Additional options#
Server-side encryption#
cunoFS fully supports server-side encryption for both streaming to and from remote locations. That includes server-side encryption with customer-provided encryption keys (SSE-C) that allows users to set their own encryption keys. Users are responsible for managing their encryption keys as well as providing them as part of every remote request. As a result, users have to provide custom keys to cunoFS.
SSE in AWS S3#
cunoFS fully supports the default behavior in AWS to always encrypt the user data on the server side, before it is written to disk. cunoFS also supports customer-supplied encryption using AES-256 keys. For more information see the AWS documentation.
In AWS S3, users specify their encryption options by setting the AWS_S3OPTIONS
environment variable.
The available encryption options are the same as those provided by awscli
.
For example, the following:
export AWS_S3OPTIONS="--sse-write-c AES256 --sse-write-c-key xxxxxxxxxxxxxxxxxx"
enables AES256 server-side encryption with a customer-provided key. All available options follow:
|
Specifies server-side encryption of the object in S3. Valid values are |
|
This parameter should only be specified when reading an S3 object that was encrypted server-side with
a customer-provided key. It specifies the algorithm to use when decrypting the source object.
|
|
This parameter should be specified when reading an S3 object that was encrypted server-side with a
customer-provided key. Specifies the customer-provided encryption key for Amazon S3 to use to decrypt
the source object. The encryption key provided must be one that was used when the source object was
created. |
|
Specifies server-side encryption for writing an S3 object using customer provided keys of the object
in S3. |
|
The customer-provided encryption key to use to server-side encrypt the object in S3. If you provide
this value, |
|
The AWS KMS key ID that should be used to server-side encrypt the object in S3. Note that you should only provide this parameter if the KMS key ID is different from the default S3 master KMS key. |
Note that AWS KMS keys are required only for writing encrypted objects. Reading of encrypted objects does not require the corresponding KMS key to be specified. Furthermore, only one of --sse-write-c-key
and --sse-kms-key-id
options can be enabled at a time. To use encryption with alternate paths the corresponding ALT_AWS_S3OPTIONS
environment variable must be set.
SSE in Google Cloud Storage#
cunoFS fully supports the default behavior in Google Cloud Storage to always encrypt the user data on the server side, before it is written to disk. In addition to this option, cunoFS also supports customer-supplied encryption using AES-256 keys. For more information see:
To enable the SSE-C option the user must set the GS_ENCRYPTION
environment variable. For example:
export GS_ENCRYPTION="--sse-write-c-key xxxxxxxxxxxxxxxxxx"
enables AES256 server-side encryption with the specified customer-provided key.
Available options for encryption using customer-provided keys:
|
This parameter should be specified when reading a remote object on Google Cloud Storage that was encrypted server-side with a customer-provided key. Specifies the customer-provided encryption key for Google Storage to use to decrypt the source object. The encryption key provided must be one that was used when the source object was created. |
|
The customer-provided encryption key to use to server-side encrypt the object in Google Cloud Storage when writing. The key provided should not be base64 encoded. cunoFS is also fully compatible with Google’s cloud-hosted key management service (KMS).
Customer-managed keys used in encryption are provided |
|
The Cloud KMS key that should be used to server-side encrypt the object in Google Cloud Storage. Note that you should only provide this parameter if KMS key ID is different than the default KMS key associated with the remote bucket. Note that Cloud KMS keys are required only for writing encrypted objects. Reading of encrypted object
does not require the corresponding Cloud KMS key to be specified. Furthermore, only one of
code:–sse-write-c-key and |
SSE in Microsoft Azure#
Server-side encryption is always enabled at rest in Azure for all containers. It is the default, and cannot be disabled.