[ceph-users] Object Gateway - Server Side Encryption

Thu, 25 Apr 2019 08:34:16 -0700 

Hello Amardeep

We are trying the same as you on luminous.

s3cmd --access_key xxx  --secret_key xxx  --host-bucket '%(bucket)s.s3.xxx.ch' 
--host s3.xxx.ch --signature-v2 --no-preserve --server-side-encryption \
--server-side-encryption-kms-id 
https://barbican.service.xxx.ch/v1/secrets/ffa60094-f88b-41a4-b63f-c07a017ad2b5 
put hello.txt3 s3://test/hello.txt3

upload: 'hello.txt3' -> 's3://test/hello.txt3'  [1 of 1]
 13 of 13   100% in    0s    14.25 B/s  done
ERROR: S3 error: 400 (InvalidArgument): Failed to retrieve the actual key, 
kms-keyid: 
https://barbican.service.xxx.ch/v1/secrets/ffa60094-f88b-41a4-b63f-c07a017ad2b5

openstack --os-cloud fsc-ac secret get 
https://barbican.service.xxx.ch/v1/secrets/ffa60094-f88b-41a4-b63f-c07a017ad2b5
+---------------+----------------------------------------------------------------------------------+
| Field         | Value                                                         
                   |
+---------------+----------------------------------------------------------------------------------+
| Secret href   | 
https://barbican.service.xxx.ch/v1/secrets/ffa60094-f88b-41a4-b63f-c07a017ad2b5 
|
| Name          | fsc-key3                                                      
                   |
| Created       | 2019-04-25T14:31:52+00:00                                     
                   |
| Status        | ACTIVE                                                        
                   |
| Content types | {u'default': u'application/octet-stream'}                     
                   |
| Algorithm     | aes                                                           
                   |
| Bit length    | 256                                                           
                   |
| Secret type   | opaque                                                        
                   |
| Mode          | cbc                                                           
                   |
| Expiration    | 2020-01-01T00:00:00+00:00                                     
                   |
+---------------+----------------------------------------------------------------------------------+

We also tried using --server-side-encryption-kms-id 
ffa60094-f88b-41a4-b63f-c07a017ad2b5
or --server-side-encryption-kms-id fsc-key3 with the same error.


vim /etc/ceph/ceph.conf
    rgw barbican url = https://barbican.service.xxx.ch
    rgw keystone barbican user = rgwcrypt
    rgw keystone barbican password = xxx
    rgw keystone barbican project = service
    rgw keystone barbican domain = default
    rgw crypt require ssl = false

Thank you in advance for your help.



Best Regards

Francois Scheurer

Attachment: smime.p7s
Description: S/MIME cryptographic signature

_______________________________________________
ceph-users mailing list
ceph-users@lists.ceph.com
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com

Reply via email to