Allow Compression + encryption (#11103)

docs/bucket/versioning/DESIGN.md

@@ -26,7 +26,7 @@ Once the header is validated, we proceed to the actual data structure of the `xl
 - LegacyObjectType (preserves existing deployments and older xl.json format)
 - DeleteMarker (a versionId to capture the DELETE sequences implemented primarily for AWS spec compatibility)
 
-A sample msgpack-JSON `xl.meta`, you can debug the content inside `xl.meta` using [xl-meta-to-json.go](https://github.com/minio/minio/blob/master/docs/bucket/versioning/xl-meta-to-json.go) program.
+A sample msgpack-JSON `xl.meta`, you can debug the content inside `xl.meta` using [xl-meta.go](https://github.com/minio/minio/blob/master/docs/bucket/versioning/xl-meta.go) program.
 ```json
 {
   "Versions": [

docs/bucket/versioning/xl-meta.go

@@ -56,11 +56,12 @@ GLOBAL FLAGS:
 	}
 
 	app.Action = func(c *cli.Context) error {
-		if !c.Args().Present() {
-			cli.ShowAppHelp(c)
-			return nil
+		files := c.Args()
+		if len(files) == 0 {
+			// If no args, assume xl.meta
+			files = []string{"xl.meta"}
 		}
-		for _, file := range c.Args() {
+		for _, file := range files {
 			var r io.Reader
 			switch file {
 			case "-":

docs/compression/README.md

@@ -1,10 +1,19 @@
 # Compression Guide [![Slack](https://slack.min.io/slack?type=svg)](https://slack.min.io)
 
-MinIO server allows streaming compression to ensure efficient disk space usage. Compression happens inflight, i.e objects are compressed before being written to disk(s). MinIO uses [`klauspost/compress/s2`](https://github.com/klauspost/compress/tree/master/s2) streaming compression due to its stability and performance.
+MinIO server allows streaming compression to ensure efficient disk space usage. 
+Compression happens inflight, i.e objects are compressed before being written to disk(s). 
+MinIO uses [`klauspost/compress/s2`](https://github.com/klauspost/compress/tree/master/s2) 
+streaming compression due to its stability and performance.
 
-This algorithm is specifically optimized for machine generated content. Write throughput is typically at least 300MB/s per CPU core. Decompression speed is typically at least 1GB/s.
-This means that in cases where raw IO is below these numbers compression will not only reduce disk usage but also help increase system throughput.
-Typically enabling compression on spinning disk systems will increase speed when the content can be compressed.
+This algorithm is specifically optimized for machine generated content. 
+Write throughput is typically at least 500MB/s per CPU core,
+and scales with the number of available CPU cores. 
+Decompression speed is typically at least 1GB/s.
+
+This means that in cases where raw IO is below these numbers 
+compression will not only reduce disk usage but also help increase system throughput.
+Typically, enabling compression on spinning disk systems 
+will increase speed when the content can be compressed.
 
 ## Get Started
 
@@ -14,40 +23,71 @@ Install MinIO - [MinIO Quickstart Guide](https://docs.min.io/docs/minio-quicksta
 
 ### 2. Run MinIO with compression
 
-Compression can be enabled by updating the `compress` config settings for MinIO server config. Config `compress` settings take extensions and mime-types to be compressed.
+Compression can be enabled by updating the `compress` config settings for MinIO server config. 
+Config `compress` settings take extensions and mime-types to be compressed.
 
-```
-$ mc admin config get myminio compression
+```bash
+~ mc admin config get myminio compression
 compression extensions=".txt,.log,.csv,.json,.tar,.xml,.bin" mime_types="text/*,application/json,application/xml"
 ```
 
 Default config includes most common highly compressible content extensions and mime-types.
 
-```
-$ mc admin config set myminio compression extensions=".pdf" mime_types="application/pdf"
+```bash
+~ mc admin config set myminio compression extensions=".pdf" mime_types="application/pdf"
 ```
 
 To show help on setting compression config values.
-```
+```bash
 ~ mc admin config set myminio compression
 ```
 
-To enable compression for all content, with default extensions and mime-types.
-```
-~ mc admin config set myminio compression enable="on"
+To enable compression for all content, no matter the extension and content type 
+(except for the default excluded types) set BOTH extensions and mime types to empty.
+
+```bash
+~ mc admin config set myminio compression enable="on" extensions="" mime_types=""
 ```
 
-The compression settings may also be set through environment variables. When set, environment variables override the defined `compress` config settings in the server config.
+The compression settings may also be set through environment variables. 
+When set, environment variables override the defined `compress` config settings in the server config.
 
 ```bash
 export MINIO_COMPRESS="on"
-export MINIO_COMPRESS_EXTENSIONS=".pdf,.doc"
-export MINIO_COMPRESS_MIME_TYPES="application/pdf"
+export MINIO_COMPRESS_EXTENSIONS=".txt,.log,.csv,.json,.tar,.xml,.bin"
+export MINIO_COMPRESS_MIME_TYPES="text/*,application/json,application/xml"
 ```
 
-### 3. Note
+### 3. Compression + Encryption
 
-- Already compressed objects are not fit for compression since they do not have compressible patterns. Such objects do not produce efficient [`LZ compression`](https://en.wikipedia.org/wiki/LZ77_and_LZ78) which is a fitness factor for a lossless data compression. Below is a list of common files and content-types which are not suitable for compression.
+Combining encryption and compression is not safe in all setups.
+This is particularly so if the compression ratio of your content reveals information about it.
+See [CRIME TLS](https://en.wikipedia.org/wiki/CRIME) as an example of this.
+
+Therefore, compression is disabled when encrypting by default, and must be enabled separately.
+
+Consult our security experts on [SUBNET](https://min.io/pricing) to help you evaluate if 
+your setup can use this feature combination safely.
+
+To enable compression+encryption use:
+
+```bash
+~ mc admin config set myminio compression allow_encryption=on
+```
+
+Or alternatively through the environment variable `MINIO_COMPRESS_ALLOW_ENCRYPTION=on`.
+
+### 4. Excluded Types
+
+- Already compressed objects are not fit for compression since they do not have compressible patterns. 
+Such objects do not produce efficient [`LZ compression`](https://en.wikipedia.org/wiki/LZ77_and_LZ78)
+which is a fitness factor for a lossless data compression.
+
+Pre-compressed input typically compresses in excess of 2GiB/s per core, 
+so performance impact should be minimal even if precompressed data is re-compressed.
+Decompressing incompressible data has no significant performance impact.
+
+Below is a list of common files and content-types which are typically not suitable for compression.
 
     - Extensions
 
@@ -72,15 +112,17 @@ export MINIO_COMPRESS_MIME_TYPES="application/pdf"
       | `application/x-compress` |
       | `application/x-xz` |
 
-All files with these extensions and mime types are excluded from compression, even if compression is enabled for all types.
+All files with these extensions and mime types are excluded from compression, 
+even if compression is enabled for all types.
 
-- MinIO does not support encryption with compression because compression and encryption together potentially enables room for side channel attacks like [`CRIME and BREACH`](https://blog.minio.io/c-e-compression-encryption-cb6b7f04a369)
+### 5. Notes
 
 - MinIO does not support compression for Gateway (Azure/GCS/NAS) implementations.
 
 ## To test the setup
 
-To test this setup, practice put calls to the server using `mc` and use `mc ls` on the data directory to view the size of the object.
+To test this setup, practice put calls to the server using `mc` and use `mc ls` on 
+the data directory to view the size of the object.
 
 ## Explore Further