AWS: add support for arbitrary SSE algorithms, e.g. AES256 (#1869)

* AWS: add support for arbitrary SSE algorithms, e.g. AES256

Signed-off-by: Steve Kriss <krisss@vmware.com>
Steve Kriss
2019-09-12 11:13:46 -06:00
committed by KubeKween
parent 756c66c408
commit bc60412f29
3 changed files with 34 additions and 22 deletions


@@ -0,0 +1 @@
AWS: add support for SSE-S3 AES256 encryption via `serverSideEncryption` config field in BackupStorageLocation


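--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -36,13 +36,14 @@ import (
 )
 const (
-s3URLKey = "s3Url"
-publicURLKey = "publicUrl"
-kmsKeyIDKey = "kmsKeyId"
-s3ForcePathStyleKey = "s3ForcePathStyle"
-bucketKey = "bucket"
-signatureVersionKey = "signatureVersion"
-credentialProfileKey = "profile"
+s3URLKey = "s3Url"
+publicURLKey = "publicUrl"
+kmsKeyIDKey = "kmsKeyId"
+s3ForcePathStyleKey = "s3ForcePathStyle"
+bucketKey = "bucket"
+signatureVersionKey = "signatureVersion"
+credentialProfileKey = "profile"
+serverSideEncryptionKey = "serverSideEncryption"
 )
 type s3Interface interface {
@@ -54,12 +55,13 @@ type s3Interface interface {
 }
 type ObjectStore struct {
-log logrus.FieldLogger
-s3 s3Interface
-preSignS3 s3Interface
-s3Uploader *s3manager.Uploader
-kmsKeyID string
-signatureVersion string
+log logrus.FieldLogger
+s3 s3Interface
+preSignS3 s3Interface
+s3Uploader *s3manager.Uploader
+kmsKeyID string
+signatureVersion string
+serverSideEncryption string
 }
 func NewObjectStore(logger logrus.FieldLogger) *ObjectStore {
@@ -83,18 +85,20 @@ func (o *ObjectStore) Init(config map[string]string) error {
 s3ForcePathStyleKey,
 signatureVersionKey,
 credentialProfileKey,
+serverSideEncryptionKey,
 ); err != nil {
 return err
 }
 var (
-region = config[regionKey]
-s3URL = config[s3URLKey]
-publicURL = config[publicURLKey]
-kmsKeyID = config[kmsKeyIDKey]
-s3ForcePathStyleVal = config[s3ForcePathStyleKey]
-signatureVersion = config[signatureVersionKey]
-credentialProfile = config[credentialProfileKey]
+region = config[regionKey]
+s3URL = config[s3URLKey]
+publicURL = config[publicURLKey]
+kmsKeyID = config[kmsKeyIDKey]
+s3ForcePathStyleVal = config[s3ForcePathStyleKey]
+signatureVersion = config[signatureVersionKey]
+credentialProfile = config[credentialProfileKey]
+serverSideEncryption = config[serverSideEncryptionKey]
 // note that bucket is automatically added to the config map
 // by the server from the ObjectStorageProviderConfig so
@@ -135,6 +139,7 @@ func (o *ObjectStore) Init(config map[string]string) error {
 o.s3 = s3.New(serverSession)
 o.s3Uploader = s3manager.NewUploader(serverSession)
 o.kmsKeyID = kmsKeyID
+o.serverSideEncryption = serverSideEncryption
 if signatureVersion != "" {
 if !isValidSignatureVersion(signatureVersion) {
@@ -193,10 +198,15 @@ func (o *ObjectStore) PutObject(bucket, key string, body io.Reader) error {
 Body: body,
 }
-// if kmsKeyID is not empty, enable "aws:kms" encryption
-if o.kmsKeyID != "" {
+switch {
+// if kmsKeyID is not empty, assume a server-side encryption (SSE)
+// algorithm of "aws:kms"
+case o.kmsKeyID != "":
 req.ServerSideEncryption = aws.String("aws:kms")
 req.SSEKMSKeyId = &o.kmsKeyID
+// otherwise, use the SSE algorithm specified, if any
+case o.serverSideEncryption != "":
+req.ServerSideEncryption = aws.String(o.serverSideEncryption)
 }
 _, err := o.s3Uploader.Upload(req)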
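Review bot: The new `serverSideEncryption` value is copied into the struct in Init and forwarded verbatim to `req.ServerSideEncryption` in PutObject with no validation, unlike `signatureVersion`, which is checked with `isValidSignatureVersion` right after the new assignment; a misspelled algorithm is therefore only discovered when the first upload is rejected by S3 rather than when the storage location is configured. The switch in PutObject also makes `kmsKeyId` silently win, so a location configured with both `kmsKeyId` and `serverSideEncryption: AES256` uploads with SSE-KMS and the conflicting setting is never reported to the operator. I would reject that combination in Init next to the signatureVersion check, e.g. `if kmsKeyID != "" && serverSideEncryption != "" && serverSideEncryption != "aws:kms" { /* return a configuration error naming both keys */ }`, and restrict the accepted values to the SDK's `s3.ServerSideEncryptionAes256` and `s3.ServerSideEncryptionAwsKms` constants so the set of algorithms the location can request is explicit. Both Init and PutObject continue outside these hunks, so the exact placement of the check is not visible here.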


@@ -51,6 +51,7 @@ The configurable parameters are as follows:
| `s3ForcePathStyle` | bool | `false` | Set this to `true` if you are using a local storage service like Minio. |
| `s3Url` | string | Required field for non-AWS-hosted storage| *Example*: http://minio:9000<br><br>You can specify the AWS S3 URL here for explicitness, but Velero can already generate it from `region`, and `bucket`. This field is primarily for local storage services like Minio.|
| `publicUrl` | string | Empty | *Example*: https://minio.mycluster.com<br><br>If specified, use this instead of `s3Url` when generating download URLs (e.g., for logs). This field is primarily for local storage services like Minio.|
| `serverSideEncryption` | string | Empty | The name of the server-side encryption algorithm to use for uploading objects, e.g. `AES256`. If using SSE-KMS and `kmsKeyId` is specified, this field will automatically be set to `aws:kms` so does not need to be specified by the user. |
| `kmsKeyId` | string | Empty | *Example*: "502b409c-4da1-419f-a16e-eif453b3i49f" or "alias/`<KMS-Key-Alias-Name>`"<br><br>Specify an [AWS KMS key][10] id or alias to enable encryption of the backups stored in S3. Only works with AWS S3 and may require explicitly granting key usage rights.|
| `signatureVersion` | string | `"4"` | Version of the signature algorithm used to create signed URLs that are used by velero cli to download backups or fetch logs. Possible versions are "1" and "4". Usually the default version 4 is correct, but some S3-compatible providers like Quobyte only support version 1.|
| `profile` | string | "default" | AWS profile within the credential file to use for given store |