 11 months ago

BTW: does the NATS Object Store have an S3-compatible API?

derekcollison commented 11 months ago

We are considering but have not made any firm decisions.

hwinkel commented 11 months ago

We are considering but have not made any firm decisions.

Good to hear. Especially if 3rd-party apps not adapted to the NATS APIs need to access object data, the S3 API might be the way to go.