That's not currently possible, no. And I don't think it's a good idea to
add such a feature; if the client requests that something be encrypted,
the server should either encrypt it or reject the request.
There is a config called rgw_crypt_s3_kms_encryption_keys that we use
for testing, though, which allows you to specify a mapping of kms keyids
to actual keys. If your client is using a limited number of kms keyids,
you can provide keys for them and get limited sse-kms support without
setting up an actual kms.
For example, this is our test configuration for use with s3tests:
rgw crypt s3 kms encryption keys =
testkey-1=YmluCmJvb3N0CmJvb3N0LWJ1aWxkCmNlcGguY29uZgo=
testkey-2=aWIKTWFrZWZpbGUKbWFuCm91dApzcmMKVGVzdGluZwo=
Where s3tests is sending requests with header
x-amz-server-side-encryption-aws-kms-key-id: testkey1 or testkey2.
I hope that helps!
Casey
On 10/16/18 8:43 AM, Arvydas Opulskis wrote:
Hi,
got no success on IRC, maybe someone will help me here.
After RGW upgrade from Jewel to Luminous, one S3 user started to
receive errors from his postgre wal-e solution. Error is like this:
"Server Side Encryption with KMS managed key requires HTTP header
x-amz-server-side-encryption : aws:kms".
After some reading, seems, like this client is forcing Server side
encryption (SSE) on RGW and it is not configured. Because user can't
disable encryption in his solution for now (it will be possible in
future release), can I somehow disable Encryption support on Luminous
RGW?
Thank you for your insights.
_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
