How to categorize this issue?
/area backup
/kind api-change
What would you like to be added:
I'm proposing to add support for reading backups from S3 using multiple keys while keeping one key as the active one for writing. This would allow rotation of these keys which is currently not possible.
Why is this needed:
Currently etcb supports using an SSE-C key while uploading and downloading the backups to S3, but this supports just a single key. That makes it impossible to remove the SSE-C encryption or change the key once it has been used. I'm proposing to add support for using multiple keys for reading (since there is no way to find out which key was used for upload, we would try one by one) and using the first key for writing. The proposal is to replace the original file containing the SSE-C key with a JSON structure.
I'm working at Akamai (formerly Linode) on our internal implementation and I'll soon have a patch which we would be able to upstream, so I'd like to gather feedback if there would be a desire for that, since the SSE-C support is already there.
This is an example of the encryption config file which would replace the sseCustomerKey:
```json
{
  "algorithm": "AES256",
  "disableEncryptionForWriting": false,
  "keys": [
    {
      "id": "primary-key-2024",
      "value": "base64-encoded-32-byte-key"
    },
    {
      "id": "backup-key-2023",
      "value": "another-base64-encoded-32-byte-key"
    }
  ]
}
```
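The key handling described in the issue above (validate the config, write with the first key, try each key in turn when reading), as an added Go example; it is not the proposed patch or the project's code. The `get` download hook and the final attempt without any key, for objects written while `disableEncryptionForWriting` was set, are assumptions.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
)
// Key and Config mirror the proposed JSON; encoding/json matches names case-insensitively.
type Key struct{ ID, Value string }
type Config struct {
	Algorithm                   string
	DisableEncryptionForWriting bool
	Keys                        []Key
}

// ParseConfig fails early on a config that could never work, naming key IDs but never values.
func ParseConfig(raw []byte) (*Config, error) {
	var c Config
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, err
	}
	if c.Algorithm != "AES256" || len(c.Keys) == 0 {
		return nil, fmt.Errorf("need algorithm AES256 and at least one key")
	}
	for _, k := range c.Keys {
		if b, err := base64.StdEncoding.DecodeString(k.Value); err != nil || len(b) != 32 {
			return nil, fmt.Errorf("key %q is not base64 of 32 bytes", k.ID)
		}
	}
	return &c, nil
}

// WriteKey is the first key, or nil when writes are to be unencrypted.
func (c *Config) WriteKey() *Key {
	if c.DisableEncryptionForWriting {
		return nil
	}
	return &c.Keys[0]
}

// Read tries the keys in order and reports the ID that worked; get is a hypothetical hook.
func (c *Config) Read(get func(*Key) ([]byte, error)) ([]byte, string, error) {
	for i := range c.Keys {
		if data, err := get(&c.Keys[i]); err == nil {
			return data, c.Keys[i].ID, nil
		}
	}
	data, err := get(nil) // assumed fallback: object stored without SSE-C
	return data, "", err
}
```

A production client should move on to the next key only when the store reports a key mismatch and stop on any other error, so that outages are not misread as wrong keys.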