Closed lason-ovh closed 7 months ago
Having this feature will be useful :-).
FYI: When a user configures a Terraform backend to store a TF state into an OVHcloud High Storage S3 and adds `encrypt=true`, for the user the Terraform state is encrypted. But it seems that it's not the case.
Is it possible, in a first step, to display to the user a warning message?
And do you know the ETA for this feature?
Example of a `backend.tf` file to test:

```hcl
terraform {
  backend "s3" {
    bucket                      = "terraform-state-hp"
    key                         = "terraform.tfstate"
    region                      = "gra" # or sbg or any activated high performance storage region
    endpoint                    = "s3.gra.perf.cloud.ovh.net"
    skip_credentials_validation = true
    skip_region_validation      = true
    encrypt                     = true
  }
}
```
Thanks
@scraly When we execute `terraform apply` there is a message about the missing feature.

```
Error saving state: failed to upload state: NotImplemented: Server-side encryption is not supported.
status code: 501, request id: txa29c0fa8121f41f8af53a-00649c5109, host id: txa29c0fa8121f41f8af53a-00649c5109
```
I didn't test with performance endpoint, just the regular one `s3.gra.cloud.ovh.net`.
This feature will be great to have a Terraform state encrypted and saved in a French block storage service, and to avoid managing an encryption key yourself with the backend option `sse_customer_key`.
The "regular endpoint" you mention (s3.gra.cloud.ovh.net) is an endpoint from our legacy offer (swift/openstack).
To get new features such as Encryption at rest, S3 lock etc. you have to use the Object Storage Standard - S3 API new offer, the endpoint is: https://s3.
@scraly the optimistic ETA for a v1 would be end of october, the pessimistic ETA would be end of current civil year
Hi @lason-ovh, any ETA update here? Thanks
Hi, first of all, thank you for enquiring, as we value your feedback and engagement. Unfortunately, we had to put this feature on standby. However, we are confident of releasing SSE-S3 in Q1 2024. Please stay tuned for any announcements.
Why?
Hi @lason-ovh 👋 Are you still confident about releasing in Q1-2024? We have deals waiting on that, so 🤞
Me too.
Hi, we are still confident about the ETA so stay tuned ;)
Hi, we are waiting for this feature as well. Q1 is over, any update on the deadline ? Thanks
Same here 👀
I'm not waiting for the holidays or any good news apart from the resolution of this ticket!
Any news?
Hi @lcgiry, @loliee, @biapar, yes we're in the final stretch now, just a few days away from releasing it. Thank you for your patience all!
Hi all, great news! :partying_face: :partying_face: SSE-S3 is now in General Availability. Check the user guide to learn how to activate the feature.
Does anyone else get `api error NotImplemented: Multiple configuration rules are not supported` when trying to enable bucket SSE-S3 over terraform?
It seems that the aws s3 terraform provider is using the API differently than the `aws s3api put-bucket-encryption` command in the documentation.
Hi @Preisschild, this has been identified and we are going to fix it quickly!
Hi @agoude do you have any updates on the resolution of the problem ?
We are still working on it and we will deploy it as soon as possible. I'll come back to you with a proper ETA, thank you again!
Hi, the fix should be deployed in W24
In order to protect your sensitive data, objects should be encrypted at rest. Up until now, we provided SSE-C, i.e. data is encrypted by the server using an encryption key that the customer provides. However, to be truly secure, this also requires the customer to store the keys securely and rotate them regularly. This leads to extra work that has to be managed by the customer.
By leveraging our expertise in security, the customer can shift the burden of managing encryption keys to OVH by using what this feature is all about: SSE-S3.
During your API calls, when you upload an object or perform a multi part upload, just set the value of the "x-amz-server-side-encryption" header to "AES256".
OVH will take care of :
From a user perspective everything is done in the background and in a transparent way.
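Because a client-side `encrypt = true` says nothing about what the server actually did, the encryption state is best confirmed from the response headers. The following is an added example, not code from this issue or from OVHcloud: it classifies PutObject/HeadObject responses by the `x-amz-server-side-encryption` header named above. The function names, object keys and sample responses are constructed for illustration, and the SSE-C header is the standard S3 response header, assumed here rather than taken from the page.

```python
import xml.etree.ElementTree as ET

SSE_HEADER = "x-amz-server-side-encryption"  # header named in the issue
# Standard S3 response header for SSE-C (assumption: not quoted on this page).
SSE_C_HEADER = "x-amz-server-side-encryption-customer-algorithm"


def s3_error_code(body):
    """Return the <Code> of an S3 XML error body, or None if it is not one."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    return root.findtext("Code") if root.tag == "Error" else None


def classify(status, headers, body=""):
    """Map one PutObject/HeadObject response to an encryption-at-rest verdict."""
    h = {k.lower(): v for k, v in headers.items()}  # HTTP header names are case-insensitive
    if status >= 300:
        return "rejected:" + (s3_error_code(body) or "HTTP%d" % status)
    if SSE_C_HEADER in h:
        return "SSE-C"
    if h.get(SSE_HEADER) == "AES256":
        return "SSE-S3"
    if SSE_HEADER in h:
        return "other:" + h[SSE_HEADER]
    return "unencrypted"  # 2xx without any SSE header: stored in the clear


def unprotected(responses):
    """Keys whose response does not prove SSE-S3 or SSE-C."""
    return sorted(key for key, resp in responses.items()
                  if classify(*resp) not in ("SSE-S3", "SSE-C"))


# Constructed sample responses: key -> (status, headers, body).
SAMPLE = {
    "terraform.tfstate": (200, {"X-Amz-Server-Side-Encryption": "AES256"}, ""),
    "plain.tfstate": (200, {"ETag": '"constructed"'}, ""),
    "ssec.tfstate": (200, {SSE_C_HEADER: "AES256"}, ""),
    "rejected.tfstate": (501, {}, "<Error><Code>NotImplemented</Code>"
                         "<Message>Server-side encryption is not supported."
                         "</Message></Error>"),
}

if __name__ == "__main__":
    for key, resp in SAMPLE.items():
        print(key, "->", classify(*resp))
    print("needs attention:", unprotected(SAMPLE))
```

A 2xx response with no SSE header is the case to alert on, since the upload succeeded while the object was stored unencrypted.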