Provide an env variable MINIO_GATEWAY_ENCRYPTION = ON | OFF | BOTH that allows the user to configure whether the gateway does all the encryption, passes through to the backend storage provider, or has the gateway encrypt and forward with headers to the backend so that the backend will re-encrypt the object.
Encryption is handled by the backend; SSE headers are forwarded to the backend, as is the case today.
SSE is handled by the gateway, thus terminating the SSE at the gateway. The encrypted object is passed to the backend as a plain object without accompanying SSE headers. This will break S3 compatibility.
- Amazon disallows the presence of more than one of the SSE-C, SSE-S3 and SSE-KMS headers on a PutObject/CopyObject request. To support double encryption, this will have to be relaxed to allow specifying up to 2 SSE headers.
- To ensure that users never download a gateway encrypted object without proper permission, SSE-C will have to be at the backend.
- SSE-C -> both gateway and backend use same customer provided encryption key, gateway encrypts first and passes encrypted object with SSE-C headers to backend for re-encryption.
- SSE-S3 -> if master key is configured on gateway, gateway encrypts with SSE-S3 using derived per object key from master key, and passes encrypted object to Backend with forwarded SSE-S3 header for further backend encryption with SSE-S3. Downside will be that client can download gateway encrypted object from backend by bypassing minio [As per assumption b, this option has to be ruled out]
- SSE-KMS -> if KMS is configured on gateway, gateway encrypts with SSE-S3 using plain key generated by KMS, and passes encrypted object to Backend with forwarded SSE-KMS header for further backend encryption with SSE-KMS [as per assumption b, this has to be ruled out]
- SSE-C + SSE-KMS -> do the SSE-KMS on gateway, let backend do the SSE-C. [flip side of doing SSE-C on gateway and SSE-KMS on backend is ruled out by assumption b]
- SSE-C + SSE-S3 -> do the SSE-S3 on gateway, let backend do the SSE-C. [flip side of doing SSE-C on gateway and SSE-S3 on backend is ruled out by assumption b]
- SSE-KMS + SSE-S3 -> not a possible combination.
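
The BOTH-mode combinations listed above, written as a check over the request's SSE headers. This is an added example, not code from MinIO or from this thread: the header names are the standard S3 SSE request headers, while the function name PlanBoth, the error values and the handling of a request with no SSE headers are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

const (
	hdrSSE  = "X-Amz-Server-Side-Encryption"                    // AES256 = SSE-S3, aws:kms = SSE-KMS
	hdrSSEC = "X-Amz-Server-Side-Encryption-Customer-Algorithm" // set for SSE-C
)

var errRuledOut = errors.New("ruled out: backend must apply SSE-C (assumption b)")

// PlanBoth (hypothetical name) maps a request's SSE headers to the SSE type the
// gateway and the backend would each apply under MINIO_GATEWAY_ENCRYPTION=BOTH.
func PlanBoth(h http.Header) (gateway, backend string, err error) {
	vals := h.Values(hdrSSE)
	if len(vals) > 1 {
		return "", "", errors.New("SSE-KMS + SSE-S3 is not a possible combination")
	}
	other := ""
	if len(vals) == 1 {
		switch vals[0] {
		case "AES256":
			other = "SSE-S3"
		case "aws:kms":
			other = "SSE-KMS"
		default:
			return "", "", fmt.Errorf("unknown %s value %q", hdrSSE, vals[0])
		}
	}
	sseC := h.Get(hdrSSEC) != ""
	switch {
	case sseC && other == "":
		return "SSE-C", "SSE-C", nil // same customer key at both layers
	case sseC:
		return other, "SSE-C", nil // gateway does SSE-S3/SSE-KMS, backend does SSE-C
	case other != "":
		return "", "", errRuledOut // SSE-S3 or SSE-KMS without SSE-C
	}
	return "", "", nil // assumption: no SSE headers means nothing to plan
}

func main() {
	h := http.Header{} // constructed sample request headers
	h.Set(hdrSSEC, "AES256")
	h.Set(hdrSSE, "aws:kms")
	fmt.Println(PlanBoth(h))
}
```
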
I think option 2 (MINIO_GATEWAY_ENCRYPTION=ON (Encryption at gateway)) is invalid. I am guessing that is what you are trying to imply also?