Support customer-provided keys (S3 SSE-C) for encrypted buckets in object storage
Overview
We recently added support for AWS server-side encryption of object storage, limited to SSE-S3 and SSE-KMS. We are now starting to hear requests for customer-provided keys (SSE-C), which give customers control over the keys themselves rather than leaving key management to the cloud provider. So far the requests have concerned object storage on AWS and Azure.
Solution
Right now in https://docs.gitlab.com/ee/administration/object_storage.html#encrypted-s3-buckets, we say:
Note that customer master keys (CMKs) and SSE-C encryption are not yet supported since this requires supplying keys to the GitLab configuration
We would need to ensure a few things:
- The keys get passed to CarrierWave (https://github.com/fog/fog/issues/3168#issuecomment-62343203) and Fog
- The keys get passed to Workhorse
gitlab-org/charts/gitlab#1012 (comment 352161997) has more details.
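Both components in the list above would need to attach the same three SSE-C headers to every request that touches an object (PUT, GET, HEAD, COPY), because S3 does not retain the key. The following is an added example, not GitLab, CarrierWave, Fog or Workhorse code: it builds the headers from a raw 256-bit key the way the S3 API documents them (`AES256` algorithm, base64 key, base64 MD5 of the raw key) and performs the receiving-side check that S3 itself does, so a wrong-length key or a corrupted key header is rejected before anything is uploaded. The `sse_c_headers`, `verify_sse_c_headers` and `SseCKeyError` names are this example's own; the 32-byte test key is constructed inline.

```ruby
require 'base64'
require 'digest'
require 'securerandom'

# Header names are fixed by the S3 API. AES256 is the only algorithm S3 accepts
# for SSE-C; the MD5 header lets S3 detect a key corrupted in transit.
SSE_C_ALGORITHM_HEADER = 'x-amz-server-side-encryption-customer-algorithm'
SSE_C_KEY_HEADER       = 'x-amz-server-side-encryption-customer-key'
SSE_C_KEY_MD5_HEADER   = 'x-amz-server-side-encryption-customer-key-MD5'

# Raised for any malformed or inconsistent SSE-C key material (example-only name).
class SseCKeyError < StandardError; end

# Generates a fresh 256-bit key; the caller is responsible for storing it,
# since S3 cannot return an object encrypted with a key it no longer has.
def generate_sse_c_key
  SecureRandom.random_bytes(32)
end

# Builds the three SSE-C headers for a raw 32-byte key. The same hash must be
# merged into the headers of every PUT/GET/HEAD/COPY on the object.
def sse_c_headers(raw_key)
  unless raw_key.bytesize == 32
    raise SseCKeyError, "SSE-C key must be 32 bytes, got #{raw_key.bytesize}"
  end

  {
    SSE_C_ALGORITHM_HEADER => 'AES256',
    SSE_C_KEY_HEADER       => Base64.strict_encode64(raw_key),
    SSE_C_KEY_MD5_HEADER   => Base64.strict_encode64(Digest::MD5.digest(raw_key))
  }
end

# Receiving-side check mirroring what S3 does: decode the key, confirm its
# length and confirm the MD5 header matches. Returns the raw key on success.
def verify_sse_c_headers(headers)
  unless headers[SSE_C_ALGORITHM_HEADER] == 'AES256'
    raise SseCKeyError, 'unsupported SSE-C algorithm'
  end

  encoded_key = headers[SSE_C_KEY_HEADER] or raise SseCKeyError, 'missing SSE-C key header'
  raw_key = begin
    Base64.strict_decode64(encoded_key)
  rescue ArgumentError
    raise SseCKeyError, 'SSE-C key is not valid base64'
  end
  raise SseCKeyError, 'SSE-C key must be 32 bytes' unless raw_key.bytesize == 32

  expected_md5 = Base64.strict_encode64(Digest::MD5.digest(raw_key))
  given_md5 = headers[SSE_C_KEY_MD5_HEADER] or raise SseCKeyError, 'missing SSE-C key MD5 header'
  raise SseCKeyError, 'SSE-C key MD5 mismatch' unless secure_compare(expected_md5, given_md5)

  raw_key
end

# Constant-time comparison so the MD5 check does not leak how many leading
# bytes of the header were correct.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize

  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end
```

With fog-aws, the hash returned by `sse_c_headers` can be merged into the `options` argument of `put_object` / `get_object`, which the library forwards as request headers; with Workhorse the same three headers would be set on its `net/http` requests and on any presigned URLs it hands to clients. One caveat that follows from the mechanism: the raw key travels in every request, so S3 only accepts SSE-C over TLS, and whichever component performs the upload (including the client of a direct upload) necessarily holds the key.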
Changes needed: