#946: Implement SSE-KMS and SSE-C for AWS S3

[alex-laties]

Implements #946

• [] I added CHANGELOG entry for this change.
• [] Change is not relevant to the end user.

Changes

Added support for parsing and passing along AWS S3 SSE-KMS and SSE-C mode configuration details. Seemed pretty easy.

Adds the following config vars:

• sse_s3 - essentially the new encrypt_sse, enables SSE-S3 mode.
• sse_kms_id - enables SSE-KMS mode when set.
• sse_kms_context - optional map of string keys and values for the KMS Context.
• sse_c_key - enables SSE-C mode when set. expects a filepath.

encrypt_sse is kept as an alias for sse_s3, as that's what encrypt_sse currently does, and it seems silly to break valid configuration files from prior to this change for little reason.

Note that KMS and C mode both supersede and override SSE-S3 mode currently. This allows for syntax like:

encrypt_sse: true
sse_c_key: "/path/to/my/key"

to work as expected.

KMS and C mode are mutually exclusive, and trying to enable both currently throws an error.
E.G.

# this is invalid and will throw an error during validation
sse_c_key: "/path/to/my/key"
sse_kms_id: "myid"

Verification

Haven't yet really... would like some help from @jujugrrr to validate the code does what I think it does before going any further really.

[bwplotka]

Nice! One suggestion really.

[bwplotka]

I think we want something like this, but what about, since we are in struct make it more generic? The problem with this approach is that the relation if user will see ALL three of them is not really sure.

It should be clear that you can either set sse_s3, see_c or see_kms if possible... (:

Or at least let's create SSE SSEConfig field and put all of those in such struct. I think that would work. Also let's remove legacy field and add CHANGELOG item for removal of this. What do you think?

[stale]

This issue/PR has been automatically marked as stale because it has not had recent activity. Please comment on status otherwise the issue will be closed in a week. Thank you for your contributions.

[arshvin]

It seems like this feature should work but probably not in my environment. During attempts to upload the new block into AWS S3 store or to read meta.json file of already uploaded block with help by AWS CLI, I only get 403 http-error. Unfortunately I have no access to AWS Console to touch the knobs but from the other side I've tried to put files to and get files from this bucket with SSE-KMS with help by peace of code which uses the same version of the minio-go labrary (6.0.49). What's a miserable week (