owncloud / ocis

:atom_symbol: ownCloud Infinite Scale Stack
https://doc.owncloud.com/ocis/next/
Apache License 2.0

Encryption with S3 Driver #6273

Open JustKiddingCode opened 1 year ago

JustKiddingCode commented 1 year ago

Is your feature request related to a problem? Please describe.

I'd like to outsource the user data using an S3 Endpoint. I don't want to trust the storage provider.

Describe the solution you'd like

The S3 driver allows to specify an encryption key with which the data is encrypted before sending it to the data provider.

Describe alternatives you've considered

File-based encryption keys, Encryption at higher level.

Additional context

I don't think it is sensible to add encryption into the ocis driver, because the encryption key has to be on the same machine.

hodyroff commented 1 year ago

Our current plan is use the S3 storage encryption itself and not provide an additional encryption from the application. Most S3 storages allow encryption with external keys, etc. Does this help? If so, we would close here.

JustKiddingCode commented 1 year ago

If my understanding of the S3 encryption is correct: In this case I'd still have to trust the storage provider to not save the key and decrypt my files. We have some files where data protection wants to limit every access possibility.

JustKiddingCode commented 1 year ago

I took a look at the software stack: Minio has an example for client side encryption, https://github.com/minio/minio-go/blob/master/examples/s3/putobject-client-encryption.go

So the main changes would be to implement a wrapper for blobstore that encrypts & decrypts the data, right?
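A sketch of the blobstore wrapper proposed above, as an added example in Go that is not part of ocis or of this thread. It assumes a hypothetical `Blobstore` interface with `Upload`/`Download`, an in-memory map standing in for the S3 backend, and a caller-supplied 32-byte key; where that key lives and how it is recovered (the hard part raised later in the thread) is out of scope.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

type Blobstore interface { // hypothetical stand-in for the store interface such a wrapper would front
	Upload(key string, data []byte) error
	Download(key string) ([]byte, error)
}

// memStore plays the untrusted S3 backend: it only ever sees ciphertext.
type memStore map[string][]byte

func (m memStore) Upload(key string, data []byte) error   { m[key] = data; return nil }
func (m memStore) Download(key string) ([]byte, error) { return m[key], nil }

// EncryptingStore wraps a Blobstore with AES-256-GCM. The random nonce is prepended to the ciphertext
// and the object key is bound as associated data, so a blob the provider swaps between two keys fails to decrypt.
type EncryptingStore struct {
	inner Blobstore
	aead  cipher.AEAD
}

func NewEncryptingStore(inner Blobstore, key []byte) (*EncryptingStore, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return &EncryptingStore{inner: inner, aead: aead}, nil
}

func (e *EncryptingStore) Upload(key string, plaintext []byte) error {
	nonce := make([]byte, e.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	return e.inner.Upload(key, e.aead.Seal(nonce, nonce, plaintext, []byte(key)))
}

func (e *EncryptingStore) Download(key string) ([]byte, error) {
	ct, err := e.inner.Download(key)
	ns := e.aead.NonceSize()
	if err != nil || len(ct) < ns {
		return nil, errors.New("blob missing or truncated")
	}
	return e.aead.Open(nil, ct[:ns], ct[ns:], []byte(key))
}
```

Because GCM authenticates the data, a provider that tampers with or reorders blobs produces a decryption error rather than silently corrupted files.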

micbar commented 5 months ago

I need more information @JustKiddingCode on what you want to achieve.

Like already written, simple encryption via S3 is possible.

More advanced concepts like SSE-C https://min.io/docs/minio/linux/administration/server-side-encryption/server-side-encryption-sse-c.html would mean that we need to shoulder the burden of key management and recovery features if user-provided keys were lost.

JustKiddingCode commented 5 months ago

My scenario:

wkloucek commented 4 months ago

and even a rogue storage provider must not be able to decrypt the files.

This is a very strict requirement and basically rules out SSE-C.

From https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html about SSE-C: With the encryption key that you provide as part of your request, Amazon S3 manages data encryption as it writes to disks and data decryption when you access your objects.

It basically leaves only client-side encryption: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingClientSideEncryption.html "Amazon S3 does not play a role in encrypting or decrypting your objects."