kms: add MINIO_KMS_REPLICATE_KEYID option (#20909)

This commit adds the `MINIO_KMS_REPLICATE_KEYID` env. variable. By default - if not specified or not set to `off` - MinIO will replicate the KMS key ID of an object. If `MINIO_KMS_REPLICATE_KEYID=off`, MinIO does not include the object's KMS Key ID when replicating an object. However, it always sets the SSE-KMS encryption header. This ensures that the object gets encrypted using SSE-KMS. The target site chooses the KMS key ID that gets used based on the site and bucket config. Signed-off-by: Andreas Auernhammer <github@aead.dev>
2025-11-07 12:52:58 -05:00 · 2025-02-08 00:21:09 +01:00
parent b8dde47d4e
commit 703f51164d
3 changed files with 37 additions and 1 deletions
--- a/cmd/bucket-replication.go
+++ b/cmd/bucket-replication.go
@@ -49,6 +49,7 @@ import (
 	"github.com/minio/minio/internal/hash"
 	xhttp "github.com/minio/minio/internal/http"
 	xioutil "github.com/minio/minio/internal/ioutil"
+	"github.com/minio/minio/internal/kms"
 	"github.com/minio/minio/internal/logger"
 	"github.com/minio/minio/internal/once"
 	"github.com/tinylib/msgp/msgp"
@@ -894,7 +895,17 @@ func putReplicationOpts(ctx context.Context, sc string, objInfo ObjectInfo) (put
 	}

 	if crypto.S3KMS.IsEncrypted(objInfo.UserDefined) {
-		sseEnc, err := encrypt.NewSSEKMS(objInfo.KMSKeyID(), nil)
+		// If KMS key ID replication is enabled (as by default)
+		// we include the object's KMS key ID. In any case, we
+		// always set the SSE-KMS header. If no KMS key ID is
+		// specified, MinIO is supposed to use whatever default
+		// config applies on the site or bucket.
+		var keyID string
+		if kms.ReplicateKeyID() {
+			keyID = objInfo.KMSKeyID()
+		}
+
+		sseEnc, err := encrypt.NewSSEKMS(keyID, nil)
 		if err != nil {
 			return putOpts, false, err
 		}