For objects created by the PUT Object, POST Object, or Copy operation, AWS returns MD5(object) as the ETag for SSE-S3 encrypted objects and a random ETag for SSE-C encrypted objects.

To preserve the security guarantees, MD5(object) must not be stored in plaintext as the ETag, so the ETag has to be stored in encrypted form as Encrypt(ETag = MD5(object)). However, since APIs like ListObjects do not require the SSE-C key but still return ETag information, the Minio server must also store the encrypted MD5 sum for both SSE-S3 and SSE-C objects, while returning a random ETag for SSE-C and MD5(object) for SSE-S3.
In the gateway double-encryption scenario, to maintain compatibility, X-Minio-Internal-ETag needs to hold Encrypt(ETag = MD5(object)); the ETag set by the backend needs to be discarded and Decrypt(Metadata['X-Minio-Internal-ETag']) returned instead.
For server side copy operations, the encrypted ETag of the original object (its MD5) needs to be decrypted correctly and re-encrypted with the target side key.
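The scheme above (store Encrypt(MD5(object)) under X-Minio-Internal-ETag for both modes, reveal MD5(object) only for SSE-S3, hand out a random ETag for SSE-C, and re-key the sealed value on server side copy), as an added Go example that is not Minio's own code: the object key is modelled as a 32-byte AES-256-GCM key, and `etagSealer`, `putObject` and `copyObject` are names chosen here, not Minio APIs.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"errors"
)
const internalETagKey = "X-Minio-Internal-ETag" // metadata key named in the note above
type etagSealer struct{ gcm cipher.AEAD } // AES-256-GCM is an assumption of this example
func newETagSealer(key *[32]byte) *etagSealer {
	block, _ := aes.NewCipher(key[:]) // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block)    // cannot fail for AES's 16-byte block
	return &etagSealer{gcm}
}
// seal is Encrypt(ETag = MD5(object)); a fresh random nonce is prepended to the ciphertext.
func (s *etagSealer) seal(etag string) []byte {
	nonce := make([]byte, s.gcm.NonceSize())
	rand.Read(nonce) // crypto/rand.Read is documented never to fail as of Go 1.24
	return s.gcm.Seal(nonce, nonce, []byte(etag), nil)
}
// open is Decrypt(Metadata['X-Minio-Internal-ETag']); a wrong key, tampering or truncated metadata returns an error.
func (s *etagSealer) open(sealed []byte) (string, error) {
	if ns := s.gcm.NonceSize(); len(sealed) >= ns {
		pt, err := s.gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
		return string(pt), err
	}
	return "", errors.New("sealed ETag too short")
}
// putObject stores Encrypt(MD5) for both modes but returns MD5(object) only for SSE-S3; SSE-C gets a random ETag, so ListObjects (which carries no SSE-C key) reveals nothing.
func putObject(object []byte, s *etagSealer, sseC bool) (map[string][]byte, string) {
	sum := md5.Sum(object)
	etag := hex.EncodeToString(sum[:])
	meta := map[string][]byte{internalETagKey: s.seal(etag)}
	if sseC {
		r := make([]byte, 16)
		rand.Read(r)
		etag = hex.EncodeToString(r)
	}
	return meta, etag
}
// copyObject re-keys the sealed ETag from the source key to the target key (server side copy).
func copyObject(srcMeta map[string][]byte, src, dst *etagSealer) (map[string][]byte, error) {
	etag, err := src.open(srcMeta[internalETagKey])
	if err != nil {
		return nil, err
	}
	return map[string][]byte{internalETagKey: dst.seal(etag)}, nil
}
```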