Add support for AWS S3 Server Side Encryption (SSE-KMS) (!537) · Merge requests · GitLab.org / gitlab-workhorse

Stan Hu requested to merge sh-add-s3-encryption into master Jul 26, 2020

Prior to this change, uploads to AWS S3 were only encrypted on the server if a default encryption were specified on the bucket.

With this change, admins can now configure the encryption and the AWS Key Management Service (KMS) key ID in GitLab Rails, and the configuration will be used in uploads. Bucket policies to enforce encryption can now be used since Workhorse sends the required headers (x-amz-server-side-encryption and x-amz-server-side-encryption-aws-kms-key-id). The bucket policy cannot be enforced with default encryption, since that is applied after the check.

This requires the changes in gitlab!38240 (merged) to work.

Part of gitlab#22200 (closed)

Edited Aug 06, 2020 by Stan Hu

Add support for AWS S3 Server Side Encryption (SSE-KMS)

Merge request reports