We use Hashicorp Vault with SSE-S3 and the transit engine, with Vault handling the KMS for our needs. If you don't have the correct key, you can't even look at the S3 bucket, let alone read or write to it. Each S3 bucket is assigned a specific uid with an access key and secret key, but if you don't know the KMS key name, you won't be able to access said S3 bucket either.
-- Michael

________________________________
From: Boris <b...@kervyn.de>
Sent: Wednesday, June 4, 2025 6:20:38 AM
To: ceph-users@ceph.io <ceph-users@ceph.io>
Subject: [ceph-users] radosgw force usage of sse-kms?

Hi,

I am in a project where the requirement is:
- All data MUST be encrypted at rest
- At least one key per customer
- The backend only supports the Vault KV as secret engine, so SSE-S3 is not an option

The idea is that we create a key for the customer and tell them in the panel that they need to use it and how it will work.

But how do I prevent the user from uploading unencrypted objects? Do I check for a header in the proxy and return a <h1>uhuhuh, you didn't say the magic word!</h1> when the specific header is missing? And if this is the way, is there a schema I need to stick to?

- Boris

--
The "UTF-8 problems" self-help group meets this time, by exception, in the large hall.

_______________________________________________
ceph-users mailing list -- ceph-users@ceph.io
To unsubscribe send an email to ceph-users-le...@ceph.io
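The proxy-side check Boris asks about, as an added example that is not part of this thread or of Ceph: a Python gate placed in front of radosgw that classifies each S3 request, passes everything that does not create a new object body, and refuses object creates (PutObject, CopyObject, CreateMultipartUpload) unless they carry the SSE-KMS headers with a key name assigned to the requesting tenant. The tenant table, the path-style URL assumption, the function names and the 403 AccessDenied response shape are assumptions for illustration; the two header names are the standard S3 SSE-KMS request headers.

```python
"""Reverse-proxy gate that refuses object uploads to radosgw unless they
request SSE-KMS with a key the tenant is allowed to use.

Added example, not part of the mailing-list thread or of Ceph.  The header
names are the standard S3 SSE-KMS request headers; the tenant table, the
path-style URL assumption and the function names are illustrative.
"""
import html
from typing import Mapping, NamedTuple, Optional, Set
from urllib.parse import parse_qs

SSE_HEADER = "x-amz-server-side-encryption"
KMS_KEY_HEADER = "x-amz-server-side-encryption-aws-kms-key-id"

# Constructed sample table: tenant -> key names that tenant may reference.
# In a real deployment this comes from the customer panel / Vault policy.
ALLOWED_KEYS: Mapping[str, Set[str]] = {
    "acme": {"acme-prod", "acme-archive"},
    "globex": {"globex-2025"},
}


class Decision(NamedTuple):
    allowed: bool
    status: int            # HTTP status to send when not allowed
    body: Optional[str]    # S3-style XML error body, or None


def s3_error(code: str, message: str, resource: str) -> str:
    """Build the XML error document S3 clients expect on a rejected request."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f"<Error><Code>{code}</Code><Message>{html.escape(message)}</Message>"
        f"<Resource>{html.escape(resource)}</Resource></Error>"
    )


def split_path(path: str):
    """Path-style request (/bucket/key); returns (bucket, key or None)."""
    parts = path.lstrip("/").split("/", 1)
    bucket = parts[0] or None
    key = parts[1] if len(parts) > 1 and parts[1] else None
    return bucket, key


def classify(method: str, path: str, query: str) -> str:
    """'create' -> starts a new object body and must carry the SSE headers
       'part'   -> UploadPart; encryption was fixed at CreateMultipartUpload
       'form'   -> browser POST upload; SSE fields sit inside the form body
       'other'  -> bucket ops, sub-resources, reads: not this gate's concern"""
    bucket, key = split_path(path)
    q = parse_qs(query, keep_blank_values=True)
    if method == "PUT" and key is not None:
        if "partNumber" in q and "uploadId" in q:
            return "part"
        return "create" if not q else "other"   # ?acl, ?tagging, ... are sub-resources
    if method == "POST" and bucket is not None:
        if key is not None and "uploads" in q:
            return "create"
        if key is None and not q:
            return "form"
    return "other"


def check_upload(method: str, path: str, query: str,
                 headers: Mapping[str, str], tenant: str) -> Decision:
    """Let the request through to radosgw, or produce a 403 for the client."""
    kind = classify(method, path, query)
    if kind in ("other", "part"):
        return Decision(True, 200, None)

    def deny(msg: str) -> Decision:
        return Decision(False, 403, s3_error("AccessDenied", msg, path))

    if kind == "form":
        # The SSE fields of a POST-form upload live in the multipart body;
        # fail closed instead of parsing it here.
        return deny("Browser form uploads must be sent as PutObject with SSE-KMS.")
    h = {k.lower(): v.strip() for k, v in headers.items()}   # header names are case-insensitive
    if h.get(SSE_HEADER) != "aws:kms":
        return deny(f"{SSE_HEADER}: aws:kms is required on every upload.")
    key_id = h.get(KMS_KEY_HEADER)
    if not key_id:
        return deny(f"{KMS_KEY_HEADER} is required.")
    if key_id not in ALLOWED_KEYS.get(tenant, set()):
        return deny(f"KMS key {key_id!r} is not assigned to this tenant.")
    return Decision(True, 200, None)
```

UploadPart requests are passed without inspection because the encryption mode is fixed at CreateMultipartUpload; that is the case a naive "every PUT must carry the header" rule breaks. The gate only enforces request shape: the Vault policy behind radosgw still has to restrict each key to its tenant, and since radosgw refuses SSE headers over plain HTTP by default (rgw_crypt_require_ssl), a TLS-terminating proxy must forward the scheme in a header radosgw is configured to trust (rgw_trust_forwarded_https) or pass TLS through.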