kms: add MINIO_KMS_REPLICATE_KEYID option (#20909)

This commit adds the `MINIO_KMS_REPLICATE_KEYID` env. variable. By default - if not specified or not set to `off` - MinIO will replicate the KMS key ID of an object. If `MINIO_KMS_REPLICATE_KEYID=off`, MinIO does not include the object's KMS Key ID when replicating an object. However, it always sets the SSE-KMS encryption header. This ensures that the object gets encrypted using SSE-KMS. The target site chooses the KMS key ID that gets used based on the site and bucket config. Signed-off-by: Andreas Auernhammer <github@aead.dev>
2025-02-11 05:38:07 -05:00 · 2025-02-08 00:21:09 +01:00 · 2025-02-08 00:21:09 +01:00 · 703f51164d
commit 703f51164d
parent b8dde47d4e
3 changed files with 37 additions and 1 deletions
--- a/cmd/bucket-replication.go
+++ b/cmd/bucket-replication.go
@ -49,6 +49,7 @@ import (
 	"github.com/minio/minio/internal/hash"
 	xhttp "github.com/minio/minio/internal/http"
 	xioutil "github.com/minio/minio/internal/ioutil"
+	"github.com/minio/minio/internal/kms"
 	"github.com/minio/minio/internal/logger"
 	"github.com/minio/minio/internal/once"
 	"github.com/tinylib/msgp/msgp"
@ -894,7 +895,17 @@ func putReplicationOpts(ctx context.Context, sc string, objInfo ObjectInfo) (put
 	}

 	if crypto.S3KMS.IsEncrypted(objInfo.UserDefined) {
-		sseEnc, err := encrypt.NewSSEKMS(objInfo.KMSKeyID(), nil)
+		// If KMS key ID replication is enabled (as by default)
+		// we include the object's KMS key ID. In any case, we
+		// always set the SSE-KMS header. If no KMS key ID is
+		// specified, MinIO is supposed to use whatever default
+		// config applies on the site or bucket.
+		var keyID string
+		if kms.ReplicateKeyID() {
+			keyID = objInfo.KMSKeyID()
+		}
+
+		sseEnc, err := encrypt.NewSSEKMS(keyID, nil)
 		if err != nil {
 			return putOpts, false, err
 		}
--- a/go.mod
+++ b/go.mod
@ -2,6 +2,8 @@ module github.com/minio/minio

 go 1.23

+toolchain go1.23.6
+
 require (
 	cloud.google.com/go/storage v1.46.0
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.16.0
--- a/internal/kms/config.go
+++ b/internal/kms/config.go
@ -28,6 +28,7 @@ import (
 	"os"
 	"path/filepath"
 	"strings"
+	"sync"
 	"sync/atomic"
 	"syscall"
 	"time"
@ -64,10 +65,32 @@ const (
 	EnvKMSSecretKeyFile = "MINIO_KMS_SECRET_KEY_FILE" // Path to a file to read the static KMS key from
 )

+// EnvKMSReplicateKeyID is an env. variable that controls whether MinIO
+// replicates the KMS key ID. By default, KMS key ID replication is enabled
+// but can be turned off.
+const EnvKMSReplicateKeyID = "MINIO_KMS_REPLICATE_KEYID"
+
 const (
 	tlsClientSessionCacheSize = 100
 )

+var replicateKeyID = sync.OnceValue(func() bool {
+	if v, ok := os.LookupEnv(EnvKMSReplicateKeyID); ok && strings.ToLower(v) == "off" {
+		return false
+	}
+	return true // by default, replicating KMS key IDs is enabled
+})
+
+// ReplicateKeyID reports whether KMS key IDs should be included when
+// replicating objects. It's enabled by default. To disable it, set:
+//
+//	MINIO_KMS_REPLICATE_KEYID=off
+//
+// Some deployments use different KMS clusters with destinct keys on
+// each site. Trying to replicate the KMS key ID can cause requests
+// to fail in such setups.
+func ReplicateKeyID() bool { return replicateKeyID() }
+
 // ConnectionOptions is a structure containing options for connecting
 // to a KMS.
 type ConnectionOptions struct {