MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2025-11-07 12:52:58 -05:00
Code Issues Packages Projects Releases Wiki Activity

fix: disallow SSE-C encrypted objects on replicated buckets (#16467)

Browse Source
This commit is contained in:
Harshavardhana
2023-01-25 05:16:33 +05:30
committed by GitHub
parent d67a846ec4
commit e64b9f6751
9 changed files with 238 additions and 186 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
docs/bucket/replication/README.md
View File

@@ -264,6 +264,16 @@ When Bucket Versioning with excluded prefixes are configured objects matching th
In the above sample config, objects under prefixes matching any of the `ExcludedPrefixes` glob patterns will neither be versioned nor replicated.
### SSE-C Encryption
MinIO does not support SSE-C encrypted objects on replicated buckets, any application uploading SSE-C encrypted objects will be rejected with an error on replicated buckets.
#### Rationale
- SSE-C requires application to remember the keys for all GET/PUT operations, any unfortunate loss of keys would automatically mean the objects cannot be accessed anymore.
- SSE-C is hardly adopted by most widely used applications, applications prefer server to manage the keys via SSE-KMS or SSE-S3.
- MinIO recommends applications to use SSE-KMS, SSE-S3 for simpler, safer and robust encryption mechanism for replicated buckets.
## Explore Further
- [MinIO Bucket Replication Design](https://github.com/minio/minio/blob/master/docs/bucket/replication/DESIGN.md)