kms: add MINIO_KMS_REPLICATE_KEYID option (#20909)

This commit adds the `MINIO_KMS_REPLICATE_KEYID` env. variable.
By default - if not specified or not set to `off` - MinIO will
replicate the KMS key ID of an object.

If `MINIO_KMS_REPLICATE_KEYID=off`, MinIO does not include the
object's KMS Key ID when replicating an object. However, it always
sets the SSE-KMS encryption header. This ensures that the object
gets encrypted using SSE-KMS. The target site chooses the KMS key
ID that gets used based on the site and bucket config.

Signed-off-by: Andreas Auernhammer <github@aead.dev>

cmd/bucket-replication.go

@@ -49,6 +49,7 @@ import (
 	"github.com/minio/minio/internal/hash"
 	xhttp "github.com/minio/minio/internal/http"
 	xioutil "github.com/minio/minio/internal/ioutil"
+	"github.com/minio/minio/internal/kms"
 	"github.com/minio/minio/internal/logger"
 	"github.com/minio/minio/internal/once"
 	"github.com/tinylib/msgp/msgp"
@@ -894,7 +895,17 @@ func putReplicationOpts(ctx context.Context, sc string, objInfo ObjectInfo) (put
 	}
 
 	if crypto.S3KMS.IsEncrypted(objInfo.UserDefined) {
-		sseEnc, err := encrypt.NewSSEKMS(objInfo.KMSKeyID(), nil)
+		// If KMS key ID replication is enabled (as by default)
+		// we include the object's KMS key ID. In any case, we
+		// always set the SSE-KMS header. If no KMS key ID is
+		// specified, MinIO is supposed to use whatever default
+		// config applies on the site or bucket.
+		var keyID string
+		if kms.ReplicateKeyID() {
+			keyID = objInfo.KMSKeyID()
+		}
+
+		sseEnc, err := encrypt.NewSSEKMS(keyID, nil)
 		if err != nil {
 			return putOpts, false, err
 		}

go.mod

@@ -2,6 +2,8 @@ module github.com/minio/minio
 
 go 1.23
 
+toolchain go1.23.6
+
 require (
 	cloud.google.com/go/storage v1.46.0
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.16.0

internal/kms/config.go

@@ -28,6 +28,7 @@ import (
 	"os"
 	"path/filepath"
 	"strings"
+	"sync"
 	"sync/atomic"
 	"syscall"
 	"time"
@@ -64,10 +65,32 @@ const (
 	EnvKMSSecretKeyFile = "MINIO_KMS_SECRET_KEY_FILE" // Path to a file to read the static KMS key from
 )
 
+// EnvKMSReplicateKeyID is an env. variable that controls whether MinIO
+// replicates the KMS key ID. By default, KMS key ID replication is enabled
+// but can be turned off.
+const EnvKMSReplicateKeyID = "MINIO_KMS_REPLICATE_KEYID"
+
 const (
 	tlsClientSessionCacheSize = 100
 )
 
+var replicateKeyID = sync.OnceValue(func() bool {
+	if v, ok := os.LookupEnv(EnvKMSReplicateKeyID); ok && strings.ToLower(v) == "off" {
+		return false
+	}
+	return true // by default, replicating KMS key IDs is enabled
+})
+
+// ReplicateKeyID reports whether KMS key IDs should be included when
+// replicating objects. It's enabled by default. To disable it, set:
+//
+//	MINIO_KMS_REPLICATE_KEYID=off
+//
+// Some deployments use different KMS clusters with destinct keys on
+// each site. Trying to replicate the KMS key ID can cause requests
+// to fail in such setups.
+func ReplicateKeyID() bool { return replicateKeyID() }
+
 // ConnectionOptions is a structure containing options for connecting
 // to a KMS.
 type ConnectionOptions struct {