Uploaded image for project: 'Nuxeo Platform'
  1. Nuxeo Platform
  2. NXP-32760

Add Amazon S3 client-side encryption with AWS KMS managed keys

    XMLWordPrintable

    Details

    • Type: New Feature
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2025.x, 2023.17
    • Component/s: S3
    • Release Notes Summary:
      AWS S3 Client-side encryption with KMS is now possible
    • Release Notes Description:
      Hide

      AWS KMS client-side encryption can be enabled by defining a KMS key ID with the following property:

      nuxeo.s3storage.crypt.kms.clientside.key=your-kms-key-id

      Optionally, specify the region of the KMS key if it is differs from the environment or bucket one:

      nuxeo.s3storage.crypt.kms.clientside.region=your-kms-key-region
      Show
      AWS KMS client-side encryption can be enabled by defining a KMS key ID with the following property: nuxeo.s3storage.crypt.kms.clientside.key=your-kms-key-id Optionally, specify the region of the KMS key if it is differs from the environment or bucket one: nuxeo.s3storage.crypt.kms.clientside.region=your-kms-key-region
    • Tags:
    • Team:
      PLATFORM
    • Sprint:
      nxplatform #119
    • Story Points:
      5

      Description

      Today, we only support S3 client-side encryption using a local key store (See https://doc.nuxeo.com/nxdoc/amazon-s3-online-storage/#client-side-crypto-options)

      We'd like to support the client-side encryption as described in https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/examples-crypto-kms.html

      Note that there is already a nuxeo.s3storage.crypt.kms.key nuxeo.conf property to define the KMS key ID to be used by AWS to encrypt data server-side. We'll introduce a new nuxeo.conf property nuxeo.s3storage.crypt.kms.clientside.key that should be defined to enable this client-side encryption type.

      Considerations

      • We assume nuxeo.s3storage.crypt.kms.key and nuxeo.s3storage.crypt.kms.clientside.key are different keys.
      • The KMS key id (for client-side encryption) region could differ from the deployment environment or bucket one.
      • The nuxeo.s3storage.crypt.keystore.file property enables client-side encryption using a private keystore. It takes precedences on nuxeo.s3storage.crypt.kms.clientside.key.

        Attachments

          Issue Links

          depends on

          Task - A task that needs to be done. NXBT-3814 Add KMS Key Id secrets in our CI

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved
          is related to

          Improvement - An improvement or enhancement to an existing feature or task. NXP-32842 Allow to use S3 StrictAuthenticatedEncryption with a local keystore

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved
          is required by

          Task - A task that needs to be done. NXDOC-2704 Document AWS S3 KMS Client-Side Encryption Configuration

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: