Hello,

I've been working on having SSE-S3 work too in the past few days with a v18 cluster (SSE-S3 is only available starting v17 IIRC).

First thing to check are the radosgw logs. Don't hesitate to increase them with `debug rgw 20/20` if possible, you'll see the error and vault interactions.

Then, you need to configure the radosgw properly. I had a bit of a hard time to figure it out from the docs, but here's my test configuration:

```
rgw_crypt_s3_kms_backend = vault
rgw_crypt_sse_s3_vault_secret_engine = transit
rgw_crypt_sse_s3_vault_auth = token
rgw_crypt_sse_s3_vault_token_file = /run/.rgw-vault-token
rgw_crypt_sse_s3_vault_addr = http://172.17.0.1:8200
rgw_crypt_sse_s3_vault_prefix = /v1/transit/
rgw_crypt_sse_s3_vault_verify_ssl = false
rgw_crypt_vault_secret_engine = kv
rgw_crypt_vault_auth = token
rgw_crypt_vault_token_file = /run/.rgw-vault-token
rgw_crypt_vault_addr = http://172.17.0.1:8200
rgw_crypt_vault_prefix = /v1/secret/data/
rgw_crypt_vault_verify_ssl = false
```

The sse_s3 configuration keys are the ones used for SSE-S3 while the other (crypt_vault) are used only for SSE-KMS (if I understood everything well).

From there and once I used the PutBucketEncryption API to use SSE-S3 as default, everything worked fine.

If that still doesn't work on your end, then I guess you'll need to share some logs / errors or request output!

Good hacking!
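
Added example (not part of the original message and not Ceph code): a small Python check to run over radosgw settings before a test configuration like the one above is reused elsewhere, flagging a Vault address without TLS and disabled certificate verification for both the SSE-S3 and SSE-KMS option families. The sample input is constructed from the settings quoted in the message; treating a missing `verify_ssl` option as enabled is an assumption.

```python
import re

# Constructed sample: the Vault-related test settings quoted in the message.
SAMPLE = """\
rgw_crypt_sse_s3_vault_secret_engine = transit
rgw_crypt_sse_s3_vault_auth = token
rgw_crypt_sse_s3_vault_token_file = /run/.rgw-vault-token
rgw_crypt_sse_s3_vault_addr = http://172.17.0.1:8200
rgw_crypt_sse_s3_vault_prefix = /v1/transit/
rgw_crypt_sse_s3_vault_verify_ssl = false
rgw_crypt_vault_secret_engine = kv
rgw_crypt_vault_auth = token
rgw_crypt_vault_token_file = /run/.rgw-vault-token
rgw_crypt_vault_addr = http://172.17.0.1:8200
rgw_crypt_vault_prefix = /v1/secret/data/
rgw_crypt_vault_verify_ssl = false
"""

# Option-name prefixes per feature, following the split described in the message.
FEATURES = {"SSE-S3": "rgw_crypt_sse_s3_vault_", "SSE-KMS": "rgw_crypt_vault_"}


def parse(text):
    """Parse 'key = value' lines; spaces and dashes in option names become underscores."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if "=" in line:
            key, value = line.split("=", 1)
            opts[re.sub(r"[\s-]+", "_", key.strip())] = value.strip()
    return opts


def lint(text):
    """Return (feature, option, problem) tuples for weak Vault transport settings."""
    opts, findings = parse(text), []
    for feature, prefix in FEATURES.items():
        addr = opts.get(prefix + "addr")
        if addr and not addr.lower().startswith("https://"):
            findings.append((feature, prefix + "addr", "Vault token sent without TLS"))
        # Assumption: an absent verify_ssl option means verification stays on.
        if opts.get(prefix + "verify_ssl", "true").lower() in ("false", "0", "no"):
            findings.append((feature, prefix + "verify_ssl", "certificate not verified"))
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print("%-8s %-36s %s" % finding)
```
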