Uploaded image for project: 'Nuxeo Platform'
  1. Nuxeo Platform
  2. NXP-32842

Allow to use S3 StrictAuthenticatedEncryption with a local keystore

    XMLWordPrintable

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2025.x, 2023.18
    • Component/s: S3
    • Release Notes Summary:
       A nuxeo.s3storage.crypt.keystore.legacymode configuration property default to true for lts-2023, and false for lts-2025 is available to decrypt objects encrypted client-side with a local keystore in v1 AWS encryption API.
    • Tags:
    • Upgrade notes:
      Hide

      You must set the nuxeo.s3storage.crypt.keystore.legacymode configuration property to true when upgrading from lts-2023 to lts-2025 if you have objects encrypted client-side with a local keystore in v1 AWS encryption API.

      If you want to start a fresh production environment in lts-2023 with a higher level of security, you should set the nuxeo.s3storage.crypt.keystore.legacymode configuration property to false.

      Show
      You must set the nuxeo.s3storage.crypt.keystore.legacymode configuration property to true when upgrading from lts-2023 to lts-2025 if you have objects encrypted client-side with a local keystore in v1 AWS encryption API. If you want to start a fresh production environment in lts-2023 with a higher level of security, you should set the nuxeo.s3storage.crypt.keystore.legacymode configuration property to false .
    • Team:
      PLATFORM
    • Sprint:
      nxplatform #120
    • Story Points:
      2

      Description

      With NXP-32760, we upgraded the AWS SDK encryption APIs from v1 to v2 and we had to set CryptoMode.AuthenticatedEncryption when using client-side encryption with a local keystore to decrypt objects encrypted in v1.

      This produces WARNS like:

      [AmazonS3EncryptionClientV2] The S3 Encryption Client is configured to read encrypted data with legacy encryption modes through the CryptoMode setting. If you don't have objects encrypted with these legacy modes, you should disable support for them to enhance security. See https://docs.aws.amazon.com/general/latest/gr/aws_sdk_cryptography.html

      However, if one wants to start a fresh production environment with a higher level of security, we should allow the use of the default CryptoMode.StrictAuthenticatedEncryption

      A nuxeo.s3storage.crypt.keystore.legacymode configuration property default to true for lts-2023, and false for lts-2025 can be offered.

      Need for 2025 upgrade notes

        Attachments

          Issue Links

          is related to

          New Feature - A new feature of the product, which has yet to be developed. NXP-32760 Add Amazon S3 client-side encryption with AWS KMS managed keys

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: