OCS / ODF Change "Encryption key type" on AWS S3 bucket used as noobaa backingstore
Issue
-
Background about the issue
1.1. "Data at rest" is used as a complement to the terms "data in use" and "data in transit", which together define the three states of digital data.
1.2. Server-side encryption means that the S3 client sends data over HTTP in unencrypted form and the data is stored in the S3 bucket in encrypted form.
1.3. Since 5 Jan 2023, data stored in AWS S3 buckets is encrypted by default (server-side encryption, i.e. encryption of data at rest); see: Setting default server-side encryption behavior for Amazon S3 buckets
"Amazon S3 now applies server-side encryption with Amazon S3 managed keys (SSE-S3) as the base level of encryption for every bucket in Amazon S3. Starting January 5, 2023, all new object uploads to Amazon S3 are automatically encrypted at no additional cost and with no impact on performance."
This requires a cryptographic key that is used to protect/encrypt your data, configured at the bucket layer. These keys are of two types (created and managed by ):
a) Amazon S3 managed keys (SSE-S3)
or
b) AWS Key Management Service (AWS KMS) keys (SSE-KMS); alternatively, instead of AWS KMS keys, customer-provided keys (SSE-C) can be used --> this gives you more control over your keys, such as managing key rotation and access policy grants, and allows you to enable or disable another setting: "bucket key"
1.4. When you install ODF on the AWS platform, an AWS S3 bucket is created in AWS as the noobaa backing store.
That AWS S3 bucket is configured with "Default Encryption" using an Amazon S3 managed key (SSE-S3).
At this point any data stored on that AWS S3 bucket will be encrypted using that SSE-S3 key.
1.5. AWS allows you to change the "Encryption key type" to "AWS Key Management Service key (SSE-KMS)", so any new data stored on that AWS S3 bucket will be encrypted using that new key (SSE-KMS or SSE-C).
1.6. In the same way, when ODF is installed in Azure (OCP IPI install) it creates a "Blob storage" (equivalent to an AWS S3 bucket) by default as the noobaa backingstore; see Azure Storage encryption for data at rest
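Because the change described in 1.3 to 1.5 only applies to new uploads, a practitioner will want to verify what the bucket default is now and which objects are still stored under the previous key type. The following is an added example (not code from this article, ODF or NooBaa): it works on dicts shaped like the real S3 GetBucketEncryption and HeadObject responses, with sample values that are constructed, not captured from a live bucket.

```python
# Added example: classify an S3 bucket's default encryption (SSE-S3 vs SSE-KMS)
# and find objects whose stored encryption does not match that default.
# Field names mirror the S3 GetBucketEncryption / HeadObject responses; all
# sample values below are constructed placeholders.

# Algorithm values S3 reports, mapped to the key types named in the article.
_ALGO_TO_KEY_TYPE = {"AES256": "SSE-S3", "aws:kms": "SSE-KMS"}


def bucket_default_key_type(encryption_config: dict) -> dict:
    """Summarise GetBucketEncryption: key type, KMS key id (None means the
    AWS-managed aws/s3 key or SSE-S3) and the "bucket key" setting."""
    rule = encryption_config["ServerSideEncryptionConfiguration"]["Rules"][0]
    default = rule["ApplyServerSideEncryptionByDefault"]
    algo = default["SSEAlgorithm"]
    return {
        "key_type": _ALGO_TO_KEY_TYPE.get(algo, algo),
        "kms_key_id": default.get("KMSMasterKeyID"),
        "bucket_key_enabled": bool(rule.get("BucketKeyEnabled", False)),
    }


def object_key_type(head: dict) -> str:
    """Key type a single object is stored under (HeadObject response).
    SSE-C objects report SSECustomerAlgorithm instead of ServerSideEncryption."""
    if "SSECustomerAlgorithm" in head:
        return "SSE-C"
    return _ALGO_TO_KEY_TYPE.get(head.get("ServerSideEncryption", ""), "NONE")


def objects_not_under_default(encryption_config: dict, heads: dict) -> list:
    """Keys of objects whose key type differs from the current bucket default.
    Changing the default does not re-encrypt existing objects, so these are the
    objects still protected by the previous setting. Comparison is by key type
    only: the config may hold a KMS alias while HeadObject returns an ARN."""
    default_type = bucket_default_key_type(encryption_config)["key_type"]
    return sorted(k for k, h in heads.items() if object_key_type(h) != default_type)


# Constructed sample: bucket already switched to SSE-KMS with bucket key enabled.
SAMPLE_BUCKET_CONFIG = {"ServerSideEncryptionConfiguration": {"Rules": [{
    "ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    "BucketKeyEnabled": True}]}}

# Constructed sample HeadObject responses: one object written before the switch
# (still SSE-S3) and one written after it (SSE-KMS).
SAMPLE_OBJECT_HEADS = {
    "noobaa/old-chunk": {"ServerSideEncryption": "AES256"},
    "noobaa/new-chunk": {"ServerSideEncryption": "aws:kms",
                         "SSEKMSKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
}
```

Feed the functions the JSON from `aws s3api get-bucket-encryption` and `aws s3api head-object` to run the same check against a real backingstore bucket.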
-
ISSUE:
Q. Do we support that change (from SSE-S3 to SSE-KMS) on the AWS S3 bucket used as noobaa backingstore?
Q. Do we support changing the encryption keys on this Azure Blob storage to customer-managed keys?
Environment
- OCS 4.x
- ODF 4.9 or higher