Page Menu
Home
Phabricator
Search
Configure Global Search
Log In
Files
F15381863
D10176.diff
No One
Temporary
Actions
View File
Edit File
Delete File
View Transforms
Subscribe
Mute Notifications
Award Token
Flag For Later
Size
3 KB
Referenced Files
None
Subscribers
None
D10176.diff
View Options
diff --git a/src/applications/files/engine/PhabricatorS3FileStorageEngine.php b/src/applications/files/engine/PhabricatorS3FileStorageEngine.php
--- a/src/applications/files/engine/PhabricatorS3FileStorageEngine.php
+++ b/src/applications/files/engine/PhabricatorS3FileStorageEngine.php
@@ -72,7 +72,9 @@
$data,
$this->getBucketName(),
$name,
- $acl = 'private');
+ $acl = 'private',
+ $serverSideEncryption = $this->getServerSideEncryption(),
+ $requestHeaders = $this->getRequestHeaders());
$profiler->endServiceCall($call_id, array());
return $name;
@@ -144,6 +146,45 @@
}
/**
+ * Retrieve the desired encryption method for objects stored on S3.
+ *
+ * @task internal
+ */
+ private function getServerSideEncryption() {
+ return PhabricatorEnv::getEnvConfigIfExists(
+ 'storage.s3.serverSideEncryption', '');
+ }
+
+ /**
+ * Set any request headers as needed.
+ *
+ * @task internal
+ */
+ private function getRequestHeaders() {
+ $headers = array();
+
+ $aws_kms_key_id = PhabricatorEnv::getEnvConfig(
+ 'storage.s3.serverSideEncryption.aws-kms-key-id');
+ if ($this->getServerSideEncryption() == 'aws:kms' && $aws_kms_key_id) {
+ $headers[] = array('x-amz-server-side-encryption-aws-kms-key-id' => $aws_kms_key_id);
+ }
+
+ $cust_algo = PhabricatorEnv::getEnvConfig(
+ 'storage.s3.serverSideEncryption.customer.algorithm');
+ $cust_key = PhabricatorEnv::getEnvConfig(
+ 'storage.s3.serverSideEncryption.customer.key');
+ if ($cust_algo && $cust_key) {
+ $headers[] = array(
+ 'x-amz-server-side-encryption-customer-algorithm' => $cust_algo,
+ 'x-amz-server-side-encryption-customer-key' => base64_encode($cust_key),
+ 'x-amz-server-side-encryption-customer-key-MD5' => base64_encode(md5($cust_key)),
+ );
+ }
+
+ return $headers;
+ }
+
+ /**
* Create a new S3 API object.
*
* @task internal
diff --git a/src/docs/user/configuration/configuring_file_storage.diviner b/src/docs/user/configuration/configuring_file_storage.diviner
--- a/src/docs/user/configuration/configuring_file_storage.diviner
+++ b/src/docs/user/configuration/configuring_file_storage.diviner
@@ -166,6 +166,26 @@
- `amazon-s3.secret-key`: Your AWS secret key.
- `storage.s3.bucket`: S3 bucket name where files should be stored.
+Optionally, you may also configure the use of one of S3's three types of
+server-side encryption (SSE-S3, SSE-KMS, SSE-C). See
+[[ https://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html |
+S3's SSE documention ]] for more information and the values you may
+wish to use for the following keys:
+
+ - `storage.s3.serverSideEncryption`: The value to send in the
+ `x-amz-server-side-encryption` header (e.g., 'AES256' or 'aws:kms').
+
+ - `storage.s3.serverSideEncryption.aws-kms-key-id`: The value to send in the
+ `x-amz-server-side-encryption-aws-kms-key-id` header.
+
+ - `storage.s3.serverSideEncryption.customer.algorithm`: The value to send in
+ the `x-amz-server-side-encryption-customer-algorithm` header (e.g.,
+ 'AES256').
+
+ - `storage.s3.serverSideEncryption.customer.key`: The value to send in the
+ `x-amz-server-side-encryption-customer-key` header. Note that this will be
+ encoded as base64 when sending.
+
Testing Storage Engines
=======================
File Metadata
Details
Attached
Mime Type
text/plain
Expires
Sat, Mar 15, 9:41 AM (1 w, 1 d ago)
Storage Engine
blob
Storage Format
Encrypted (AES-256-CBC)
Storage Handle
7689167
Default Alt Text
D10176.diff (3 KB)
Attached To
Mode
D10176: Add server-side-encryption support to S3StorageEngine
Attached
Detach File
Event Timeline
Log In to Comment