• Stan Hu's avatar
    Support AWS SSE-KMS in backups · 3963b251
    Stan Hu authored
    AWS supports three different modes for encrypting S3 data:
    
    1. Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)
    2. Server-Side Encryption with Customer Master Keys (CMKs) Stored in AWS
    Key Management Service (SSE-KMS)
    3. Server-Side Encryption with Customer-Provided Keys (SSE-C)
    
    Previously, SSE-S3 and SSE-C were supported via the
    `backup.upload.encryption` and `backup.upload.encryption_key`
    configuration options.
    
    SSE-KMS was previously not supported in backups because there was no way
    to specify which customer-managed key to use. However, we did support
    SSE-KMS with consolidated object storage enabled for other CI artifacts,
    attachments, LFS, etc. Note that SSE-C is NOT supported here.
    
    In consolidated object storage, the `storage_options` Hash provides the
    `server_side_encryption` and `server_side_encryption_kms_key_id`
    parameters that allow admins to configure SSE-KMS. We reuse this
    configuration in backups to support SSE-KMS.
    
    Relates to #338764
    
    Changelog: added
    3963b251
config_spec.rb 5.6 KB