Re: Removing the encryption: (essentially decrypt) encrypted RGW objects

hi Jayanth,

i don't know that we have a supported way to do this. the
s3-compatible method would be to copy the object onto itself without
requesting server-side encryption. however, this wouldn't prevent
default encryption if rgw_crypt_default_encryption_key was still
enabled. furthermore, rgw has not implemented support for copying
encrypted objects, so this would fail for other forms of server-side
encryption too. this has been tracked in
https://tracker.ceph.com/issues/23264

On Sat, Jun 17, 2023 at 12:13 PM Jayanth Reddy
<jayanthreddy5666@xxxxxxxxx> wrote:
>
> Hello Users,
> We've a big cluster (Quincy) with almost 1.7 billion RGW objects, and we've
> enabled SSE as per
> https://docs.ceph.com/en/quincy/radosgw/encryption/#automatic-encryption-for-testing-only
> (yes, we've chosen this insecure method to store the key)
> We're now in the process of implementing RGW multisite, but stuck due to
> https://tracker.ceph.com/issues/46062 and list at
> https://lists.ceph.io/hyperkitty/list/ceph-users@xxxxxxx/thread/PQW66JJ5DCRTH5XFGTRESF3XXTOSIWFF/#43RHLUVFYNSDLZPXXPZSSXEDX34KWGJX
>
> Was wondering if there is a way to decrypt the objects in-place with the
> applied symmetric key. I tried to remove
> the rgw_crypt_default_encryption_key from the mon configuration database
> (on a test cluster), but as expected, RGW daemons throw 500 server errors
> as they cannot work on encrypted objects.
>
> There is a PR being worked on about introducing the command option at
> https://github.com/ceph/ceph/pull/51842 but it appears it takes some time
> to be merged.
>
> Cheers,
> Jayanth Reddy
> _______________________________________________
> ceph-users mailing list -- ceph-users@xxxxxxx
> To unsubscribe send an email to ceph-users-leave@xxxxxxx
>
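
The S3-style self-copy described in the reply, written against boto3 call shapes as an added example (not part of the original thread and not Ceph's code). `rewrite_without_sse` and `StubGateway` are hypothetical names and the stub's error is constructed; per the reply, expect the failure branch on RGW while https://tracker.ceph.com/issues/23264 is open.

```python
def rewrite_without_sse(client, bucket, key):
    """Copy bucket/key onto itself while requesting no server-side encryption.

    `client` is assumed to be a boto3 S3 client pointed at the gateway.
    Returns (ok, detail). Objects over 5 GB need a multipart copy instead.
    """
    head = client.head_object(Bucket=bucket, Key=key)
    # S3 rejects a self-copy that changes nothing, so use REPLACE and
    # re-send the existing metadata so it is not lost in the rewrite.
    args = {
        "Bucket": bucket,
        "Key": key,
        "CopySource": {"Bucket": bucket, "Key": key},
        "MetadataDirective": "REPLACE",
        "Metadata": head.get("Metadata", {}),
    }
    if "ContentType" in head:
        args["ContentType"] = head["ContentType"]
    # Deliberately no ServerSideEncryption / SSECustomer* / SSEKMSKeyId here.
    try:
        client.copy_object(**args)
    except Exception as exc:  # botocore raises ClientError; caught broadly
        return False, f"copy failed: {exc}"
    sse = client.head_object(Bucket=bucket, Key=key).get("ServerSideEncryption")
    if sse:
        return False, f"still reported as encrypted: {sse}"
    # Not proof of plaintext: per the reply, rgw_crypt_default_encryption_key
    # still encrypts new writes for as long as it remains set.
    return True, "copied; no SSE header reported"


class StubGateway:
    """Constructed stand-in for an S3 client so the example runs offline."""

    def __init__(self, copy_supported):
        self.copy_supported = copy_supported
        self.sent = None

    def head_object(self, Bucket, Key):
        return {"Metadata": {"owner": "team-a"}, "ContentType": "text/plain"}

    def copy_object(self, **kwargs):
        self.sent = kwargs
        if not self.copy_supported:
            raise RuntimeError("NotImplemented")  # constructed error
        return {}


if __name__ == "__main__":
    print(rewrite_without_sse(StubGateway(False), "bucket", "obj"))
```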