Somehow Google Workspace ate my answer. So here it is, resent:

Hi Michael,

HashiCorp Vault is sadly not an option. The system is something self-developed
and halfway Vault-compliant. So it only supports the KV engine, not the transit
engine.

And because of that it seems to only support sse-kms and sadly not sse-s3.

This is why I need to force the end user to use the KMS stuff.

Cheers
 Boris


On Wed, 4 June 2025 at 17:45, Michael Worsham <
mwors...@datadimensions.com> wrote:

> We use Hashicorp Vault with the SSE-S3 and the transit engine with Vault
> handling the KMS for our needs. If they don't have the correct key, you
> can't even look at the S3 bucket let alone read or write to it. Each S3
> bucket is assigned a specific uid with access key and secret key, but if
> you don't know the KMS key name, you won't be able to access said S3 bucket
> as well.
>
> -- Michael
>
>
>
> ------------------------------
> *From:* Boris <b...@kervyn.de>
> *Sent:* Wednesday, June 4, 2025 6:20:38 AM
> *To:* ceph-users@ceph.io <ceph-users@ceph.io>
> *Subject:* [ceph-users] radosgw force usage of sse-kms?
>
>
>
> Hi,
>
> I am in a project where the requirement is:
> - All data MUST be encrypted at rest
> - At least one key per customer
> - The backend only supports the Vault KV as secret engine, so SSE-S3 is
> not an option
>
> The idea is, that we create a key for the customer and tell them in the
> panel that they need to use it and how it will work.
>
> But how do I prevent the user from uploading unencrypted objects?
>
> Do I check for a header in the proxy and return a <h1>uhuhuh, you didn't
> say the magic word!</h1> when the specific header is missing? And if this
> is the way, is there a schema I need to stick to?
>
> - Boris
>
> --
> The "UTF-8 Problems" self-help group meets, as an exception this time, in
> the large hall.
> _______________________________________________
> ceph-users mailing list -- ceph-users@ceph.io
> To unsubscribe send an email to ceph-users-le...@ceph.io


-- 
The "UTF-8 Problems" self-help group meets, as an exception this time, in
the large hall.
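The proxy-side header check Boris asks about, as an added example that is not part of this thread or of radosgw itself: a Python policy function that refuses object-creating S3 requests lacking `x-amz-server-side-encryption: aws:kms` and a key id assigned to the tenant, while letting UploadPart requests through because they carry no SSE headers. It assumes the proxy has already split each request into method, object key and query parameters (the names `creates_object` and `check_sse_kms` are hypothetical).

```python
from typing import Mapping, Optional, Sequence

REQUIRED_ALGO = "aws:kms"
SSE_HEADER = "x-amz-server-side-encryption"
KEY_HEADER = "x-amz-server-side-encryption-aws-kms-key-id"


def creates_object(method: str, key: Optional[str], query: Mapping[str, Sequence[str]]) -> bool:
    """True only for requests that create object content and therefore carry the SSE
    headers: PutObject and CopyObject (PUT on a key) and CreateMultipartUpload
    (POST on a key with ?uploads). UploadPart (PUT with partNumber/uploadId) inherits
    the encryption chosen at CreateMultipartUpload and sends no SSE headers, so
    gating it on them would break every multipart upload."""
    if not key:                      # bucket- or service-level request, no object body
        return False
    if method == "PUT":
        return "partNumber" not in query and "uploadId" not in query
    if method == "POST":
        return "uploads" in query    # browser form uploads (POST without ?uploads) carry
    return False                     # the SSE settings as form fields, not headers


def check_sse_kms(method, key, query, headers, allowed_key_ids=None):
    """Return (allow, reason). Header names are matched case-insensitively.
    allowed_key_ids, when given, pins the request to the key ids issued to this tenant."""
    if not creates_object(method, key, query):
        return True, "not an object-creating request"
    h = {name.lower(): value for name, value in headers.items()}
    algo = h.get(SSE_HEADER)
    if algo is None:
        return False, f"missing {SSE_HEADER} header"
    if algo != REQUIRED_ALGO:
        return False, f"{SSE_HEADER} must be {REQUIRED_ALGO}, got {algo!r}"
    key_id = h.get(KEY_HEADER)
    if not key_id:
        return False, f"missing {KEY_HEADER} header"
    if allowed_key_ids is not None and key_id not in allowed_key_ids:
        return False, f"KMS key id {key_id!r} is not assigned to this tenant"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests, as the proxy would see them after parsing the URL.
    samples = [
        ("PUT", "report.csv", {}, {}),
        ("PUT", "report.csv", {}, {"X-Amz-Server-Side-Encryption": "AES256"}),
        ("PUT", "report.csv", {}, {"x-amz-server-side-encryption": "aws:kms",
                                   "x-amz-server-side-encryption-aws-kms-key-id": "cust-a-2025"}),
        ("PUT", "big.bin", {"partNumber": ["3"], "uploadId": ["xyz"]}, {}),
        ("PUT", None, {}, {}),
    ]
    for req in samples:
        print(req[0], req[1], dict(req[2]), "->", check_sse_kms(*req, allowed_key_ids={"cust-a-2025"}))
```

The check only holds if the proxy is the only path to radosgw; a bucket policy condition on `s3:x-amz-server-side-encryption` would enforce the same rule inside RGW itself, provided the deployed version supports that condition key.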