critical error when enabling encryption on s3 storage backend

[oupala]

I have a critical error when uploading a simple image file :

[09/14/2022 10:21:40][CRITICAL][[10.129.2.1][uMAlAUTgO2ZPUnhr][IMG_20220907_085611.jpg]] unable to save file : A header you provided implies functionality that is not implemented. -- -- 500

The only thing that I have added to the configuration of plik is the S3 encryption settings:

SSE-C: server-side-encryption with customer provided keys ( managed by Plik )

[DataBackendConfig]
    SSE = "SSE-C"

I don't think I have a specific header provided...

What are the "customer provided key" that the documentation is talking about?

[camathieu]

Hello,

What kind of S3 backend are you trying to use ?

Best, CAM.

On Wed, Sep 14, 2022 at 12:37 PM oupala @.***> wrote:

I have a critical error when uploading a simple image file :

[09/14/2022 10:21:40][CRITICAL][[10.129.2.1][uMAlAUTgO2ZPUnhr][IMG_20220907_085611.jpg]] unable to save file : A header you provided implies functionality that is not implemented. -- -- 500

The only thing that I have added to the configuration of plik is the encryption settings:

SSE-C: server-side-encryption with customer provided keys ( managed by Plik )

[DataBackendConfig] SSE = "SSE-C"

I don't think I have a specific header provided...

What are the "customer provided key" that the documentation is talking about?

— Reply to this email directly, view it on GitHub https://github.com/root-gg/plik/issues/455, or unsubscribe https://github.com/notifications/unsubscribe-auth/ABQ5XPU5SO2JKUCWMZ3EZW3V6GTFLANCNFSM6AAAAAAQMI3WLE . You are receiving this because you are subscribed to this thread.Message ID: @.***>

[oupala]

I'm using an internal hosted S3 storage solution based on scality.

Please note that storing data into an S3 storage based on scality does work like a charm when no encryption is set.

[oupala]

I don't understand why the encryption would fail. As the encryption is "managed by plik", it should work natively on the same S3 hosting solution whenever the encryption is enabled or not! Am I right?

[camathieu]

Hi, what error are you facing ?

On Tue, Jan 10, 2023, 09:26 oupala @.***> wrote:

I don't understand why the encryption would fail. As the encryption is "managed by plik", it should work natively on the same S3 hosting solution whenever the encryption is enabled or not! Am I right?

— Reply to this email directly, view it on GitHub https://github.com/root-gg/plik/issues/455#issuecomment-1376893959, or unsubscribe https://github.com/notifications/unsubscribe-auth/ABQ5XPTO7T3YBRZPYQSNWQDWRUMLNANCNFSM6AAAAAAQMI3WLE . You are receiving this because you commented.Message ID: @.***>

[oupala]

The error is mentioned in the first post of the thread.

[camathieu]

Sorry I replied from my phone which didn't have the thread history.

[camathieu]

I think this has to do with your backend not implementing the feature. With SSE-C the encryption is managed by the S3 backend with only the encryption keys being managed by Plik. The documentation string could be improved in this regard.

More details here : https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html

[oupala]

You're right, the backend does not support standard encryption. scality only offera custom encryption feature.

I think that the documentation string could be improved as I was understanding the encryption was managed by Plik (and there was therefore no impact or requirement on the S3 service). In fact, the encryption is always managed by the S3 service, the difference between SSE-C en standard S3 is only the question of who is managing the encryption keys.

My point of view is that the architecture of plik is:

web interface <-> plik api server <-> s3 storage server

In the plikd.cfg documentation, the term "server-side-encryption" could understood as "plik api server side encryption" or as "s3 storage server side encryption". This ambiguity should be removed.