Commit 1b3ffdf2 authored by Pepijn Van Eeckhoudt's avatar Pepijn Van Eeckhoudt Committed by James Lopez

Add SSE-C key configuration option for Amazon S3 remote backups

parent 00ac520e
title: Add support for customer provided encryption keys for Amazon S3 remote backups
merge_request: 23797
author: Pepijn Van Eeckhoudt
type: added
...@@ -635,6 +635,10 @@ production: &base ...@@ -635,6 +635,10 @@ production: &base
# multipart_chunk_size: 104857600 # multipart_chunk_size: 104857600
# # Turns on AWS Server-Side Encryption with Amazon S3-Managed Keys for backups, this is optional # # Turns on AWS Server-Side Encryption with Amazon S3-Managed Keys for backups, this is optional
# # encryption: 'AES256' # # encryption: 'AES256'
# # Turns on AWS Server-Side Encryption with Amazon Customer-Provided Encryption Keys for backups, this is optional
# # This should be set to the 256-bit, base64-encoded encryption key for Amazon S3 to use to encrypt or decrypt your data.
# # 'encryption' must also be set in order for this to have any effect.
# # encryption_key: '<base64 key>'
# # Specifies Amazon S3 storage class to use for backups, this is optional # # Specifies Amazon S3 storage class to use for backups, this is optional
# # storage_class: 'STANDARD' # # storage_class: 'STANDARD'
......
...@@ -392,6 +392,7 @@ Settings.backup['archive_permissions'] ||= 0600 ...@@ -392,6 +392,7 @@ Settings.backup['archive_permissions'] ||= 0600
Settings.backup['upload'] ||= Settingslogic.new({ 'remote_directory' => nil, 'connection' => nil }) Settings.backup['upload'] ||= Settingslogic.new({ 'remote_directory' => nil, 'connection' => nil })
Settings.backup['upload']['multipart_chunk_size'] ||= 104857600 Settings.backup['upload']['multipart_chunk_size'] ||= 104857600
Settings.backup['upload']['encryption'] ||= nil Settings.backup['upload']['encryption'] ||= nil
Settings.backup['upload']['encryption_key'] ||= ENV['GITLAB_BACKUP_ENCRYPTION_KEY']
Settings.backup['upload']['storage_class'] ||= nil Settings.backup['upload']['storage_class'] ||= nil
# #
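Review bot: The `||=` on the added `encryption_key` line keeps an empty string, so a gitlab.yml that carries `encryption_key: ''` never falls back to `GITLAB_BACKUP_ENCRYPTION_KEY`, because only nil and false are falsy in Ruby. Assigning on emptiness closes that gap: `Settings.backup['upload']['encryption_key'] = ENV['GITLAB_BACKUP_ENCRYPTION_KEY'] if Settings.backup['upload']['encryption_key'].to_s.empty?`. The value is also stored unchecked although the config comment asks for a 256-bit base64 key; a startup check such as `Base64.strict_decode64(key).bytesize == 32` would reject a malformed key before a backup depends on it. Since the secret now sits in `Settings.backup['upload']` beside non-secret values, any code that prints or logs that settings object would presumably include it, which is worth confirming.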
......
...@@ -311,6 +311,11 @@ For installations from source: ...@@ -311,6 +311,11 @@ For installations from source:
remote_directory: 'my.s3.bucket' remote_directory: 'my.s3.bucket'
# Turns on AWS Server-Side Encryption with Amazon S3-Managed Keys for backups, this is optional # Turns on AWS Server-Side Encryption with Amazon S3-Managed Keys for backups, this is optional
# encryption: 'AES256' # encryption: 'AES256'
# Turns on AWS Server-Side Encryption with Amazon Customer-Provided Encryption Keys for backups, this is optional
# This should be set to the base64-encoded encryption key for Amazon S3 to use to encrypt or decrypt your data.
# 'encryption' must also be set in order for this to have any effect.
# To avoid storing the key on disk, the key can also be specified via the `GITLAB_BACKUP_ENCRYPTION_KEY` environment variable.
# encryption_key: '<base64 key>'
# Specifies Amazon S3 storage class to use for backups, this is optional # Specifies Amazon S3 storage class to use for backups, this is optional
# storage_class: 'STANDARD' # storage_class: 'STANDARD'
``` ```
......
...@@ -50,6 +50,7 @@ module Backup ...@@ -50,6 +50,7 @@ module Backup
if directory.files.create(key: remote_target, body: File.open(tar_file), public: false, if directory.files.create(key: remote_target, body: File.open(tar_file), public: false,
multipart_chunk_size: Gitlab.config.backup.upload.multipart_chunk_size, multipart_chunk_size: Gitlab.config.backup.upload.multipart_chunk_size,
encryption: Gitlab.config.backup.upload.encryption, encryption: Gitlab.config.backup.upload.encryption,
encryption_key: Gitlab.config.backup.upload.encryption_key,
storage_class: Gitlab.config.backup.upload.storage_class) storage_class: Gitlab.config.backup.upload.storage_class)
progress.puts "done".color(:green) progress.puts "done".color(:green)
else else
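Review bot: The added `encryption_key:` argument is forwarded even when `encryption` is nil, and the config comment in this commit says the key has no effect in that case, so a deployment that sets only the key would upload backups without the customer-key encryption the operator expects and without any warning. A guard before the `directory.files.create` call would make the misconfiguration visible, for example `abort 'backup upload: encryption_key is set but encryption is not' if Gitlab.config.backup.upload.encryption_key && !Gitlab.config.backup.upload.encryption`. The enclosing method starts and ends outside this hunk, so the right spot for the guard should be checked against the full method.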
......
...@@ -266,6 +266,7 @@ describe Backup::Manager do ...@@ -266,6 +266,7 @@ describe Backup::Manager do
remote_directory: 'directory', remote_directory: 'directory',
multipart_chunk_size: 104857600, multipart_chunk_size: 104857600,
encryption: nil, encryption: nil,
encryption_key: nil,
storage_class: nil storage_class: nil
} }
) )
......