
Support customer-provided keys (S3 SSE-C) for encrypted buckets in object storage


Overview

We have recently added support for server-side encryption keys on AWS to manage access to encrypted object storage. The support is limited to SSE-S3 and SSE-KMS encryption. However, we are starting to hear requests to support customer-provided keys, which give customers greater control over the management of the keys. So far the requests have been in relation to object storage on AWS and Azure.

Solution

Right now in https://docs.gitlab.com/ee/administration/object_storage.html#encrypted-s3-buckets, we say:

Note that customer master keys (CMKs) and SSE-C encryption are not yet supported since this requires supplying keys to the GitLab configuration

We would need to ensure a few things:

  1. The keys get passed to CarrierWave (https://github.com/fog/fog/issues/3168#issuecomment-62343203) and Fog
  2. The keys get passed to Workhorse

gitlab-org/charts/gitlab#1012 (comment 352161997) has more details.
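What "passing the keys" to the upload path means in practice: every S3 request for an SSE-C object has to carry the customer key itself (base64), an MD5 of the raw key bytes, and the algorithm name, so both CarrierWave/Fog and Workhorse need the same material. The following is an added illustration, not code from this issue or from GitLab, CarrierWave or Fog; the AWS header names are real, the helper names are my own.

```ruby
require 'base64'
require 'digest/md5'

# Builds the three S3 SSE-C request headers from a raw 256-bit customer key.
# S3 rejects the request unless the key is exactly 32 bytes and the MD5 header
# matches the raw key bytes (not the base64 text). The key travels in the
# request itself, so these headers must only ever be sent over TLS and must
# never be logged.
def sse_c_headers(raw_key)
  unless raw_key.bytesize == 32
    raise ArgumentError, "SSE-C key must be 32 bytes, got #{raw_key.bytesize}"
  end

  {
    'x-amz-server-side-encryption-customer-algorithm' => 'AES256',
    'x-amz-server-side-encryption-customer-key' => Base64.strict_encode64(raw_key),
    'x-amz-server-side-encryption-customer-key-MD5' =>
      Base64.strict_encode64(Digest::MD5.digest(raw_key))
  }
end

# Checks that a header set is internally consistent before the request leaves
# the process: a wrong length or a stale MD5 means S3 answers 400 and the
# upload fails, which is the failure mode when two components (Rails/Fog and
# Workhorse) are configured with different copies of the key.
def sse_c_headers_valid?(headers)
  return false unless headers['x-amz-server-side-encryption-customer-algorithm'] == 'AES256'

  key = Base64.strict_decode64(headers.fetch('x-amz-server-side-encryption-customer-key'))
  return false unless key.bytesize == 32

  expected_md5 = Base64.strict_encode64(Digest::MD5.digest(key))
  headers['x-amz-server-side-encryption-customer-key-MD5'] == expected_md5
rescue ArgumentError, KeyError
  false
end

if __FILE__ == $PROGRAM_NAME
  demo_key = 'k' * 32 # constructed sample key; a real key comes from a KMS or secret store
  headers = sse_c_headers(demo_key)
  puts sse_c_headers_valid?(headers) # true
end
```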

Changes needed:

  1. CarrierWave: https://github.com/carrierwaveuploader/carrierwave/pull/2504/files
  2. Fog: https://github.com/fog/fog-aws/pull/572/files