add SSE-KMS support and use SSE-KMS for auto encryption (#12237)

This commit adds basic SSE-KMS support. Now, a client can specify the SSE-KMS headers (algorithm, optional key-id, optional context) such that the object gets encrypted using the SSE-KMS method. Further, auto-encryption now defaults to SSE-KMS. This commit does not try to do any refactoring and instead tries to implement SSE-KMS as a minimal change to the code base. However, refactoring the entire crypto-related code is planned - but needs a separate effort. Signed-off-by: Andreas Auernhammer <aead@mail.de>
2025-11-07 12:52:58 -05:00 · 2021-05-07 00:24:01 +02:00
parent 989e394a32
commit af0c65be93
7 changed files with 229 additions and 94 deletions
--- a/cmd/tier.go
+++ b/cmd/tier.go
@@ -29,7 +29,9 @@ import (
 	"sync"

 	"github.com/minio/madmin-go"
+	"github.com/minio/minio/cmd/crypto"
 	"github.com/minio/minio/pkg/hash"
+	"github.com/minio/minio/pkg/kms"
 )

 //go:generate msgp -file $GOFILE
@@ -236,9 +238,7 @@ func (config *TierConfigMgr) configReader() (*PutObjReader, *ObjectOptions, erro

 	// Encrypt json encoded tier configurations
 	metadata := make(map[string]string)
-	sseS3 := true
-	var extKey [32]byte
-	encBr, oek, err := newEncryptReader(hr, extKey[:], minioMetaBucket, tierConfigPath, metadata, sseS3)
+	encBr, oek, err := newEncryptReader(hr, crypto.S3, "", nil, minioMetaBucket, tierConfigPath, metadata, kms.Context{})
 	if err != nil {
 		return nil, nil, err
 	}